feat: niginx baseline hardening

This commit is contained in:
Aravinth Manivannan 2023-07-20 13:44:36 +05:30
parent b6d1f3eaf0
commit 52467092a6
Signed by: realaravinth
GPG key ID: AD9F0F08E855ED88
3 changed files with 19 additions and 17 deletions

.gitignore vendored

@ -9,3 +9,6 @@ terraform.tfstate.backup
.terraform/
.terraform.lock.hcl
bullseye
inspec/
inspec.sh
ansible/assets/


@ -5,24 +5,23 @@
---
- name: Configure loadbalancers
hosts: bullseye_loadbalance
remote_user: root
tasks:
- name: Ensure all VMs are reachable
ansible.builtin.ping:
- name: Update package cache
ansible.builtin.apt:
update_cache: true
upgrade: safe
- name: Install git, zip, nginx, wget, curl & other utils
remote_user: atm
become: true
pre_tasks:
- name: Install nginx
become: true
ansible.builtin.apt:
update_cache: true
pkg:
- nginx
- ca-certificates
- ufw
collections:
- devsec.hardening
roles:
- dev-sec.nginx-hardening
tasks:
- name: Add user atm to docker group
ansible.builtin.user:
name: atm
@ -62,12 +61,12 @@
- name: Copy the Nginx config file and restart nginx
ansible.builtin.copy:
src: ./assets/nginx.cfg
dest: /etc/nginx/sites-available/nginx.cfg
dest: /etc/nginx/sites-available/libreddit
- name: Create symlink
ansible.builtin.file:
src: /etc/nginx/sites-available/nginx.cfg
dest: /etc/nginx/sites-enabled/default
src: /etc/nginx/sites-available/libreddit
dest: /etc/nginx/sites-enabled/libreddit
state: link
- name: Enable and start nginx service
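Review bot: The symlink task in the second hunk now creates `/etc/nginx/sites-enabled/libreddit` instead of overwriting `/etc/nginx/sites-enabled/default`, so the link the Debian nginx package ships at that path is left in place and the stock default server block stays enabled alongside the libreddit site; for a hardening commit that link should be removed explicitly, and a task doing so is sketched below. The task title `Copy the Nginx config file and restart nginx` promises a restart, but no `notify` appears in this hunk — if the handler is wired outside it, a `notify` on the copy task would make that visible. In the first hunk the play declares the `devsec.hardening` collection but lists the role as `dev-sec.nginx-hardening`, which looks like the older standalone Galaxy role name rather than the collection's `devsec.hardening.nginx_hardening`, so one of the two references is probably unused. The copied source `./assets/nginx.cfg` appears to live under `ansible/assets/`, which the .gitignore hunk lists, so the site config being installed cannot be reviewed here.

```yaml
# … unchanged: copy of ./assets/nginx.cfg to /etc/nginx/sites-available/libreddit …
- name: Disable the distribution default site
  ansible.builtin.file:
    path: /etc/nginx/sites-enabled/default
    state: absent
# … unchanged: symlink task and "Enable and start nginx service" …
```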


@ -33,11 +33,11 @@ def test_nginx_service_running_and_enabled(host):
assert service.is_enabled
def test_config_is_present(host):
file = host.file("/etc/nginx/sites-available/nginx.cfg")
file = host.file("/etc/nginx/sites-available/libreddit")
assert file.exists
assert file.is_file
sym_file = host.file("/etc/nginx/sites-enabled/default")
sym_file = host.file("/etc/nginx/sites-enabled/libreddit")
assert sym_file.exists
assert sym_file.is_symlink
assert sym_file.linked_to == file
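Review bot: The new assertions only establish that the libreddit symlink exists; nothing checks that the distribution's `/etc/nginx/sites-enabled/default` link, which the previous version of this test treated as the enabled site, is gone, so a stock default server block left enabled would still pass. If the playbook is meant to replace rather than add to the default site, add `assert not host.file("/etc/nginx/sites-enabled/default").exists` after the symlink checks. Separately, `sym_file.linked_to` returns a resolved path string in testinfra, so the comparison with the `file` object on the last line relies on `File` equality semantics — `assert sym_file.linked_to == file.path` is the unambiguous form. `test_config_is_present` may continue past the end of the hunk.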