Check distribution and validate role variables (#583)

Author: alessfg

CHANGELOG.md

@@ -20,12 +20,14 @@ BREAKING CHANGES:
 
 FEATURES:
 
+* Validate that various role variables have been set to one of the allowed values.
 * Add support for the newer `ndk` and `set-misc` NGINX Plus dynamic modules and remove old code checks for distributions that are no longer supported.
 * Add AlmaLinux, Oracle Linux and Rocky Linux to the list of NGINX OSS and NGINX Plus tested and supported distributions.
 * Add Alpine Linux 3.17 to the NGINX list of tested and supported platforms (and remove Alpine Linux 3.13 from the list of NGINX OSS supported distributions).
 
 ENHANCEMENTS:
 
+* Improve validation of supported distributions when installing NGINX from the official repository.
 * Bump the Ansible `community.general` collection to `6.2.0`, `community.crypto` collection to `2.10.0` and `community.docker` collection to `3.4.0`.
 * Use the official GitHub repositories as the source for the various packages required to compile NGINX OSS from source.
 

tasks/main.yml

@@ -1,23 +1,7 @@
 ---
-- name: Check whether you are using a supported NGINX distribution
-  ansible.builtin.assert:
-    that: (nginx_type == "opensource" and ansible_facts['distribution'] in nginx_distributions)
-          or (nginx_type == "plus" and ansible_facts['distribution'] in nginx_plus_distributions)
-    success_msg: Your OS, {{ ansible_facts['distribution'] }} is supported by NGINX {{ (nginx_type == 'plus') | ternary('Plus', 'Open Source') }}
-    fail_msg: Your OS, {{ ansible_facts['distribution'] }} is not supported by NGINX {{ (nginx_type == 'plus') | ternary('Plus', 'Open Source') }}
-  when:
-    - nginx_enable | bool
-    - (nginx_install_from == "nginx_repository" or nginx_type == "plus")
-  ignore_errors: true # noqa ignore-errors
-  tags: nginx_check_support
-
-- name: Check that NGINX setup is an allowed value
-  ansible.builtin.assert:
-    that: nginx_setup in nginx_setup_vars
-    fail_msg: The value {{ nginx_setup }} you used for `nginx_setup` is not allowed. Try one of {{ nginx_setup_vars | join(', ') }}.
-  when: nginx_enable | bool
-  ignore_errors: true # noqa ignore-errors
-  tags: nginx_check_support
+- name: Validate distribution and role variables
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate/validate.yml"
+  tags: nginx_validate
 
 - name: Set up prerequisites
   ansible.builtin.include_tasks: "{{ role_path }}/tasks/prerequisites/prerequisites.yml"
@@ -78,6 +62,7 @@
 - name: Debug NGINX output
   ansible.builtin.include_tasks: "{{ role_path }}/tasks/config/debug-output.yml"
   when:
+    - nginx_enable | bool
     - nginx_debug_output | bool
     - nginx_state != "absent"
   tags: nginx_debug_output

tasks/validate/validate.yml

@@ -0,0 +1,35 @@
+---
+- name: Check whether you are using a supported NGINX distribution
+  ansible.builtin.assert:
+    that:
+      - "{{ ansible_facts['distribution'] | lower in nginx_distributions.keys() | list }}"
+      - "{{ (ansible_facts['distribution_version'] | regex_search('\\d+\\.?\\d*') in nginx_distributions[ansible_facts['distribution'] | lower]['versions'] | string)
+        if ansible_facts['distribution'] | lower in ['alpine', 'ubuntu'] else ansible_facts['distribution_major_version'] in nginx_distributions[ansible_facts['distribution'] | lower]['versions'] | string }}"
+      - "{{ ansible_facts['architecture'] in nginx_distributions[ansible_facts['distribution'] | lower]['architectures'] }}"
+    success_msg: Your distribution, {{ nginx_distributions[ansible_facts['distribution'] | lower]['name'] }} {{ ansible_facts['distribution_version'] }} ({{ ansible_facts['architecture'] }}), is supported by NGINX {{ (nginx_type == 'opensource') | ternary('Open Source', 'Plus') }}.
+    fail_msg: Your distribution, {{ nginx_distributions[ansible_facts['distribution'] | lower]['name'] }} {{ ansible_facts['distribution_version'] }} ({{ ansible_facts['architecture'] }}), is not supported by NGINX {{ (nginx_type == 'opensource') | ternary('Open Source', 'Plus') }}.
+  when:
+    - nginx_enable | bool
+    - (nginx_install_from == "nginx_repository" or nginx_type == "plus")
+  ignore_errors: true # noqa ignore-errors
+
+- name: Check that 'nginx_setup' is an allowed value
+  ansible.builtin.assert:
+    that: nginx_setup in nginx_setup_vars
+    fail_msg: The value you used for 'nginx_setup', {{ nginx_setup }}, is not allowed. The allowed values are [{{ nginx_setup_vars | join(', ') }}].
+  when: nginx_enable | bool
+  ignore_errors: true # noqa ignore-errors
+
+- name: Check that 'nginx_branch' is an allowed value
+  ansible.builtin.assert:
+    that: nginx_branch in nginx_branch_vars
+    fail_msg: The value you used for 'nginx_branch', {{ nginx_branch }}, is not allowed. The allowed values are [{{ nginx_branch_vars | join(', ') }}].
+  when: nginx_enable | bool
+  ignore_errors: true # noqa ignore-errors
+
+- name: Check that 'nginx_install_from' is an allowed value
+  ansible.builtin.assert:
+    that: nginx_install_from in nginx_install_from_vars
+    fail_msg: The value you used for 'nginx_install_from', {{ nginx_install_from }}, is not allowed. The allowed values are [{{ nginx_install_from_vars | join(', ') }}].
+  when: nginx_enable | bool
+  ignore_errors: true # noqa ignore-errors

