feat: niginx baseline hardening
This commit is contained in:
parent
b6d1f3eaf0
commit
52467092a6
3 changed files with 19 additions and 17 deletions
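--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,6 @@ terraform.tfstate.backup
 .terraform/
 .terraform.lock.hcl
 bullseye
+inspec/
+inspec.sh
+ansible/assets/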
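Review bot: Ignoring `ansible/assets/` takes the nginx vhost that the playbook on this page copies from `./assets/nginx.cfg` out of version control, so the deployed config — the artefact this hardening baseline is supposed to pin down — is neither reviewable nor reproducible from a clone. If the directory is ignored because it also holds secrets (certificates, keys), split those out and keep the server block tracked; otherwise document the provenance next to the entry, e.g. `# ansible/assets/ is populated out of band; nginx.cfg must be present before running the playbook`. `inspec/` and `inspec.sh` read like the compliance checks for this baseline; if they are generated, name the generator in a comment so the next reader knows they are not the source of truth.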
@ -5,24 +5,23 @@
|
||||||
---
|
---
|
||||||
- name: Configure loadbalancers
|
- name: Configure loadbalancers
|
||||||
hosts: bullseye_loadbalance
|
hosts: bullseye_loadbalance
|
||||||
remote_user: root
|
remote_user: atm
|
||||||
|
become: true
|
||||||
tasks:
|
pre_tasks:
|
||||||
- name: Ensure all VMs are reachable
|
- name: Install nginx
|
||||||
ansible.builtin.ping:
|
become: true
|
||||||
- name: Update package cache
|
|
||||||
ansible.builtin.apt:
|
|
||||||
update_cache: true
|
|
||||||
upgrade: safe
|
|
||||||
|
|
||||||
- name: Install git, zip, nginx, wget, curl & other utils
|
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
pkg:
|
pkg:
|
||||||
- nginx
|
- nginx
|
||||||
- ca-certificates
|
- ca-certificates
|
||||||
- ufw
|
|
||||||
|
|
||||||
|
collections:
|
||||||
|
- devsec.hardening
|
||||||
|
roles:
|
||||||
|
- dev-sec.nginx-hardening
|
||||||
|
|
||||||
|
tasks:
|
||||||
- name: Add user atm to docker group
|
- name: Add user atm to docker group
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: atm
|
name: atm
|
||||||
|
@ -62,12 +61,12 @@
|
||||||
- name: Copy the Nginx config file and restart nginx
|
- name: Copy the Nginx config file and restart nginx
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: ./assets/nginx.cfg
|
src: ./assets/nginx.cfg
|
||||||
dest: /etc/nginx/sites-available/nginx.cfg
|
dest: /etc/nginx/sites-available/libreddit
|
||||||
|
|
||||||
- name: Create symlink
|
- name: Create symlink
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
src: /etc/nginx/sites-available/nginx.cfg
|
src: /etc/nginx/sites-available/libreddit
|
||||||
dest: /etc/nginx/sites-enabled/default
|
dest: /etc/nginx/sites-enabled/libreddit
|
||||||
state: link
|
state: link
|
||||||
|
|
||||||
- name: Enable and start nginx service
|
- name: Enable and start nginx service
|
||||||
|
|
|
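Review bot: The play declares `collections: - devsec.hardening` but then references the role by its legacy Galaxy name `dev-sec.nginx-hardening`; the `collections:` keyword only shortens FQCN lookup and neither installs nor exposes that standalone role, so unless it is installed separately the play fails at role resolution, and the two names can drift to different code over time. Use the collection's role, `- devsec.hardening.nginx_hardening`, and pin the collection version in a requirements file (not visible here) so the hardening content is a fixed, reviewable input rather than whatever "latest" resolves to. The same hunk drops the `upgrade: safe` step and the `ufw` package, so after this change the run no longer applies pending security updates and no longer installs a host firewall — neither of which the nginx-hardening role covers; if both are deliberately handled elsewhere, say so in a comment, otherwise keep them. The task-level `become: true` under "Install nginx" is redundant now that the play sets it and can go.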
@ -33,11 +33,11 @@ def test_nginx_service_running_and_enabled(host):
|
||||||
assert service.is_enabled
|
assert service.is_enabled
|
||||||
|
|
||||||
def test_config_is_present(host):
|
def test_config_is_present(host):
|
||||||
file = host.file("/etc/nginx/sites-available/nginx.cfg")
|
file = host.file("/etc/nginx/sites-available/libreddit")
|
||||||
assert file.exists
|
assert file.exists
|
||||||
assert file.is_file
|
assert file.is_file
|
||||||
|
|
||||||
sym_file = host.file("/etc/nginx/sites-enabled/default")
|
sym_file = host.file("/etc/nginx/sites-enabled/libreddit")
|
||||||
assert sym_file.exists
|
assert sym_file.exists
|
||||||
assert sym_file.is_symlink
|
assert sym_file.is_symlink
|
||||||
assert sym_file.linked_to == file
|
assert sym_file.linked_to == file
|
||||||
|
|
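Review bot: The renamed assertions only check that the new `libreddit` vhost exists and is linked, so a host provisioned before this commit still passes with the old `/etc/nginx/sites-enabled/default` symlink in place — the playbook hunk on this page creates the new link but never removes the old one, leaving the pre-hardening vhost enabled alongside it. Add `assert not host.file("/etc/nginx/sites-enabled/default").exists` here (and a matching `state: absent` task in the playbook). Because the copy task sets no owner or mode, it is also worth pinning them on the config, e.g. `assert file.user == "root"` and `assert file.mode == 0o644`, so a world-writable vhost is caught by the test rather than in production. If this is testinfra, `assert host.run("nginx -t").rc == 0` would additionally confirm the server blocks do not conflict; `test_config_is_present` may continue past the end of the hunk.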