Merge pull request #5 from bdebyl/ansible_fixes

Ansible fixes

ansible/roles/common/tasks/security.yml

@@ -5,7 +5,7 @@
     path: /etc/ssh/sshd_config
     regexp: "{{ item.re }}"
     line: "{{ item.li }}"
-  with_items:
+  loop:
     - {re: '^[# ]*PasswordAuthentication ', li: 'PasswordAuthentication no'}
     - {re: '^[# ]*PermitEmptyPasswords ', li: 'PermitEmptyPasswords no'}
     - {re: '^[# ]*PermitRootLogin ', li: 'PermitRootLogin no'}
@@ -18,7 +18,7 @@
     src: files/fail2ban/jails/{{ item }}
     dest: /etc/fail2ban/jail.d/{{ item }}
     mode: 0644
-  with_items: "{{ fail2ban_jails }}"
+  loop: "{{ fail2ban_jails }}"
   notify: restart_fail2ban
   tags: security
 

ansible/roles/http/files/nginx/nginx.conf

@@ -3,7 +3,7 @@ worker_processes  1;
 
 load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
 
-error_log  /var/log/nginx/error.log info;
+error_log /var/log/nginx/error.log notice;
 
 events {
   worker_connections 1024;

ansible/roles/http/tasks/http.yml

@@ -14,7 +14,7 @@
     path: "/etc/nginx/{{ item }}"
     state: directory
     mode: 0644
-  with_items:
+  loop:
     - sites-enabled
     - sites-available
   tags: http
@@ -43,7 +43,7 @@
     src: "templates/nginx/sites/{{ item }}.j2"
     dest: "/etc/nginx/sites-available/{{ item }}"
     mode: 0644
-  with_items:
+  loop:
     - "{{ ci_server_name }}.http.conf"
   notify: restart_nginx
   tags: http
@@ -54,7 +54,7 @@
     src: "/etc/nginx/sites-available/{{ item }}"
     dest: "/etc/nginx/sites-enabled/{{ item }}"
     state: link
-  with_items:
+  loop:
     - "{{ ci_server_name }}.http.conf"
   notify: restart_nginx
   tags: http

ansible/roles/http/tasks/https.yml

@@ -5,7 +5,7 @@
     src: "templates/nginx/sites/{{ item }}.j2"
     dest: "/etc/nginx/sites-available/{{ item }}"
     mode: 0644
-  with_items:
+  loop:
     - "{{ ci_server_name }}.https.conf"
   notify: restart_nginx
   tags: https
@@ -16,7 +16,7 @@
     src: "/etc/nginx/sites-available/{{ item }}"
     dest: "/etc/nginx/sites-enabled/{{ item }}"
     state: link
-  with_items:
+  loop:
     - "{{ ci_server_name }}.https.conf"
   notify: restart_nginx
   tags: https

ansible/roles/http/tasks/modsec.yml

@@ -7,7 +7,7 @@
     owner: root
     group: root
     mode: 0644
-  with_items:
+  loop:
     - "{{ nginx_conf_path }}"
     - "{{ modsec_rules_path }}"
   tags: modsec
@@ -28,7 +28,7 @@
     dest: "{{ item.dest }}"
     update: false
     version: "{{ item.ver }}"
-  with_items: "{{ modsec_git_urls }}"
+  loop: "{{ modsec_git_urls }}"
   notify: restart_nginx
   tags: modsec
 
@@ -40,7 +40,7 @@
     state: link
     force: true
     mode: 0644
-  with_items: "{{ modsec_conf_links }}"
+  loop: "{{ modsec_conf_links }}"
   notify: restart_nginx
   tags: modsec
 
@@ -52,7 +52,7 @@
     state: "{{ item.enabled | ternary('link', 'absent') }}"
     force: true
     mode: 0644
-  with_items: "{{ crs_rule_links }}"
+  loop: "{{ crs_rule_links }}"
   notify: restart_nginx
   tags: modsec, modsec_rules
 
@@ -64,14 +64,14 @@
     state: link
     force: true
     mode: 0644
-  with_items: "{{ crs_data_links }}"
+  loop: "{{ crs_data_links }}"
   notify: restart_nginx
   tags: modsec, modsec_rules
 
 - name: whitelist local ip addresses
   become: true
   lineinfile:
-    path: "{{ nginx_path }}/modsecurity.conf"
+    path: "{{ modsec_crs_before_rule_conf }}"
     regexp: "{{ modsec_whitelist_local_re }}"
     line: "{{ modsec_whitelist_local }}"
     mode: 0644

ansible/roles/ssl/tasks/cron.yml

@@ -4,7 +4,7 @@
   cron:
     name: certbot_renew
     special_time: weekly
-    job: |
-      certbot renew --pre-hook "systemctl stop nginx" \
+    job: >-
+      certbot renew --pre-hook "systemctl stop nginx"
       --post-hook "systemctl start nginx"
   tags: cron