ansible lint additions, .yamllint.yml configuration
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: setup nginx base configuration
|
||||
become: true
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: files/nginx/nginx.conf
|
||||
dest: /etc/nginx/nginx.conf
|
||||
mode: 0644
|
||||
@@ -10,7 +10,7 @@
|
||||
|
||||
- name: setup nginx directories
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "/etc/nginx/{{ item }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
@@ -19,13 +19,14 @@
|
||||
- sites-available
|
||||
tags: http
|
||||
|
||||
- name: ensure http/s directories exist
|
||||
- name: ensure http and letsencrypt directories exist
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0644
|
||||
loop:
|
||||
- /srv/http
|
||||
- /srv/http/letsencrypt
|
||||
@@ -33,16 +34,17 @@
|
||||
|
||||
- name: chown http user home
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: /srv/http
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0644
|
||||
recurse: true
|
||||
tags: http
|
||||
|
||||
- name: template nginx http sites-available
|
||||
become: true
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "templates/nginx/sites/{{ item }}.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||
mode: 0644
|
||||
@@ -58,14 +60,14 @@
|
||||
|
||||
- name: remove pihole from sites-enabled if there
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "/etc/nginx/sites-enabled/pi.hole.conf"
|
||||
state: absent
|
||||
tags: http
|
||||
|
||||
- name: enable desired nginx http sites
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
src: "/etc/nginx/sites-available/{{ item }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||
state: link
|
||||
@@ -81,5 +83,6 @@
|
||||
|
||||
- name: validate nginx configurations
|
||||
become: true
|
||||
shell: nginx -t
|
||||
ansible.builtin.command: nginx -t
|
||||
changed_when: false
|
||||
tags: http
|
||||
|
||||
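Review bot: In the "ensure http and letsencrypt directories exist" task, `state: directory` is combined with `mode: 0644`, which leaves /srv/http and /srv/http/letsencrypt without the search (execute) bit, so even the `http` owner cannot traverse them. The "chown http user home" task in the following hunk repeats the mode with `recurse: true`, which would strip the same bit from every subdirectory under /srv/http. For the directory task I would use `mode: "0755"`, as the "setup nginx directories" task already does, and for the recursive task a symbolic mode such as `mode: "u=rwX,g=rX,o=rX"`, so directories stay traversable without making regular files executable. The tail of the first task lies outside its hunk, so anything set there is not visible here.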
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: template nginx https sites-available
|
||||
become: true
|
||||
template:
|
||||
ansible.builtin.template:
|
||||
src: "templates/nginx/sites/{{ item }}.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||
mode: 0644
|
||||
@@ -13,7 +13,7 @@
|
||||
|
||||
- name: enable desired nginx https sites
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
src: "/etc/nginx/sites-available/{{ item }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||
state: link
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: create nginx/conf directory
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: root
|
||||
@@ -14,7 +14,7 @@
|
||||
|
||||
- name: create modsec_includes.conf
|
||||
become: true
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: files/nginx/modsec_includes.conf
|
||||
dest: "{{ nginx_path }}/modsec_includes.conf"
|
||||
mode: 0644
|
||||
@@ -23,7 +23,7 @@
|
||||
|
||||
- name: clone coreruleset and modsecurity
|
||||
become: true
|
||||
git:
|
||||
ansible.builtin.git:
|
||||
repo: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
update: true
|
||||
@@ -35,7 +35,7 @@
|
||||
|
||||
- name: setup modsec and coreruleset configs
|
||||
become: true
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
force: true
|
||||
@@ -47,7 +47,7 @@
|
||||
|
||||
- name: setup coreruleset rules
|
||||
become: true
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "{{ crs_rules_path }}/{{ item.name }}.conf"
|
||||
dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
|
||||
force: true
|
||||
@@ -60,7 +60,7 @@
|
||||
|
||||
- name: setup coreruleset data
|
||||
become: true
|
||||
copy:
|
||||
ansible.builtin.copy:
|
||||
src: "{{ crs_rules_path }}/{{ item }}.data"
|
||||
dest: "{{ modsec_rules_path }}/{{ item }}.data"
|
||||
force: true
|
||||
@@ -72,7 +72,7 @@
|
||||
|
||||
- name: whitelist local ip addresses
|
||||
become: true
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
path: "{{ modsec_crs_before_rule_conf }}"
|
||||
regexp: "{{ modsec_whitelist_local_re }}"
|
||||
line: "{{ modsec_whitelist_local }}"
|
||||
@@ -82,9 +82,9 @@
|
||||
|
||||
- name: activate mod-security
|
||||
become: true
|
||||
lineinfile:
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/nginx/modsecurity.conf
|
||||
regexp: '^SecRuleEngine'
|
||||
line: 'SecRuleEngine On'
|
||||
regexp: "^SecRuleEngine"
|
||||
line: "SecRuleEngine On"
|
||||
notify: restart_nginx
|
||||
tags: modsec
|
||||
|
||||
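Review bot: The "clone coreruleset and modsecurity" task runs `ansible.builtin.git` under `become: true` with `update: true`, and no `version:` is visible in the hunk, so each playbook run may pull whatever the upstream default branch currently holds into the WAF rule set. If no revision is pinned further down (the task continues outside the hunk), I would add `version: "{{ item.version }}"`, where `item.version` is a new field in the loop data holding a release tag or commit hash; this also satisfies ansible-lint's `latest[git]` rule. Pinning turns a rule-set update into a reviewed change instead of a side effect of running the play.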
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: touch nginx logs, enable jail
|
||||
become: true
|
||||
file:
|
||||
ansible.builtin.file:
|
||||
path: "/var/log/nginx/{{ item }}.log"
|
||||
state: touch
|
||||
mode: 0644
|
||||
|
||||
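Review bot: The "touch nginx logs, enable jail" task sets `mode: 0644` on `/var/log/nginx/{{ item }}.log`, which makes the nginx logs world-readable even though they can hold client addresses and request URLs. Unless an unprivileged reader on the host needs them, `mode: "0640"` with an explicit `owner` and `group` would be tighter; the task continues outside the hunk, so ownership may already be set there. Separately, `state: touch` reports changed on every run, and adding `access_time: preserve` and `modification_time: preserve` would keep the task idempotent.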