INF-113 - nginx ansible role
Initial commit
disabled the default site, and added default_site as an option
Use nginx repo for newer version
Change-Id: I994a1f2f2f18cc2d1c42a2d9bb7321835a5dd1a1
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
new file mode 100644
index 0000000..791dac6
--- /dev/null
+++ b/molecule/default/converge.yml
@@ -0,0 +1,43 @@
+---
+# nginx molecule/default/verify.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: Converge
+ hosts: all
+ vars:
+ acme_username: "www-data" # make independent of the acme role
+ vhosts:
+ - name: "static.example.com"
+ default_server: true
+ extra_config: |
+ location /teapot {
+ return 418;
+ }
+ - name: "autoindex.example.com"
+ autoindex: true
+ - name: "authenticated.example.com"
+ auth_scope: "mysite"
+ - name: "proxy.example.com"
+ proxy_pass: "http://localhost:8000"
+ - name: "redirects"
+ aliases:
+ - "redirect.example.com"
+ redirect_url: "https://destination.example.com"
+ strip_request_uri: true
+ auth_scopes:
+ - scope: mysite
+ users:
+ - name: ghopper
+ password: verysecurepassword
+ - name: dknuth
+ password: anotherpassword
+ - scope: othersite
+ users:
+ - name: aturing
+ password: yetanotherpw
+ tasks:
+ - name: "Include nginx"
+ include_role:
+ name: "nginx"
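Review bot: The header comment at the top of this new file reads `# nginx molecule/default/verify.yml`, but the file is converge.yml; it should read `# nginx molecule/default/converge.yml`. The `auth_scopes` passwords are also repeated as literals in verify.yml (`url_password: "verysecurepassword"` and `url_password: "yetanotherpw"`), so the two files can drift apart silently. A comment above `auth_scopes`, such as `# throwaway test-only credentials; verify.yml uses the same values`, would mark them as fixtures and point the next editor at the other copy.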
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 0000000..5c40573
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,20 @@
+---
+# nginx molecule/default/molecule.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: "ubuntu-18.04-priv"
+ image: "quay.io/paulfantom/molecule-systemd:ubuntu-18.04"
+ privileged: true
+ volumes:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+provisioner:
+ name: ansible
+verifier:
+ name: ansible
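Review bot: The platform entry combines `privileged: true` with an image referenced by a mutable tag from a third-party namespace (`quay.io/paulfantom/molecule-systemd:ubuntu-18.04`), so whatever is later published under that tag runs with near-host privileges on the machine executing the tests. Pinning by digest, e.g. `image: "quay.io/paulfantom/molecule-systemd@sha256:<digest>"` (placeholder), keeps the test environment reproducible and reviewable. Privileged mode is presumably needed for systemd inside the container; a comment such as `# privileged: needed to run systemd in the test container` would record that, so the setting is not copied elsewhere without thought.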
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
new file mode 100644
index 0000000..829bbf1
--- /dev/null
+++ b/molecule/default/prepare.yml
@@ -0,0 +1,15 @@
+---
+# nginx molecule/default/prepare.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: Prepare
+ hosts: all
+
+ tasks:
+ - name: Install GPG to support adding apt repo keys
+ apt:
+ name: "gpg"
+ state: "present"
+ update_cache: true
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..5e2e15c
--- /dev/null
+++ b/molecule/default/verify.yml
@@ -0,0 +1,203 @@
+---
+# nginx molecule/default/verify.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: Verify
+ hosts: all
+ vars:
+ nginx_static_dir: "/srv/sites"
+ tasks:
+
+ # Static site tests
+ - name: Create a test file to be served for the static site
+ lineinfile:
+ path: "{{ nginx_static_dir }}/static.example.com/index.html"
+ line: "This file is served from static.example.com"
+ mode: 0644
+ create: true
+
+ - name: Test that static site is being served with index.yaml
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "static.example.com"
+ status_code: 200
+ return_content: true
+ register: webpage
+ failed_when: "'This file is served from static.example.com' not in webpage.content"
+
+ - name: Test that the static site is the default site
+ uri:
+ url: http://127.0.0.1/
+ status_code: 200
+ return_content: true
+ register: webpage
+ failed_when: "'This file is served from static.example.com' not in webpage.content"
+
+ - name: Delete static site test file
+ file:
+ path: "{{ nginx_static_dir }}/static.example.com/index.html"
+ mode: 0644
+ state: absent
+
+ - name: Verify that 403 is returned when no index.html file exists and autoindex is off
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "static.example.com"
+ status_code: 403
+
+ - name: See if extra_config (teapot with code 418 at /teapot) is working
+ uri:
+ url: http://127.0.0.1/teapot
+ headers:
+ Host: "static.example.com"
+ status_code: 418
+
+ - name: Create a yaml file to check that MIME config is working
+ copy:
+ dest: "{{ nginx_static_dir }}/static.example.com/example.yaml"
+ mode: 0644
+ content: |
+ ---
+ # example YAML file
+
+ - name: Retrieve YAML file
+ uri:
+ url: http://127.0.0.1/example.yaml
+ headers:
+ Host: "static.example.com"
+ status_code: 200
+ return_content: true
+ register: webpagey
+
+ - name: Assert that yaml file uses text/yaml MIME type
+ assert:
+ that:
+ - webpagey['content_type'] == 'text/yaml'
+
+ - name: Delete yaml test file
+ file:
+ path: "{{ nginx_static_dir }}/static.example.com/example.yaml"
+ state: absent
+
+ # Test nginx autoindex
+ - name: Create a test dir to be served for the autoindex site
+ file:
+ path: "{{ nginx_static_dir }}/autoindex.example.com/autoindex_example_dir"
+ mode: 0755
+ state: directory
+
+ - name: Test that autoindex is created and lists directory
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "autoindex.example.com"
+ status_code: 200
+ return_content: true
+ register: webpageai
+ failed_when: "'autoindex_example_dir' not in webpageai.content"
+
+ - name: Delete test dir for autoindex site
+ file:
+ path: "{{ nginx_static_dir }}/autoindex.example.com/autoindex_example_dir"
+ state: absent
+
+ # HTTP Basic Authentication tests
+ - name: Create a test file to be served for the authenticated site
+ lineinfile:
+ path: "{{ nginx_static_dir }}/authenticated.example.com/index.html"
+ line: "This file is served from authenticated.example.com"
+ mode: 0644
+ create: true
+
+ - name: Test that the authenticated file can't be accessed without authentication
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "authenticated.example.com"
+ status_code: 401
+
+ - name: Test that the authenticated file can be accessed by authorized user
+ uri:
+ url: http://127.0.0.1/
+ url_username: "ghopper"
+ url_password: "verysecurepassword"
+ headers:
+ Host: "authenticated.example.com"
+ status_code: 200
+ return_content: true
+ register: webpage
+ failed_when: "'authenticated.example.com' not in webpage.content"
+
+ - name: Test that the authenticated file can't be accessed by unauthorized user
+ uri:
+ url: http://127.0.0.1/
+ url_username: "aturing"
+ url_password: "yetanotherpw"
+ headers:
+ Host: "authenticated.example.com"
+ status_code: 401
+
+ - name: Delete authenticated site test file
+ file:
+ path: "{{ nginx_static_dir }}/authenticated.example.com/index.html"
+ state: absent
+
+ # Proxy tests
+ - name: Verify that when proxy isn't running, NGINX returns a 502 "Bad Gateway" error
+ uri:
+ url: http://127.0.0.1/
+ headers:
+ Host: "proxy.example.com"
+ status_code: 502
+
+ - name: Create a test file to be served by the proxy
+ lineinfile:
+ path: "/tmp/index.html"
+ line: "This file is served from proxy.example.com"
+ mode: 0644
+ create: true
+
+ - name: Run a python http.server as proxy target for 20 seconds in the background
+ shell: >-
+ (cd /tmp;
+ python3 -m http.server & PY_PID=$!;
+ echo "server running: $PY_PID";
+ sleep 20;
+ kill $PY_PID) &
+ tags:
+ - skip_ansible_lint
+
+ - name: Wait 10 seconds for Python http.server to get started
+ pause:
+ seconds: 10
+
+ - name: Test that the proxy site is being served
+ uri:
+ url: http://127.0.0.1
+ headers:
+ Host: "proxy.example.com"
+ status_code: 200
+ return_content: true
+ register: webpage
+ failed_when: "'proxy.example.com' not in webpage.content"
+
+ - name: Delete proxy site test file
+ file:
+ path: "/tmp/index.html"
+ state: absent
+
+ # Redirect tests
+ - name: Check that 301 redirect is being served
+ uri:
+ url: http://127.0.0.1
+ headers:
+ Host: "redirect.example.com"
+ follow_redirects: "none"
+ status_code: 301
+ return_content: true
+ register: webpage
+ failed_when: "webpage.location != 'https://destination.example.com'"
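Review bot: In the redirect test at the end of this file, `failed_when` replaces the uri module's own failure result, as far as I know, so `status_code: 301` is no longer enforced and a 302 with the same Location header would pass. Folding the status into the condition restores the check: `failed_when: "webpage.status != 301 or webpage.location != 'https://destination.example.com'"`. The same pattern (`status_code` plus a content-only `failed_when`) appears in the static, default-site, autoindex, authenticated and proxy tasks. There it is less likely to hide a failure, but an explicit `webpage.status != 200 or …` would still be clearer. Separately, the background `python3 -m http.server` serves all of /tmp on every interface. Adding `--bind 127.0.0.1` would keep it on loopback, which is all the `proxy_pass` to localhost needs.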