feat: niginx baseline hardening

2023-07-20 13:44:36 +05:30 · 2023-07-20 13:44:36 +05:30 · 52467092a6
commit 52467092a6
parent b6d1f3eaf0
3 changed files with 19 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,6 @@ terraform.tfstate.backup
 .terraform/
 .terraform.lock.hcl
 bullseye
+inspec/
+inspec.sh
+ansible/assets/
--- a/ansible/loadbalance.yml
+++ b/ansible/loadbalance.yml
@ -5,24 +5,23 @@
 ---
 - name: Configure loadbalancers
  hosts: bullseye_loadbalance
-  remote_user: root
-
-  tasks:
-    - name: Ensure all VMs are reachable
-      ansible.builtin.ping:
-    - name: Update package cache
-      ansible.builtin.apt:
-        update_cache: true
-        upgrade: safe
-
-    - name: Install git, zip, nginx, wget, curl & other utils
+  remote_user: atm
+  become: true
+  pre_tasks:
+    - name: Install nginx
+      become: true
      ansible.builtin.apt:
        update_cache: true
        pkg:
          - nginx
          - ca-certificates
-          - ufw

+  collections:
+    - devsec.hardening
+  roles:
+    - dev-sec.nginx-hardening
+
+  tasks:
    - name: Add user atm to docker group
      ansible.builtin.user:
        name: atm
@ -62,12 +61,12 @@
    - name: Copy the Nginx config file and restart nginx
      ansible.builtin.copy:
        src: ./assets/nginx.cfg
-        dest: /etc/nginx/sites-available/nginx.cfg
+        dest: /etc/nginx/sites-available/libreddit

    - name: Create symlink
      ansible.builtin.file:
-        src: /etc/nginx/sites-available/nginx.cfg
-        dest: /etc/nginx/sites-enabled/default
+        src: /etc/nginx/sites-available/libreddit
+        dest: /etc/nginx/sites-enabled/libreddit
        state: link

    - name: Enable and start nginx service
--- a/tests/test_loadbalance.py
+++ b/tests/test_loadbalance.py
@ -33,11 +33,11 @@ def test_nginx_service_running_and_enabled(host):
    assert service.is_enabled

 def test_config_is_present(host):
-    file = host.file("/etc/nginx/sites-available/nginx.cfg")
+    file = host.file("/etc/nginx/sites-available/libreddit")
    assert file.exists
    assert file.is_file

-    sym_file = host.file("/etc/nginx/sites-enabled/default")
+    sym_file = host.file("/etc/nginx/sites-enabled/libreddit")
    assert sym_file.exists
    assert sym_file.is_symlink
    assert sym_file.linked_to  == file