vars/main.yml

@@ -1,29 +1,114 @@
 ---
-nginx_setup_vars: [
-  install, uninstall, upgrade,
-]
+# Set the values allowed for various variables
+nginx_setup_vars: [install, uninstall, upgrade]
 
-nginx_default_setup: install
+nginx_install_from_vars: [nginx_repository, source, os_repository]
+
+nginx_branch_vars: [mainline, stable]
 
+# Determine the current value of 'nginx_state'
 nginx_state_vals:
   install: present
   uninstall: absent
   upgrade: latest
 
+nginx_default_setup: install
 nginx_state: "{{ nginx_state_vals[nginx_setup] | default(nginx_state_vals[nginx_default_setup]) }}"
 
+# Set the nginx_platforms check to opensource or plus
+nginx_distributions: "{{ (nginx_type == 'opensource') | ternary(nginx_supported_distributions, nginx_plus_supported_distributions) }}"
+
 # Supported NGINX Open Source distributions
 # https://nginx.org/en/docs/install.html
-nginx_distributions: [
-  AlmaLinux, Alpine, Amazon, CentOS, Debian, FreeBSD, OracleLinux, RedHat, Rocky, SLES, Ubuntu,
-  NetBSD, OpenBSD, DragonFlyBSD, HardenedBSD,
-]
+nginx_supported_distributions:
+  almalinux:
+    name: AlmaLinux
+    versions: [8, 9]
+    architectures: [x86_64, aarch64, s390x]
+  alpine:
+    name: Alpine Linux
+    versions: [3.14, 3.15, 3.16, 3.17]
+    architectures: [x86_64, aarch64]
+  amazon:
+    name: Amazon Linux
+    versions: [2]
+    architectures: [x86_64, aarch64]
+  centos:
+    name: CentOS
+    versions: [7]
+    architectures: [x86_64, aarch64]
+  debian:
+    name: Debian
+    versions: [11]
+    architectures: [x86_64, aarch64]
+  oraclelinux:
+    name: Oracle Linux
+    versions: [7, 8, 9]
+    architectures: "{{ (['x86_64', 'aarch64'] + ['s390x']) if (ansible_facts['distribution_major_version'] is version('8', '>=')) else ['x86_64', 'aarch64'] }}"
+  redhat:
+    name: Red Hat Enterprise Linux
+    versions: [7, 8, 9]
+    architectures: "{{ (['x86_64', 'aarch64'] + ['s390x']) if (ansible_facts['distribution_major_version'] is version('8', '>=')) else ['x86_64', 'aarch64'] }}"
+  rocky:
+    name: Rocky Linux
+    versions: [8, 9]
+    architectures: [x86_64, aarch64, s390x]
+  sles:
+    name: SUSE Linux Enterprise Server
+    versions: [12, 15]
+    architectures: [x86_64]
+  ubuntu:
+    name: Ubuntu
+    versions: [18.04, 20.04, 22.04, 22.10]
+    architectures: "{{ (['x86_64', 'aarch64'] + ['s390x']) if ((ansible_facts['distribution_version'] is version('20.04', '==')) or (ansible_facts['distribution_version'] is version('22.04', '=='))) else ['x86_64', 'aarch64'] }}"
 
