From 354a862420590c8ae38bb539d8c4f27c81aa1c11 Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Fri, 2 Oct 2020 22:31:32 -0400 Subject: [PATCH 1/5] ansible_fixes Fixed cronjob formatting (multiline yaml) --- ansible/roles/ssl/tasks/cron.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/roles/ssl/tasks/cron.yml b/ansible/roles/ssl/tasks/cron.yml index 9ca7831..e67509c 100644 --- a/ansible/roles/ssl/tasks/cron.yml +++ b/ansible/roles/ssl/tasks/cron.yml @@ -4,7 +4,7 @@ cron: name: certbot_renew special_time: weekly - job: | - certbot renew --pre-hook "systemctl stop nginx" \ - --post-hook "systemctl start nginx" + job: >- + certbot renew --pre-hook "systemctl stop nginx" + --post-hook "systemctl start nginx" tags: cron From c89079b8105dfa50cb413f7f76d2f87c388d7f72 Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Fri, 2 Oct 2020 22:31:52 -0400 Subject: [PATCH 2/5] ansible_fixes Replaced 'with_items' with 'loop' --- ansible/roles/common/tasks/security.yml | 4 ++-- ansible/roles/http/tasks/http.yml | 6 +++--- ansible/roles/http/tasks/https.yml | 4 ++-- ansible/roles/http/tasks/modsec.yml | 10 +++++----- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/ansible/roles/common/tasks/security.yml b/ansible/roles/common/tasks/security.yml index 44e9a41..f27aa4a 100644 --- a/ansible/roles/common/tasks/security.yml +++ b/ansible/roles/common/tasks/security.yml @@ -5,7 +5,7 @@ path: /etc/ssh/sshd_config regexp: "{{ item.re }}" line: "{{ item.li }}" - with_items: + loop: - {re: '^[# ]*PasswordAuthentication ', li: 'PasswordAuthentication no'} - {re: '^[# ]*PermitEmptyPasswords ', li: 'PermitEmptyPasswords no'} - {re: '^[# ]*PermitRootLogin ', li: 'PermitRootLogin no'} @@ -18,7 +18,7 @@ src: files/fail2ban/jails/{{ item }} dest: /etc/fail2ban/jail.d/{{ item }} mode: 0644 - with_items: "{{ fail2ban_jails }}" + loop: "{{ fail2ban_jails }}" notify: restart_fail2ban tags: security 
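Review bot: The folded scalar fixes the cron line, but the renew job still stops nginx in the pre-hook, so every real renewal takes the site offline for the duration of the ACME exchange; if nginx can serve the challenge itself this is avoidable with `certbot renew --quiet --deploy-hook "systemctl reload nginx"` (the authenticator is configured outside this hunk, so this only applies if it is not `standalone`, which needs port 80 free). `--quiet` also matters because the job has no `user:`/`MAILTO` handling visible: it runs as root (the `cron` module default) and a failed renewal produces output nobody reads. A weekly `special_time` leaves only a handful of retries inside the 30-day renewal window; certbot's own guidance is a twice-daily schedule, which `--deploy-hook` makes harmless since the hook runs only when a certificate actually changes.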
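Review bot: The `lineinfile` edits of /etc/ssh/sshd_config carry no `validate:`; a bad substitution here leaves sshd unable to restart and locks every operator out, so add `validate: '/usr/sbin/sshd -t -f %s'` to the task (its head, and any `notify`, sit above this hunk). Note also that sshd honours the first occurrence of a directive, so on distributions whose sshd_config opens with `Include /etc/ssh/sshd_config.d/*.conf` a drop-in such as cloud-init's can re-enable password login regardless of these three lines; a follow-up task that writes the same settings to sshd_config.d with a low-sorting name, or an assertion on `sshd -T | grep -i passwordauthentication`, would make the hardening hold. Finally, `PermitRootLogin no` together with `PasswordAuthentication no` presumes a key is already installed for the Ansible user; if key deployment lives in another role, order it before this task.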
diff --git a/ansible/roles/http/tasks/http.yml b/ansible/roles/http/tasks/http.yml index 79f3ca6..fd8ca1e 100644 --- a/ansible/roles/http/tasks/http.yml +++ b/ansible/roles/http/tasks/http.yml @@ -14,7 +14,7 @@ path: "/etc/nginx/{{ item }}" state: directory mode: 0644 - with_items: + loop: - sites-enabled - sites-available tags: http @@ -43,7 +43,7 @@ src: "templates/nginx/sites/{{ item }}.j2" dest: "/etc/nginx/sites-available/{{ item }}" mode: 0644 - with_items: + loop: - "{{ ci_server_name }}.http.conf" notify: restart_nginx tags: http @@ -54,7 +54,7 @@ src: "/etc/nginx/sites-available/{{ item }}" dest: "/etc/nginx/sites-enabled/{{ item }}" state: link - with_items: + loop: - "{{ ci_server_name }}.http.conf" notify: restart_nginx tags: http diff --git a/ansible/roles/http/tasks/https.yml b/ansible/roles/http/tasks/https.yml index 567e44f..f6582c9 100644 --- a/ansible/roles/http/tasks/https.yml +++ b/ansible/roles/http/tasks/https.yml @@ -5,7 +5,7 @@ src: "templates/nginx/sites/{{ item }}.j2" dest: "/etc/nginx/sites-available/{{ item }}" mode: 0644 - with_items: + loop: - "{{ ci_server_name }}.https.conf" notify: restart_nginx tags: https @@ -16,7 +16,7 @@ src: "/etc/nginx/sites-available/{{ item }}" dest: "/etc/nginx/sites-enabled/{{ item }}" state: link - with_items: + loop: - "{{ ci_server_name }}.https.conf" notify: restart_nginx tags: https diff --git a/ansible/roles/http/tasks/modsec.yml b/ansible/roles/http/tasks/modsec.yml index 5827941..e13d9a0 100644 --- a/ansible/roles/http/tasks/modsec.yml +++ b/ansible/roles/http/tasks/modsec.yml @@ -7,7 +7,7 @@ owner: root group: root mode: 0644 - with_items: + loop: - "{{ nginx_conf_path }}" - "{{ modsec_rules_path }}" tags: modsec @@ -28,7 +28,7 @@ dest: "{{ item.dest }}" update: false version: "{{ item.ver }}" - with_items: "{{ modsec_git_urls }}" + loop: "{{ modsec_git_urls }}" notify: restart_nginx tags: modsec 
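Review bot: `mode: 0644` on a `state: directory` task (the `sites-enabled` / `sites-available` entries now fed through `loop`) creates directories without the execute bit, so only root can traverse them; nginx's master process reads its config as root, which is why this appears to work, but the mode is wrong and should be `mode: '0755'`. Quoting the mode also removes the octal-versus-integer ambiguity that yamllint and ansible-lint flag for an unquoted `0644`. The `file:` task's first lines are outside the hunk.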
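Review bot: In the `git:` task over `modsec_git_urls`, `update: false` means `version: "{{ item.ver }}"` is honoured only on the first clone; changing the pinned version later is silently ignored on hosts that already have the checkout, so rule updates or a rollback after a bad CRS release never land. If `item.ver` is a branch name rather than a tag or full commit SHA, the first clone also pulls whatever that branch points at on that day, which makes the WAF rule set an unverifiable supply-chain input. Pin to a tag or SHA and either set `update: true` (the checkout then stays at the pinned ref) or provide an explicit upgrade path; the contents of `modsec_git_urls` are not visible here, so confirm what `ver` holds.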
@@ -40,7 +40,7 @@ state: link force: true mode: 0644 - with_items: "{{ modsec_conf_links }}" + loop: "{{ modsec_conf_links }}" notify: restart_nginx tags: modsec @@ -52,7 +52,7 @@ state: "{{ item.enabled | ternary('link', 'absent') }}" force: true mode: 0644 - with_items: "{{ crs_rule_links }}" + loop: "{{ crs_rule_links }}" notify: restart_nginx tags: modsec, modsec_rules @@ -64,7 +64,7 @@ state: link force: true mode: 0644 - with_items: "{{ crs_data_links }}" + loop: "{{ crs_data_links }}" notify: restart_nginx tags: modsec, modsec_rules From deaea0b14d73558eaefd9065800392693f443d19 Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Fri, 2 Oct 2020 22:41:03 -0400 Subject: [PATCH 3/5] ansible_fixes Moved whitelisting to before_crs_rules --- ansible/roles/http/tasks/modsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/http/tasks/modsec.yml b/ansible/roles/http/tasks/modsec.yml index e13d9a0..aa62128 100644 --- a/ansible/roles/http/tasks/modsec.yml +++ b/ansible/roles/http/tasks/modsec.yml @@ -71,7 +71,7 @@ - name: whitelist local ip addresses become: true lineinfile: - path: "{{ nginx_path }}/modsecurity.conf" + path: "{{ modsec_crs_before_rule_conf }}" regexp: "{{ modsec_whitelist_local_re }}" line: "{{ modsec_whitelist_local }}" mode: 0644 From f72fb8a841f6e4d1bb302f1dc74bae5e4b9a8f59 Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Fri, 2 Oct 2020 22:43:38 -0400 Subject: [PATCH 4/5] ansible_fixes Changed error_log to notice from info (noisy) --- ansible/roles/http/files/nginx/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/http/files/nginx/nginx.conf b/ansible/roles/http/files/nginx/nginx.conf index e97d81f..e0984b4 100644 --- a/ansible/roles/http/files/nginx/nginx.conf +++ b/ansible/roles/http/files/nginx/nginx.conf 
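Review bot: Moving the local-IP whitelist into `{{ modsec_crs_before_rule_conf }}` is the right layer for a CRS exclusion, but the `crs_rule_links` task earlier in this file links rule files out of the git checkout, so if that path resolves into the checkout a later re-clone or `update` can revert the `lineinfile` edit; confirm it points at the copied/linked 900 exclusion file rather than the upstream working tree. What `modsec_whitelist_local` expands to is not visible, yet any exclusion keyed on `REMOTE_ADDR` is only safe when nginx sees client addresses directly — behind a proxy or load balancer every request carries the upstream's IP and the rule would switch the WAF off for all traffic. A comment above the task should state that assumption, e.g. `# Assumes clients reach nginx directly; REMOTE_ADDR-based exclusions are unsafe behind a proxy.`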
@@ -3,7 +3,7 @@ worker_processes 1; load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so; -error_log /var/log/nginx/error.log info; +error_log /var/log/nginx/error.log notice; events { worker_connections 1024; From f430fcc88d2f7d4c28405f5067860d2789b77b1c Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Fri, 2 Oct 2020 22:46:03 -0400 Subject: [PATCH 5/5] ansible_fixes Cleaned up nginx.conf indentation/alignment --- ansible/roles/http/files/nginx/nginx.conf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/ansible/roles/http/files/nginx/nginx.conf b/ansible/roles/http/files/nginx/nginx.conf index e0984b4..8076812 100644 --- a/ansible/roles/http/files/nginx/nginx.conf +++ b/ansible/roles/http/files/nginx/nginx.conf @@ -1,24 +1,24 @@ user http; -worker_processes 1; +worker_processes 1; load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so; -error_log /var/log/nginx/error.log notice; +error_log /var/log/nginx/error.log notice; events { - worker_connections 1024; + worker_connections 1024; } http { include mime.types; - default_type application/octet-stream; + default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; sendfile on; server_tokens off;
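Review bot: Lowering `error_log` from `info` to `notice` may silence ModSecurity's rule-match messages: the ModSecurity-nginx connector loaded on the `load_module` line above writes its detections to the nginx error log at info level, as far as I recall of the upstream connector (verify against the installed version), so after this change a blocked request could leave no trace in /var/log/nginx/error.log. Before keeping `notice`, confirm `SecAuditEngine` and `SecAuditLog` are enabled in the modsecurity configuration so detections still reach the audit log, and send one known-bad request to see where it is recorded. If the intent is only to cut nginx's own chatter, keep `info` here and let the audit log carry the WAF events.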