feat: niginx baseline hardening
This commit is contained in:
parent
b6d1f3eaf0
commit
52467092a6
3 changed files with 19 additions and 17 deletions
3
.gitignore
vendored
|
@ -9,3 +9,6 @@ terraform.tfstate.backup
|
|||
.terraform/
|
||||
.terraform.lock.hcl
|
||||
bullseye
|
||||
inspec/
|
||||
inspec.sh
|
||||
ansible/assets/
|
||||
|
|
|
@ -5,24 +5,23 @@
|
|||
---
|
||||
- name: Configure loadbalancers
|
||||
hosts: bullseye_loadbalance
|
||||
remote_user: root
|
||||
|
||||
tasks:
|
||||
- name: Ensure all VMs are reachable
|
||||
ansible.builtin.ping:
|
||||
- name: Update package cache
|
||||
ansible.builtin.apt:
|
||||
update_cache: true
|
||||
upgrade: safe
|
||||
|
||||
- name: Install git, zip, nginx, wget, curl & other utils
|
||||
remote_user: atm
|
||||
become: true
|
||||
pre_tasks:
|
||||
- name: Install nginx
|
||||
become: true
|
||||
ansible.builtin.apt:
|
||||
update_cache: true
|
||||
pkg:
|
||||
- nginx
|
||||
- ca-certificates
|
||||
- ufw
|
||||
|
||||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- dev-sec.nginx-hardening
|
||||
|
||||
tasks:
|
||||
- name: Add user atm to docker group
|
||||
ansible.builtin.user:
|
||||
name: atm
|
||||
|
@ -62,12 +61,12 @@
|
|||
- name: Copy the Nginx config file and restart nginx
|
||||
ansible.builtin.copy:
|
||||
src: ./assets/nginx.cfg
|
||||
dest: /etc/nginx/sites-available/nginx.cfg
|
||||
dest: /etc/nginx/sites-available/libreddit
|
||||
|
||||
- name: Create symlink
|
||||
ansible.builtin.file:
|
||||
src: /etc/nginx/sites-available/nginx.cfg
|
||||
dest: /etc/nginx/sites-enabled/default
|
||||
src: /etc/nginx/sites-available/libreddit
|
||||
dest: /etc/nginx/sites-enabled/libreddit
|
||||
state: link
|
||||
|
||||
- name: Enable and start nginx service
|
||||
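Review bot: The symlink task now creates `/etc/nginx/sites-enabled/libreddit` instead of overwriting `/etc/nginx/sites-enabled/default`, so the package-shipped `default` site, if present, stays enabled next to the new one and still serves any request that does not match the libreddit server block. If that is not intended, disable it in the same play, e.g. a `file:` task with `path: /etc/nginx/sites-enabled/default` and `state: absent`, and have it `notify` the restart the task name "Copy the Nginx config file and restart nginx" promises but no visible `notify:` delivers. The copy source `./assets/nginx.cfg` sits under the `ansible/assets/` path the .gitignore hunk appears to add, so a fresh checkout will not have the file; if it is ignored because it carries host-specific values, template it from a tracked file instead. In the first hunk, `- dev-sec.nginx-hardening` under `roles:` is the legacy Galaxy role name, while the `devsec.hardening` collection listed under `collections:` ships the role as `devsec.hardening.nginx_hardening`, so the role will not resolve unless the old standalone role is installed separately. Both plays continue outside the hunks.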
|
|
|
@ -33,11 +33,11 @@ def test_nginx_service_running_and_enabled(host):
|
|||
assert service.is_enabled
|
||||
|
||||
def test_config_is_present(host):
|
||||
file = host.file("/etc/nginx/sites-available/nginx.cfg")
|
||||
file = host.file("/etc/nginx/sites-available/libreddit")
|
||||
assert file.exists
|
||||
assert file.is_file
|
||||
|
||||
sym_file = host.file("/etc/nginx/sites-enabled/default")
|
||||
sym_file = host.file("/etc/nginx/sites-enabled/libreddit")
|
||||
assert sym_file.exists
|
||||
assert sym_file.is_symlink
|
||||
assert sym_file.linked_to == file
|
||||
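Review bot: `test_config_is_present` checks the new `/etc/nginx/sites-enabled/libreddit` link, but nothing asserts that the packaged `default` site is no longer enabled, which the old symlink target used to guarantee by replacing it; if the play is meant to replace it, add `assert not host.file("/etc/nginx/sites-enabled/default").exists` after the `sym_file` checks. It would also be clearer to pin the link target as a path, `assert sym_file.linked_to == "/etc/nginx/sites-available/libreddit"`, since `linked_to == file` depends on how testinfra defines equality between a path string and a `File` object. The hunk starts inside `test_nginx_service_running_and_enabled`, whose body begins above the hunk.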
|
|