From 88b13486340e16363826df16871b4ed652ac37c7 Mon Sep 17 00:00:00 2001 From: Christoph Maser Date: Sun, 26 May 2024 22:31:39 +0200 Subject: [PATCH] drop support for versions < 1.15.0, set default version to 1.16.0 --- README.md | 2 +- REFERENCE.md | 4 +-- manifests/init.pp | 7 +++-- spec/acceptance/nginx_mail_spec.rb | 40 ------------------------ spec/classes/nginx_spec.rb | 13 ++++---- spec/defines/resource_mailhost_spec.rb | 2 +- spec/defines/resource_server_spec.rb | 14 --------- templates/mailhost/mailhost.epp | 3 -- templates/mailhost/mailhost_ssl.epp | 5 +-- templates/server/server_ssl_settings.erb | 3 -- 10 files changed, 17 insertions(+), 76 deletions(-) diff --git a/README.md b/README.md index 8eb2f990e..0c941aab9 100644 --- a/README.md +++ b/README.md @@ -262,7 +262,7 @@ nginx::nginx_upstreams: ## Nginx with precompiled Passenger -Example configuration for Debian and RHEL / CentOS (>6), pulling the Nginx and +Example configuration for Debian and RHEL / CentOS, pulling the Nginx and Passenger packages from the Phusion repo. See additional notes in [https://github.com/voxpupuli/puppet-nginx/blob/master/docs/quickstart.md](https://github.com/voxpupuli/puppet-nginx/blob/master/docs/quickstart.md) diff --git a/REFERENCE.md b/REFERENCE.md index 2d74ccc2d..ab9beb79b 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -277,11 +277,11 @@ Data type: `String[1]` The version of nginx installed (or being installed). Unfortunately, different versions of nginx may need configuring differently. The default is derived from the version of nginx -already installed. If the fact is unavailable, it defaults to '1.6.0'. +already installed. If the fact is unavailable, it defaults to '1.16.0'. You may need to set this manually to get a working and idempotent configuration. -Default value: `pick(fact('nginx_version'), '1.6.0')` +Default value: `pick(fact('nginx_version'), '1.16.0')` ##### `debug_connections` 
diff --git a/manifests/init.pp b/manifests/init.pp index 2445c100d..90eed55a1 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -20,7 +20,7 @@ # The version of nginx installed (or being installed). # Unfortunately, different versions of nginx may need configuring # differently. The default is derived from the version of nginx -# already installed. If the fact is unavailable, it defaults to '1.6.0'. +# already installed. If the fact is unavailable, it defaults to '1.16.0'. # You may need to set this manually to get a working and idempotent # configuration. # @@ -240,7 +240,7 @@ Hash $nginx_upstreams = {}, Nginx::UpstreamDefaults $nginx_upstreams_defaults = {}, Boolean $purge_passenger_repo = true, - String[1] $nginx_version = pick(fact('nginx_version'), '1.6.0'), + String[1] $nginx_version = pick(fact('nginx_version'), '1.16.0'), ### END Hiera Lookups ### ) inherits nginx::params { @@ -251,6 +251,9 @@ deprecation('keepalive_requests', 'Passing a String is deprecated, please pass a Integer') } + if versioncmp($nginx_version, '1.15.0') < 0 { + fail("nginx::nginx_version must be at least 1.15.0, got ${nginx_version}") + } contain 'nginx::package' contain 'nginx::config' contain 'nginx::service' diff --git a/spec/acceptance/nginx_mail_spec.rb b/spec/acceptance/nginx_mail_spec.rb index 1475471b4..993c97673 100644 --- a/spec/acceptance/nginx_mail_spec.rb +++ b/spec/acceptance/nginx_mail_spec.rb 
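Review bot: The new guard `if versioncmp($nginx_version, '1.15.0') < 0` in `manifests/init.pp` checks only the value `$nginx_version` resolves to. When the `nginx_version` fact is absent, that value is the hard-coded `'1.16.0'` default from the previous hunk, so the guard passes without knowing which nginx the package resource will install. The templates in this commit no longer emit `ssl on;` for older versions, so on a first run that installs a pre-1.15 package the rendered TLS configuration would presumably rest on an unverified assumption. I would document that next to the guard, for example `# Fails closed only for an explicit or fact-reported version < 1.15.0; with no fact the '1.16.0' default is assumed, not verified.` The class body starts and ends outside the hunk.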
@@ -79,45 +79,5 @@ class { 'nginx': describe port(465) do it { is_expected.to be_listening } end - - context 'when configured for nginx 1.14' do - it 'runs successfully' do - pp = " - if fact('os.family') == 'RedHat' { - package { 'nginx-mod-mail': - ensure => installed, - } - } - - class { 'nginx': - mail => true, - nginx_version => '1.14.0', - dynamic_modules => fact('os.family') ? { - 'RedHat' => ['/usr/lib64/nginx/modules/ngx_mail_module.so'], - default => [], - } - } - nginx::resource::mailhost { 'domain1.example': - ensure => present, - auth_http => 'localhost/cgi-bin/auth', - protocol => 'smtp', - listen_port => 587, - ssl => true, - ssl_port => 465, - ssl_cert => '/etc/pki/tls/certs/blah.cert', - ssl_key => '/etc/pki/tls/private/blah.key', - xclient => 'off', - } - " - - apply_manifest(pp, catch_failures: true) - end - - describe file('/etc/nginx/conf.mail.d/domain1.example.conf') do - it 'does\'t contain `ssl` on `listen` line' do - is_expected.to contain 'listen *:465;' - end - end - end end end diff --git a/spec/classes/nginx_spec.rb b/spec/classes/nginx_spec.rb index b0ba21406..43eabdbc2 100644 --- a/spec/classes/nginx_spec.rb +++ b/spec/classes/nginx_spec.rb @@ -38,6 +38,12 @@ it { is_expected.to contain_nginx__resource__streamhost('streamhost1').with_proxy('streamproxy') } end + describe 'unsupported version' do + let(:params) { { nginx_version: '1.14.0' } } + + it { is_expected.to compile.and_raise_error(%r{nginx::nginx_version must be at least 1.15.0, got 1.14.0}) } + end + context 'nginx::package' do it { is_expected.to compile.with_all_deps } 
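Review bot: The `unsupported version` example in `spec/classes/nginx_spec.rb` pins only the rejecting side of the new guard, and the dots in `%r{nginx::nginx_version must be at least 1.15.0, got 1.14.0}` are unescaped, so the pattern matches more than the literal message. A boundary case would show that the minimum itself is still accepted: a sibling example with `let(:params) { { nginx_version: '1.15.0' } }` and `it { is_expected.to compile.with_all_deps }`. The pattern would be exact as `%r{must be at least 1\.15\.0, got 1\.14\.0}`. The enclosing block starts and ends outside the hunk.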
@@ -189,13 +195,8 @@ let(:params) { { package_source: 'passenger' } } it { is_expected.to contain_package('nginx') } + it { is_expected.to contain_package('libnginx-mod-http-passenger') } - if (facts.dig(:os, 'name') == 'Debian' && %w[11].include?(facts.dig(:os, 'release', 'major'))) || - (facts.dig(:os, 'name') == 'Ubuntu' && %w[bionic focal jammy].include?(facts.dig(:os, 'distro', 'codename'))) - it { is_expected.to contain_package('libnginx-mod-http-passenger') } - else - it { is_expected.to contain_package('passenger') } - end it do is_expected.to contain_apt__source('nginx').with( 'location' => 'https://oss-binaries.phusionpassenger.com/apt/passenger', diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb index 86be065ed..7c6b76c56 100644 --- a/spec/defines/resource_mailhost_spec.rb +++ b/spec/defines/resource_mailhost_spec.rb @@ -548,7 +548,7 @@ title: 'should set the IPv4 SSL listen port', attr: 'ssl_port', value: 45, - match: ' listen *:45;' + match: ' listen *:45 ssl;' }, { title: 'should enable IPv6', diff --git a/spec/defines/resource_server_spec.rb b/spec/defines/resource_server_spec.rb index 60515a008..6278bd2bf 100644 --- a/spec/defines/resource_server_spec.rb +++ b/spec/defines/resource_server_spec.rb @@ -667,20 +667,6 @@ ) end - context 'without a value for the nginx_version fact do' do - let :facts do - facts[:nginx_version] ? facts.delete(:nginx_version) : facts - end - - it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ ssl on;}) } - end - - context 'with fact nginx_version=1.14.1' do - let(:facts) { facts.merge(nginx_version: '1.14.1') } - - it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ ssl on;}) } - end - context 'with fact nginx_version=1.15.1' do let(:facts) { facts.merge(nginx_version: '1.15.1') } diff --git a/templates/mailhost/mailhost.epp b/templates/mailhost/mailhost.epp index 8a9c4fb58..003898c8a 100644 
--- a/templates/mailhost/mailhost.epp +++ b/templates/mailhost/mailhost.epp @@ -23,9 +23,6 @@ server { <%- } -%> <%= $mailhost_common -%> -<%- if versioncmp($nginx_version, '1.15.0') < 0 { -%> - ssl off; -<% } %> starttls <%= $starttls %>; <% if $starttls != 'off' { %> diff --git a/templates/mailhost/mailhost_ssl.epp b/templates/mailhost/mailhost_ssl.epp index 3b0ef78fc..e5ffc5f10 100644 --- a/templates/mailhost/mailhost_ssl.epp +++ b/templates/mailhost/mailhost_ssl.epp @@ -14,16 +14,13 @@ server { <%= $mailhost_prepend -%> <%- $listen_ip.each |$ip| { -%> - listen <%= $ip %>:<%= $ssl_port %><% if versioncmp($nginx_version, '1.15.0') >= 0 { %> ssl<% } %>; + listen <%= $ip %>:<%= $ssl_port %> ssl; <%- } -%> <%- $ipv6_listen_ip.each |$ipv6| { -%> listen [<%= $ipv6 %>]:<%= $ssl_port %> <% if $ipv6_listen_options { %><%= $ipv6_listen_options %><% } %>; <%- } -%> <%= $mailhost_common -%> -<%- if versioncmp($nginx_version, '1.15.0') < 0 { -%> - ssl on; -<% } %> starttls off; <%= $mailhost_ssl_settings -%> diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb index 16a056139..e5251ace8 100755 --- a/templates/server/server_ssl_settings.erb +++ b/templates/server/server_ssl_settings.erb @@ -1,6 +1,3 @@ -<% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) < 0 -%> - ssl on; -<% end -%> <% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) >= 0 && @http2 -%> http2 <%= @http2 %>; <% end -%>
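Review bot: In `templates/mailhost/mailhost_ssl.epp` only the IPv4 `listen` line gets the now unconditional ` ssl`. The IPv6 line in the same hunk, `listen [<%= $ipv6 %>]:<%= $ssl_port %> <% if $ipv6_listen_options { %>…`, carries no `ssl` parameter, and this commit removes the `ssl on;` fallback that covered it on older versions. Unless `$ipv6_listen_options` is expected to supply `ssl` (not visible here), the IPv6 listener on the SSL port would be rendered without TLS. I would render it as `listen [<%= $ipv6 %>]:<%= $ssl_port %> ssl<% if $ipv6_listen_options { %> <%= $ipv6_listen_options %><% } %>;` and add an IPv6 case next to the `' listen *:45 ssl;'` expectation in `spec/defines/resource_mailhost_spec.rb`. The `server` block starts and ends outside the hunk.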