
fix linting issues (#30)

* fix linting issues

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* set file permissions

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
This commit is contained in:
schurzi 2020-08-24 10:45:13 +02:00 committed by GitHub
parent cb407267c0
commit 3028b5ddc7
Signed by: GitHub
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 135 additions and 127 deletions

@ -1,6 +1,7 @@
---
name: New release name: New release
on: on: # yamllint disable-line rule:truthy
push: push:
branches: branches:
- master - master

@ -93,8 +93,7 @@ verifier:
name: inspec name: inspec
sudo: true sudo: true
inspec_tests: inspec_tests:
- ../nginx-baseline - https://github.com/dev-sec/nginx-baseline
#- https://github.com/dev-sec/nginx-baseline
controls: controls:
- nginx-01 - nginx-01
- nginx-02 - nginx-02
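Review bot: The re-enabled `inspec_tests` entry `https://github.com/dev-sec/nginx-baseline` pulls the profile from the repository's default branch on every verifier run with no tag or commit pinned, so the controls listed under it (`nginx-01`, `nginx-02`, …) are judged against whatever upstream is at that moment and a kitchen run can change outcome without any commit to this repository. Pin it — as far as I recall kitchen-inspec takes a mapping here, e.g. `- name: nginx-baseline`, `git: https://github.com/dev-sec/nginx-baseline`, `tag: <released tag>` — or keep the previous `../nginx-baseline` local checkout as a second entry for offline runs. The baseline lives in the same organisation, so the supply-chain exposure is limited, but pinning is also what makes a failing verifier reproducible.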

@ -89,19 +89,6 @@ env:
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
test_playbook: official-nginx-role-debian.yml test_playbook: official-nginx-role-debian.yml
# - distro: amazon
# init: /lib/systemd/systemd
# version: latest
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
# test_playbook: official-nginx-role-debian.yml
#
# - distro: fedora
# init: /lib/systemd/systemd
# version: latest
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
# test_playbook: official-nginx-role-debian.yml
before_install: before_install:
# Pull container # Pull container
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'

@ -1,3 +1,4 @@
---
- name: restart nginx - name: restart nginx
service: service:
name: "nginx" name: "nginx"

@ -1,2 +1,3 @@
---
- src: nginxinc.nginx - src: nginxinc.nginx
- src: geerlingguy.nginx - src: geerlingguy.nginx

@ -5,12 +5,13 @@
mode: "o-rw" mode: "o-rw"
owner: "root" owner: "root"
group: "root" group: "root"
recurse: yes recurse: true
- name: create additional configuration - name: create additional configuration
template: template:
src: "hardening.conf.j2" src: "hardening.conf.j2"
dest: "/etc/nginx/conf.d/90.hardening.conf" dest: "/etc/nginx/conf.d/90.hardening.conf"
mode: '0600'
owner: "root" owner: "root"
group: "root" group: "root"
notify: restart nginx notify: restart nginx
@ -21,6 +22,9 @@
regexp: '^\s*server_tokens' regexp: '^\s*server_tokens'
line: " server_tokens {{ nginx_server_tokens }};" line: " server_tokens {{ nginx_server_tokens }};"
insertafter: "http {" insertafter: "http {"
mode: '0640'
owner: "root"
group: "root"
notify: restart nginx notify: restart nginx
- name: change ssl_protocols in main nginx.conf - name: change ssl_protocols in main nginx.conf
@ -29,6 +33,9 @@
regexp: '^\s*ssl_protocols' regexp: '^\s*ssl_protocols'
line: " ssl_protocols {{ nginx_ssl_protocols }};" line: " ssl_protocols {{ nginx_ssl_protocols }};"
insertafter: "http {" insertafter: "http {"
mode: '0640'
owner: "root"
group: "root"
notify: restart nginx notify: restart nginx
- name: change ssl_prefer_server_ciphers in main nginx.conf - name: change ssl_prefer_server_ciphers in main nginx.conf
@ -37,6 +44,9 @@
regexp: '^\s*ssl_prefer_server_ciphers' regexp: '^\s*ssl_prefer_server_ciphers'
line: " ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers }};" line: " ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers }};"
insertafter: "http {" insertafter: "http {"
mode: '0640'
owner: "root"
group: "root"
notify: restart nginx notify: restart nginx
- name: change client_max_body_size in main nginx.conf - name: change client_max_body_size in main nginx.conf
@ -45,6 +55,9 @@
regexp: '^\s*client_max_body_size' regexp: '^\s*client_max_body_size'
line: " client_max_body_size {{ nginx_client_max_body_size }};" line: " client_max_body_size {{ nginx_client_max_body_size }};"
insertafter: "http {" insertafter: "http {"
mode: '0640'
owner: "root"
group: "root"
notify: restart nginx notify: restart nginx
- name: change client_body_buffer_size in main nginx.conf - name: change client_body_buffer_size in main nginx.conf
@ -53,6 +66,9 @@
regexp: '^\s*client_body_buffer_size' regexp: '^\s*client_body_buffer_size'
line: " client_body_buffer_size {{ nginx_client_body_buffer_size }};" line: " client_body_buffer_size {{ nginx_client_body_buffer_size }};"
insertafter: "http {" insertafter: "http {"
mode: '0640'
owner: "root"
group: "root"
notify: restart nginx notify: restart nginx
- name: change keepalive_timeout in main nginx.conf - name: change keepalive_timeout in main nginx.conf
@ -61,6 +77,9 @@
regexp: '^\s*keepalive_timeout' regexp: '^\s*keepalive_timeout'
line: " keepalive_timeout {{ nginx_keepalive_timeout }};" line: " keepalive_timeout {{ nginx_keepalive_timeout }};"
insertafter: "http {" insertafter: "http {"
mode: '0640'
owner: "root"
group: "root"
notify: restart nginx notify: restart nginx
- name: remove default.conf - name: remove default.conf
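Review bot: The `mode: '0600'` added to the conf.d template task at `dest: "/etc/nginx/conf.d/90.hardening.conf"` and the `mode: '0640'` added to each lineinfile task on nginx.conf leave the two role-managed files with different permissions and no comment saying why; both are `owner: "root"` / `group: "root"`, so either use `mode: '0640'` for the fragment as well or put `# stricter than nginx.conf: role-generated fragment, no other intended reader` above the `mode: '0600'` line. The six lineinfile tasks now repeat the same `mode`/`owner`/`group` triplet and differ only in `regexp`/`line`, which is the point at which one task with `loop:` over the directive list is easier to keep consistent (rewrite below; the `lineinfile:` and path lines sit outside the hunks and are unchanged). Separately, `lineinfile` does not check that the edited nginx.conf still parses, so a bad `nginx_ssl_protocols` value only surfaces when the `restart nginx` handler fails; `validate: 'nginx -t -c %s'` on the task would reject it before the restart, though whether `-c` on a temporary copy resolves relative `include` paths depends on the build prefix and should be confirmed on the target distro.

```yaml
- name: set hardening directives in main nginx.conf
  lineinfile:
    # … unchanged: path to nginx.conf (outside the hunks) …
    regexp: '^\s*{{ item.directive }}'
    line: "  {{ item.directive }} {{ item.value }};"
    insertafter: "http {"
    mode: '0640'
    owner: "root"
    group: "root"
  loop:
    - directive: server_tokens
      value: "{{ nginx_server_tokens }}"
    - directive: ssl_protocols
      value: "{{ nginx_ssl_protocols }}"
    - directive: ssl_prefer_server_ciphers
      value: "{{ nginx_ssl_prefer_server_ciphers }}"
    - directive: client_max_body_size
      value: "{{ nginx_client_max_body_size }}"
    - directive: client_body_buffer_size
      value: "{{ nginx_client_body_buffer_size }}"
    - directive: keepalive_timeout
      value: "{{ nginx_keepalive_timeout }}"
  notify: restart nginx
```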