majic-ansible-roles Changeset

Changeset - c1abe824342c

Parent rev.

Child rev.

[Not reviewed]

0 8 0

Branko Majic (branko) - 2 months ago 2024-03-02 22:30:40
branko@majic.rs

MAR-192: Added support for Debian 12 Bookworm to xmpp_server role:

- Some of the tests are still failing, namely the ones centered around
the sendxmpp tool (which seems completely broken at this point in
Debian 12 Bookworm)

8 files changed with 182 insertions and 24 deletions:

docs/rolereference.rst

roles/xmpp_server/meta/main.yml

roles/xmpp_server/molecule/default/host_vars/ldap-server.yml

roles/xmpp_server/molecule/default/molecule.yml

roles/xmpp_server/molecule/default/prepare.yml

roles/xmpp_server/molecule/default/tests/test_mandatory.py

roles/xmpp_server/molecule/default/tests/test_optional.py

roles/xmpp_server/templates/prosody.cfg.lua.j2

0 comments (0 inline, 0 general)

docs/rolereference.rst

➞

Show inline comments

@@ @@ -1000,12 +1000,13 @@ Parameters @@
 Distribution compatibility
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 Role is compatible with the following distributions:
 - Debian 11 (Bullseye)
 - Debian 12 (Bookworm)
 Examples
 ~~~~~~~~
 Here is an example configuration for setting-up XMPP server using Prosody:

roles/xmpp_server/meta/main.yml

➞

Show inline comments

@@ @@ -14,6 +14,7 @@ galaxy_info: @@
   license: BSD
   min_ansible_version: 2.9
   platforms:
     - name: Debian
       versions:
         - 11
         - 12

roles/xmpp_server/molecule/default/host_vars/ldap-server.yml

➞

Show inline comments

@@ @@ -39,6 +39,9 @@ backup_host_ssh_private_keys: @@
   ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
   ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 backup_clients:
   - server: parameters-optional-bullseye
     ip: 192.168.56.52
     public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
   - server: parameters-optional-bookworm
     ip: 192.168.56.32
     public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

roles/xmpp_server/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -16,13 +16,13 @@ platforms: @@
   # Helpers
   # =======
   - name: ldap-server
-    box: debian/bullseye64
+    box: debian/bookworm64
     memory: 512
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
@@ @@ -76,12 +76,62 @@ platforms: @@
     interfaces:
       - auto_config: true
         ip: 192.168.56.52
         network_name: private_network
         type: static
   # Debian 11 Bookworm
   # ==================
   - name: client-bookworm
     groups:
       - clients
       - bookworm
     box: debian/bookworm64
     memory: 256
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.21
         network_name: private_network
         type: static
   - name: parameters-mandatory-bookworm
     groups:
       - parameters-mandatory
       - bookworm
     box: debian/bookworm64
     memory: 512
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.31
         network_name: private_network
         type: static
   - name: parameters-optional-bookworm
     groups:
       - parameters-optional
       - bookworm
     box: debian/bookworm64
     memory: 512
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.32
         network_name: private_network
         type: static
 provisioner:
   name: ansible
   playbooks:
     cleanup: cleanup.yml
   config_options:
     defaults:

roles/xmpp_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -35,12 +35,27 @@ @@
             - domain2
             - proxy.domain2
             - conference.domain2
             - domain3
             - proxy.domain3
             - conference.domain3
         - name: parameters-mandatory-bookworm_xmpp
           fqdn:
             - parameters-mandatory
             - domain1
             - proxy.domain1
             - conference.domain1
         - name: parameters-optional-bookworm_xmpp
           fqdn:
             - parameters-optional
             - domain2
             - proxy.domain2
             - conference.domain2
             - domain3
             - proxy.domain3
             - conference.domain3
     - name: Set-up link to generated X.509 material
       file:
         src: ".gimmecert"
         dest: "tests/data/x509"
         state: link
@@ @@ -102,12 +117,49 @@ @@
       with_dict:
 .168.56.11: "ldap-server backup-server"
 .168.56.41: "client-bullseye"
 .168.56.51: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 .168.56.52: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 - hosts: bookworm
