diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4d5fa69..e548656 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,6 +1,7 @@
+---
name: New release
-on:
+on: # yamllint disable-line rule:truthy
push:
branches:
- master
@@ -59,7 +60,7 @@ jobs:
id: create_release
uses: actions/create-release@v1
env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
release_name: ${{ steps.version.outputs.next-version }}
tag_name: ${{ steps.version.outputs.next-version }}
diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
index 5f2d956..0a32e4c 100644
--- a/.kitchen.vagrant.yml
+++ b/.kitchen.vagrant.yml
@@ -25,33 +25,33 @@ transport:
max_ssh_sessions: 5
platforms:
-- name: ubuntu-16.04
- driver_config:
- box: bento/ubuntu-16.04
-- name: ubuntu-18.04
- driver_config:
- box: bento/ubuntu-18.04
-- name: centos-6
- driver_config:
- box: bento/centos-6
-- name: centos-7
- driver_config:
- box: bento/centos-7
-- name: oracle-6
- driver_config:
- box: bento/oracle-6
-- name: oracle-7
- driver_config:
- box: bento/oracle-7
-- name: debian-9
- driver_config:
- box: bento/debian-9
-- name: debian-10
- driver_config:
- box: bento/debian-10
-- name: amazon
- driver_config:
- box: bento/amazonlinux-2
+ - name: ubuntu-16.04
+ driver_config:
+ box: bento/ubuntu-16.04
+ - name: ubuntu-18.04
+ driver_config:
+ box: bento/ubuntu-18.04
+ - name: centos-6
+ driver_config:
+ box: bento/centos-6
+ - name: centos-7
+ driver_config:
+ box: bento/centos-7
+ - name: oracle-6
+ driver_config:
+ box: bento/oracle-6
+ - name: oracle-7
+ driver_config:
+ box: bento/oracle-7
+ - name: debian-9
+ driver_config:
+ box: bento/debian-9
+ - name: debian-10
+ driver_config:
+ box: bento/debian-10
+ - name: amazon
+ driver_config:
+ box: bento/amazonlinux-2
verifier:
name: inspec
@@ -60,4 +60,4 @@ verifier:
- https://github.com/dev-sec/nginx-baseline/
suites:
-- name: nginx
+ - name: nginx
diff --git a/.kitchen.yml b/.kitchen.yml
index ff7c467..88a5e88 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -26,75 +26,74 @@ provisioner:
galaxy_ignore_certs: true
platforms:
-- name: centos6-ansible-latest
- driver:
- image: rndmh3ro/docker-centos6-ansible:latest
- platform: centos
-- name: centos7-ansible-latest
- driver:
- image: rndmh3ro/docker-centos7-ansible:latest
- platform: centos
- run_command: /sbin/init
- provision_command:
- - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- - systemctl enable sshd.service
-- name: oracle6-ansible-latest
- driver:
- image: rndmh3ro/docker-oracle6-ansible:latest
- platform: centos
-- name: oracle7-ansible-latest
- driver:
- image: rndmh3ro/docker-oracle7-ansible:latest
- run_command: /sbin/init
- platform: centos
- provision_command:
- - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- - systemctl enable sshd.service
-- name: ubuntu1604-ansible-latest
- driver:
- image: rndmh3ro/docker-ubuntu1604-ansible:latest
- platform: ubuntu
- run_command: /sbin/init
- provision_command:
- - systemctl enable ssh.service
-- name: ubuntu1804-ansible-latest
- driver:
- image: rndmh3ro/docker-ubuntu1804-ansible:latest
- platform: ubuntu
- run_command: /sbin/init
- provision_command:
- - systemctl enable ssh.service
-- name: debian9-ansible-latest
- driver:
- image: rndmh3ro/docker-debian9-ansible:latest
- platform: debian
- run_command: /sbin/init
- provision_command:
- - apt install -y systemd-sysv
- - systemctl enable ssh.service
-- name: debian10-ansible-latest
- driver:
- image: rndmh3ro/docker-debian10-ansible:latest
- platform: debian
- run_command: /sbin/init
- provision_command:
- - apt install -y systemd-sysv
- - systemctl enable ssh.service
-- name: amazon-ansible-latest
- driver:
- image: rndmh3ro/docker-amazon-ansible:latest
- platform: centos
- run_command: /sbin/init
- provision_command:
- - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- - systemctl enable sshd.service
+ - name: centos6-ansible-latest
+ driver:
+ image: rndmh3ro/docker-centos6-ansible:latest
+ platform: centos
+ - name: centos7-ansible-latest
+ driver:
+ image: rndmh3ro/docker-centos7-ansible:latest
+ platform: centos
+ run_command: /sbin/init
+ provision_command:
+ - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+ - systemctl enable sshd.service
+ - name: oracle6-ansible-latest
+ driver:
+ image: rndmh3ro/docker-oracle6-ansible:latest
+ platform: centos
+ - name: oracle7-ansible-latest
+ driver:
+ image: rndmh3ro/docker-oracle7-ansible:latest
+ run_command: /sbin/init
+ platform: centos
+ provision_command:
+ - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+ - systemctl enable sshd.service
+ - name: ubuntu1604-ansible-latest
+ driver:
+ image: rndmh3ro/docker-ubuntu1604-ansible:latest
+ platform: ubuntu
+ run_command: /sbin/init
+ provision_command:
+ - systemctl enable ssh.service
+ - name: ubuntu1804-ansible-latest
+ driver:
+ image: rndmh3ro/docker-ubuntu1804-ansible:latest
+ platform: ubuntu
+ run_command: /sbin/init
+ provision_command:
+ - systemctl enable ssh.service
+ - name: debian9-ansible-latest
+ driver:
+ image: rndmh3ro/docker-debian9-ansible:latest
+ platform: debian
+ run_command: /sbin/init
+ provision_command:
+ - apt install -y systemd-sysv
+ - systemctl enable ssh.service
+ - name: debian10-ansible-latest
+ driver:
+ image: rndmh3ro/docker-debian10-ansible:latest
+ platform: debian
+ run_command: /sbin/init
+ provision_command:
+ - apt install -y systemd-sysv
+ - systemctl enable ssh.service
+ - name: amazon-ansible-latest
+ driver:
+ image: rndmh3ro/docker-amazon-ansible:latest
+ platform: centos
+ run_command: /sbin/init
+ provision_command:
+ - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+ - systemctl enable sshd.service
verifier:
name: inspec
sudo: true
inspec_tests:
- - ../nginx-baseline
- #- https://github.com/dev-sec/nginx-baseline
+ - https://github.com/dev-sec/nginx-baseline
controls:
- nginx-01
- nginx-02
@@ -113,4 +112,4 @@ verifier:
- nginx-17
suites:
-- name: nginx
+ - name: nginx
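Review bot: The new `inspec_tests` entry `- https://github.com/dev-sec/nginx-baseline` fetches the baseline from the remote's default branch with no tag or commit, so a verification run depends on whatever that repository serves at run time and an upstream change or compromise silently changes what this harness treats as a passing hardening result; the same unpinned URL form is already present in `.kitchen.vagrant.yml` (`@@ -60,4 +60,4 @@`). Pin the profile to a released version, e.g. `- name: nginx-baseline` / `git: https://github.com/dev-sec/nginx-baseline.git` / `tag: <pinned-release-tag>` (the git-source form with `branch:`/`tag:` keys, if I recall kitchen-inspec's source syntax correctly — verify against its README), and note the pinned version in the commit so bumps are deliberate. Separately, `galaxy_ignore_certs: true` remains on the new side of this hunk's provisioner block; it disables TLS verification for role downloads, and with `requirements.yml` listing both roles without a `version:`, neither input to these test runs has an integrity check, so either justify it in a comment on that line or drop it if the galaxy endpoint validates cleanly.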
diff --git a/.travis.yml b/.travis.yml
index 08ec7f7..21b2326 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -42,17 +42,17 @@ env:
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
test_playbook: test.yml
-# - distro: amazon
-# init: /lib/systemd/systemd
-# version: latest
-# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-# test_playbook: test.yml
-#
-# - distro: fedora
-# init: /lib/systemd/systemd
-# version: latest
-# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-# test_playbook: test.yml
+ # - distro: amazon
+ # init: /lib/systemd/systemd
+ # version: latest
+ # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+ # test_playbook: test.yml
+ #
+ # - distro: fedora
+ # init: /lib/systemd/systemd
+ # version: latest
+ # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+ # test_playbook: test.yml
- distro: centos6
version: latest
@@ -89,19 +89,6 @@ env:
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
test_playbook: official-nginx-role-debian.yml
-# - distro: amazon
-# init: /lib/systemd/systemd
-# version: latest
-# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-# test_playbook: official-nginx-role-debian.yml
-#
-# - distro: fedora
-# init: /lib/systemd/systemd
-# version: latest
-# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-# test_playbook: official-nginx-role-debian.yml
-
-
before_install:
# Pull container
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
@@ -116,7 +103,7 @@ script:
# Install ansible galaxy requirements
- 'docker exec "$(cat ${container_id})" ansible-galaxy -c install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/'
-
+
# Test role
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/tests/"${test_playbook}" -vv'
diff --git a/handlers/main.yml b/handlers/main.yml
index 97c58cb..de047a8 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,3 +1,4 @@
+---
- name: restart nginx
service:
name: "nginx"
diff --git a/requirements.yml b/requirements.yml
index 0560ff5..01240a5 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,2 +1,3 @@
+---
- src: nginxinc.nginx
- src: geerlingguy.nginx
diff --git a/tasks/main.yml b/tasks/main.yml
index d7e0e82..857b4ff 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,7 +5,7 @@
mode: "o-rw"
owner: "root"
group: "root"
- recurse: yes
+ recurse: true
- name: create additional configuration
template:
@@ -33,10 +33,10 @@
- name: change ssl_prefer_server_ciphers in main nginx.conf
lineinfile:
- dest: "/etc/nginx/nginx.conf"
- regexp: '^\s*ssl_prefer_server_ciphers'
- line: " ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers }};"
- insertafter: "http {"
+ dest: "/etc/nginx/nginx.conf"
+ regexp: '^\s*ssl_prefer_server_ciphers'
+ line: " ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers }};"
+ insertafter: "http {"
notify: restart nginx
- name: change client_max_body_size in main nginx.conf
diff --git a/tests/official-nginx-role-debian.yml b/tests/official-nginx-role-debian.yml
index 2f95713..4705961 100644
--- a/tests/official-nginx-role-debian.yml
+++ b/tests/official-nginx-role-debian.yml
@@ -37,4 +37,4 @@
ignore_errors: true
roles:
- nginxinc.nginx
- - ansible-nginx-hardening
\ No newline at end of file
+ - ansible-nginx-hardening
diff --git a/tests/official-nginx-role-redhat.yml b/tests/official-nginx-role-redhat.yml
index 558d9fe..8f43b19 100644
--- a/tests/official-nginx-role-redhat.yml
+++ b/tests/official-nginx-role-redhat.yml
@@ -12,4 +12,4 @@
ignore_errors: true
roles:
- nginxinc.nginx
- - ansible-nginx-hardening
\ No newline at end of file
+ - ansible-nginx-hardening