From fac6e156330db767b4321dce3083fa70558ef161 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Thu, 16 Sep 2021 17:22:27 +0200
Subject: [PATCH] varnish: validate configuration

---
 CHANGELOG.md           |  1 +
 varnish/tasks/main.yml | 57 ++++++++++++++++++++++++------------------
 2 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39b33e78..17dd6ce3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release.
 * nagios-nrpe + evolinux-users: new checks for bkctld
 * redis: instance service for Debian 11
 * squid: add *.o.lencr.org to default whitelist
+* varnish: validate configuration
 
 ### Changed
 
diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml
index 75268841..46ee965b 100644
--- a/varnish/tasks/main.yml
+++ b/varnish/tasks/main.yml
@@ -43,6 +43,9 @@
     src: varnish.conf.jessie.j2
     dest: /etc/systemd/system/varnish.service.d/evolinux.conf
     force: yes
+    owner: root
+    group: root
+    mode: "0644"
   when: ansible_distribution_major_version is version('10', '<')
   notify:
     - reload systemd
@@ -58,6 +61,9 @@
     src: varnish.conf.buster.j2
     dest: /etc/systemd/system/varnish.service.d/evolinux.conf
     force: yes
+    owner: root
+    group: root
+    mode: "0644"
   when: ansible_distribution_major_version is version('10', '>=')
   notify:
     - reload systemd
@@ -79,12 +85,39 @@
     - varnish
     - logrotate
 
+- name: Create Varnish config dir
+  file:
+    path: /etc/varnish/conf.d
+    state: directory
+    mode: "0755"
+  tags:
+    - varnish
+    - config
+    - update-config
+
+# First, copy included files
+- name: Copy included Varnish config
+  template:
+    src: "{{ item }}"
+    dest: /etc/varnish/conf.d/
+    mode: "0644"
+    force: yes
+  with_fileglob:
+    - "templates/varnish/conf.d/*.vcl"
+  notify: reload varnish
+  tags:
+    - varnish
+    - config
+    - update-config
+
+# Then, copy main configuration
 - name: Copy Varnish configuration
   template:
     src: "{{ item }}"
     dest: "{{ varnish_config_file }}"
     mode: "0644"
     force: yes
+    validate: "varnishd -Cf %s > /dev/null"
   loop: "{{ query('first_found', templates) }}"
   vars:
     templates:
@@ -102,28 +135,4 @@
     - config
     - update-config
 
-- name: Create Varnish config dir
-  file:
-    path: /etc/varnish/conf.d
-    state: directory
-    mode: "0755"
-  tags:
-    - varnish
-    - config
-    - update-config
-
-- name: Copy included Varnish config
-  template:
-    src: "{{ item }}"
-    dest: /etc/varnish/conf.d/
-    force: yes
-    mode: "0644"
-  with_fileglob:
-    - "templates/varnish/conf.d/*.vcl"
-  notify: reload varnish
-  tags:
-    - varnish
-    - config
-    - update-config
-
 - include: munin.yml