mirror of
https://github.com/dev-sec/ansible-nginx-hardening.git
synced 2024-11-26 07:03:49 +01:00
fix linting issues (#30)
* fix linting issues Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * set file permissions Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
parent
cb407267c0
commit
3028b5ddc7
3
.github/workflows/release.yml
vendored
3
.github/workflows/release.yml
vendored
@ -1,6 +1,7 @@
|
|||||||
|
---
|
||||||
name: New release
|
name: New release
|
||||||
|
|
||||||
on:
|
on: # yamllint disable-line rule:truthy
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- master
|
- master
|
||||||
|
@ -93,8 +93,7 @@ verifier:
|
|||||||
name: inspec
|
name: inspec
|
||||||
sudo: true
|
sudo: true
|
||||||
inspec_tests:
|
inspec_tests:
|
||||||
- ../nginx-baseline
|
- https://github.com/dev-sec/nginx-baseline
|
||||||
#- https://github.com/dev-sec/nginx-baseline
|
|
||||||
controls:
|
controls:
|
||||||
- nginx-01
|
- nginx-01
|
||||||
- nginx-02
|
- nginx-02
|
||||||
|
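Review bot: The `inspec_tests` entry in this `verifier:` block appears to switch from the local `../nginx-baseline` checkout to `https://github.com/dev-sec/nginx-baseline` with no tag or commit, so each test run fetches whatever the default branch holds at that moment. For a hardening role this makes the compliance result non-reproducible, and an upstream change alters what CI executes without any change in this repository. Consider pinning the profile to a release tag or commit, and until then record the intent with a comment such as `# TODO: pin nginx-baseline to a released tag or commit`. The file header for this hunk is not visible on the page, and the old/new sides are inferred from the hunk header counts and print order.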
13
.travis.yml
13
.travis.yml
@ -89,19 +89,6 @@ env:
|
|||||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||||
test_playbook: official-nginx-role-debian.yml
|
test_playbook: official-nginx-role-debian.yml
|
||||||
|
|
||||||
# - distro: amazon
|
|
||||||
# init: /lib/systemd/systemd
|
|
||||||
# version: latest
|
|
||||||
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
|
||||||
# test_playbook: official-nginx-role-debian.yml
|
|
||||||
#
|
|
||||||
# - distro: fedora
|
|
||||||
# init: /lib/systemd/systemd
|
|
||||||
# version: latest
|
|
||||||
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
|
||||||
# test_playbook: official-nginx-role-debian.yml
|
|
||||||
|
|
||||||
|
|
||||||
before_install:
|
before_install:
|
||||||
# Pull container
|
# Pull container
|
||||||
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
|
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
|
||||||
|
@ -1,3 +1,4 @@
|
|||||||
|
---
|
||||||
- name: restart nginx
|
- name: restart nginx
|
||||||
service:
|
service:
|
||||||
name: "nginx"
|
name: "nginx"
|
||||||
|
@ -1,2 +1,3 @@
|
|||||||
|
---
|
||||||
- src: nginxinc.nginx
|
- src: nginxinc.nginx
|
||||||
- src: geerlingguy.nginx
|
- src: geerlingguy.nginx
|
||||||
|
@ -5,12 +5,13 @@
|
|||||||
mode: "o-rw"
|
mode: "o-rw"
|
||||||
owner: "root"
|
owner: "root"
|
||||||
group: "root"
|
group: "root"
|
||||||
recurse: yes
|
recurse: true
|
||||||
|
|
||||||
- name: create additional configuration
|
- name: create additional configuration
|
||||||
template:
|
template:
|
||||||
src: "hardening.conf.j2"
|
src: "hardening.conf.j2"
|
||||||
dest: "/etc/nginx/conf.d/90.hardening.conf"
|
dest: "/etc/nginx/conf.d/90.hardening.conf"
|
||||||
|
mode: '0600'
|
||||||
owner: "root"
|
owner: "root"
|
||||||
group: "root"
|
group: "root"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
@ -21,6 +22,9 @@
|
|||||||
regexp: '^\s*server_tokens'
|
regexp: '^\s*server_tokens'
|
||||||
line: " server_tokens {{ nginx_server_tokens }};"
|
line: " server_tokens {{ nginx_server_tokens }};"
|
||||||
insertafter: "http {"
|
insertafter: "http {"
|
||||||
|
mode: '0640'
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- name: change ssl_protocols in main nginx.conf
|
- name: change ssl_protocols in main nginx.conf
|
||||||
@ -29,6 +33,9 @@
|
|||||||
regexp: '^\s*ssl_protocols'
|
regexp: '^\s*ssl_protocols'
|
||||||
line: " ssl_protocols {{ nginx_ssl_protocols }};"
|
line: " ssl_protocols {{ nginx_ssl_protocols }};"
|
||||||
insertafter: "http {"
|
insertafter: "http {"
|
||||||
|
mode: '0640'
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- name: change ssl_prefer_server_ciphers in main nginx.conf
|
- name: change ssl_prefer_server_ciphers in main nginx.conf
|
||||||
@ -37,6 +44,9 @@
|
|||||||
regexp: '^\s*ssl_prefer_server_ciphers'
|
regexp: '^\s*ssl_prefer_server_ciphers'
|
||||||
line: " ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers }};"
|
line: " ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers }};"
|
||||||
insertafter: "http {"
|
insertafter: "http {"
|
||||||
|
mode: '0640'
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- name: change client_max_body_size in main nginx.conf
|
- name: change client_max_body_size in main nginx.conf
|
||||||
@ -45,6 +55,9 @@
|
|||||||
regexp: '^\s*client_max_body_size'
|
regexp: '^\s*client_max_body_size'
|
||||||
line: " client_max_body_size {{ nginx_client_max_body_size }};"
|
line: " client_max_body_size {{ nginx_client_max_body_size }};"
|
||||||
insertafter: "http {"
|
insertafter: "http {"
|
||||||
|
mode: '0640'
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- name: change client_body_buffer_size in main nginx.conf
|
- name: change client_body_buffer_size in main nginx.conf
|
||||||
@ -53,6 +66,9 @@
|
|||||||
regexp: '^\s*client_body_buffer_size'
|
regexp: '^\s*client_body_buffer_size'
|
||||||
line: " client_body_buffer_size {{ nginx_client_body_buffer_size }};"
|
line: " client_body_buffer_size {{ nginx_client_body_buffer_size }};"
|
||||||
insertafter: "http {"
|
insertafter: "http {"
|
||||||
|
mode: '0640'
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- name: change keepalive_timeout in main nginx.conf
|
- name: change keepalive_timeout in main nginx.conf
|
||||||
@ -61,6 +77,9 @@
|
|||||||
regexp: '^\s*keepalive_timeout'
|
regexp: '^\s*keepalive_timeout'
|
||||||
line: " keepalive_timeout {{ nginx_keepalive_timeout }};"
|
line: " keepalive_timeout {{ nginx_keepalive_timeout }};"
|
||||||
insertafter: "http {"
|
insertafter: "http {"
|
||||||
|
mode: '0640'
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- name: remove default.conf
|
- name: remove default.conf
|
||||||
|
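Review bot: The triple `mode: '0640'`, `owner: "root"`, `group: "root"` is added to six `lineinfile` tasks (the hunks at -21, -29, -37, -45, -53 and -61), while the template task for `90.hardening.conf` gets `mode: '0600'`. If all six tasks edit the main nginx.conf, as their names suggest, the permission policy is stated six times and differs from the sibling file for no visible reason. Stating it once would keep the two files from drifting apart, for example in a dedicated `file` task with `path: <NGINX_CONF_PATH>` (placeholder, the real path is not shown in the hunks) and a comment such as `# config files: root-owned, no access for others`. The tasks start outside the hunks, so the target path and module arguments above `regexp` are not visible here.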