   become: true
   tasks:
     - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
       blockinfile:
         path: "/etc/ssl/openssl.cnf"
         block: |
           [openssl_init]
           ssl_conf = ssl_sect
           [ssl_sect]
           system_default = system_default_sect
           [system_default_sect]
           MinProtocol = TLSv1.1
           CipherString = DEFAULT@SECLEVEL=0
         owner: root
         group: root
         mode: 0644
         state: present
     - name: Set-up the hosts file
       lineinfile:
         path: /etc/hosts
         regexp: "^{{ item.key }}"
         line: "{{ item.key }} {{ item.value }}"
         owner: root
         group: root
         mode: 0644
         state: present
       with_dict:
 .168.56.11: "ldap-server backup-server"
 .168.56.21: "client-bookworm"
 .168.56.31: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 .168.56.32: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 - hosts: clients
   become: true
   tasks:
     - name: Install tool for testing TCP connectivity
       apt:

roles/xmpp_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

@@ @@ -46,22 +46,37 @@ Component "proxy.domain1" "proxy65" @@
 def test_xmpp_c2s_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     XMPP C2S ports.
     """
     expected_tls_versions = ["TLSv1.2"]
     expected_tls_ciphers = [
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    ]
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.2"]
         expected_tls_ciphers = [
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+        ]
     else:
         expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
         expected_tls_ciphers = [
             "TLS_AKE_WITH_AES_128_GCM_SHA256",
             "TLS_AKE_WITH_AES_256_GCM_SHA384",
             "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+        ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain1 -oX /tmp/report.xml", str(port))
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string

roles/xmpp_server/molecule/default/tests/test_optional.py

➞

Show inline comments

@@ @@ -52,25 +52,43 @@ Component "proxy.domain3" "proxy65" @@
 def test_xmpp_c2s_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     XMPP C2S ports.
     """
     expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
     expected_tls_ciphers = [
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    ]
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
         expected_tls_ciphers = [
             "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        ]
     else:
         expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
         expected_tls_ciphers = [
             "TLS_AKE_WITH_AES_128_GCM_SHA256",
             "TLS_AKE_WITH_AES_256_GCM_SHA384",
             "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX /tmp/report.xml", str(port))
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string

roles/xmpp_server/templates/prosody.cfg.lua.j2

➞

Show inline comments

@@ @@ -52,19 +52,37 @@ c2s_ssl = { @@
   protocol = "{{ xmpp_server_tls_protocol }}";
   ciphers = "{{ xmpp_server_tls_ciphers }}";
+}
 -- Configure TLS protocol and ciphers for client-to-server
 -- connections (direct TLS).
 {% if ansible_distribution_release == "bullseye" %}
 legacy_ssl_ssl = {
   protocol = "{{ xmpp_server_tls_protocol }}";
   ciphers = "{{ xmpp_server_tls_ciphers }}";
+}
 {% else %}
 c2s_direct_tls_ssl = {
   protocol = "{{ xmpp_server_tls_protocol }}";
   ciphers = "{{ xmpp_server_tls_ciphers }}";
   -- @WORKAROUND: No DHE ciphers because dhparam is getting reset
   --
   --    There is a bug in Prosody 0.12.3 resulting in dhparam value
   --    from from global config getting ignored when domain SNI
   --    context is initalised on TCP port 5223. Define the parameter
   --    in within this configuration context as well to fix the issue.
   dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
+}
 {% endif %}
 -- Ports on which to have direct TLS/SSL.
 {% if ansible_distribution_release == "bullseye" %}
 legacy_ssl_ports = { 5223 }
 {% else %}
 c2s_direct_tls_ports = { 5223 }
 {% endif %}
 -- Force clients to use encrypted connection.
 c2s_require_encryption = true
 -- Disable certificate validation for server-to-server connections.
 s2s_secure_auth = false

0 comments (0 inline, 0 general)