 # Supported NGINX Plus distributions
 # https://docs.nginx.com/nginx/technical-specs/
-nginx_plus_distributions: [
-  AlmaLinux, Alpine, Amazon, CentOS, Debian, FreeBSD, OracleLinux, RedHat, Rocky, SLES, Ubuntu,
-]
+nginx_plus_supported_distributions:
+  almalinux:
+    name: AlmaLinux
+    versions: [8, 9]
+    architectures: [x86_64, aarch64]
+  alpine:
+    name: Alpine Linux
+    versions: [3.13, 3.14, 3.15, 3.16, 3.17]
+    architectures: [x86_64, aarch64]
+  amazon:
+    name: Amazon Linux
+    versions: [2]
+    architectures: [x86_64, aarch64]
+  centos:
+    name: CentOS
+    versions: [7]
+    architectures: [x86_64, aarch64]
+  debian:
+    name: Debian
+    versions: [11]
+    architectures: [x86_64, aarch64]
+  freebsd:
+    name: FreeBSD
+    versions: [12, 13]
+    architectures: [x86_64]
+  oraclelinux:
+    name: Oracle Linux
+    versions: [7, 8, 9]
+    architectures: "{{ (['x86_64'] + ['aarch64']) if (ansible_facts['distribution_major_version'] is version('8', '==')) else ['x86_64'] }}"
+  redhat:
+    name: Red Hat Enterprise Linux
+    versions: [7, 8, 9]
+    architectures: "{{ (['x86_64', 'aarch64'] + ['s390x']) if (ansible_facts['distribution_major_version'] is version('8', '>=')) else ['x86_64', 'aarch64'] }}"
+  rocky:
+    name: Rocky Linux
+    versions: [8, 9]
+    architectures: [x86_64, aarch64]
+  sles:
+    name: SUSE Linux Enterprise Server
+    versions: [12, 15]
+    architectures: [x86_64]
+  ubuntu:
+    name: Ubuntu
+    versions: [18.04, 20.04, 22.04]
+    architectures: "{{ (['x86_64', 'aarch64'] + ['s390x']) if (ansible_facts['distribution_version'] is version('20.04', '>=')) else ['x86_64', 'aarch64'] }}"
 
 # Default NGINX signing key
 nginx_default_signing_key_pgp: https://nginx.org/keys/nginx_signing.key
@@ -47,29 +132,19 @@ nginx_plus_default_repository_redhat: https://pkgs.nginx.com/plus/{{ (ansible_fa
 nginx_plus_default_repository_suse: https://pkgs.nginx.com/plus/sles/{{ ansible_facts['distribution_major_version'] }}?ssl_clientcert=/etc/ssl/nginx/nginx-repo-bundle.crt&ssl_verify=peer
 
 # Alpine dependencies
-nginx_alpine_dependencies: [
-  ca-certificates, coreutils, openssl, pcre2,
-]
+nginx_alpine_dependencies: [ca-certificates, coreutils, openssl, pcre2]
 
 # Debian dependencies
-nginx_debian_dependencies: [
-  apt-transport-https, ca-certificates, gpg-agent,
-]
+nginx_debian_dependencies: [apt-transport-https, ca-certificates, gpg-agent]
+
+# FreeBSD dependencies
+nginx_freebsd_dependencies: [security/ca_root_nss]
 
 # Red Hat dependencies
-nginx_redhat_dependencies: [
-  ca-certificates,
-]
+nginx_redhat_dependencies: [ca-certificates]
 
 # SLES dependencies
-nginx_sles_dependencies: [
-  ca-certificates,
-]
-
-# FreeBSD dependencies
-nginx_freebsd_dependencies: [
-  security/ca_root_nss,
-]
+nginx_sles_dependencies: [ca-certificates]
 
 # Default locations and versions when 'nginx_install_from' is set to 'source'.
 # Set 'pcre_release' to 1 to install PCRE 1, modify the 'openssl_version' to move back to 1.1.1.
@@ -79,12 +154,7 @@ zlib_version: 1.2.13
 openssl_version: 3.0.7
 
 # Supported NGINX Open Source dynamic modules
-nginx_modules_list: [
-  geoip, image-filter, njs, perl, xslt,
-]
+nginx_modules_list: [geoip, image-filter, njs, perl, xslt]
 
 # Supported NGINX Plus dynamic modules
-nginx_plus_modules_list: [
-  auth-spnego, brotli, encrypted-session, geoip, geoip2, headers-more, image-filter,
-  lua, ndk, njs, opentracing, passenger, perl, prometheus, rtmp, set-misc, subs-filter, xslt,
-]
+nginx_plus_modules_list: [auth-spnego, brotli, encrypted-session, geoip, geoip2, headers-more, image-filter, lua, ndk, njs, opentracing, passenger, perl, prometheus, rtmp, set-misc, subs-filter, xslt]