---
 - name: Install components
   # Web stack for this host: nginx with the ModSecurity connector module,
   # plus PHP and PHP-FPM. `state: present` only guarantees the packages
   # exist; it does not pin versions, so upgrades follow the distro's
   # normal package flow.
   become: true
   package:
     name: "{{ item }}"
     state: present
   loop:
     - nginx
     - libmodsecurity
     - nginx-mod-modsecurity
     - php
     - php-fpm

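 - name: Config directories (root-owned, readable by the web server)
   # nginx and ModSecurity only need to READ their configuration. Keeping
   # these directories root-owned means that a compromised process running
   # as `http` (the account the rest of this play uses for nginx and the
   # app) cannot rename or replace the vhost config or the WAF rules.
   # Previously every directory below was http:http, i.e. writable by that
   # same account.
   become: true
   file:
     path: "{{ item }}"
     state: directory
     owner: root
     group: http
     mode: "0750"
   loop:
     - /etc/nginx/conf
     - /etc/nginx/conf.d
     - /etc/modsecurity

 - name: Runtime directories (writable by the web server)
   # Directories that are written at runtime (ModSecurity audit/tmp/data/
   # uploads), served from (letsencrypt webroot) or hold the application,
   # so `http` owns them, as in the original. Mode is quoted: Ansible
   # documents that unquoted leading-zero modes can misparse in loops.
   # NOTE(review): /usr/share/webapps/aninix is kept http-writable because
   # it is not visible here whether the app writes into its own tree; if
   # it does not, root:http 0750 would stop a compromised PHP process from
   # dropping files there — verify.
   become: true
   file:
     path: "{{ item }}"
     state: directory
     owner: http
     group: http
     mode: "0750"
   loop:
     - /usr/share/webapps/aninix
     - /var/lib/letsencrypt
     - /var/log/modsec
     - /var/log/modsec/tmp
     - /var/log/modsec/data
     - /var/log/modsec/audit
     - /var/log/modsec/uploads
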
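 - name: Copy PHP config
   # php.ini is data, not a program: root-owned and world-readable is
   # enough (PHP-FPM runs as an unprivileged account and only reads it).
   # The previous 0755 set execute bits on a config file for no reason.
   # `phpconf` records whether the file changed, for any later task that
   # wants to restart php-fpm only when needed.
   become: true
   copy:
     src: php.ini
     dest: /etc/php/php.ini
     owner: root
     group: root
     mode: "0644"
   register: phpconf
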
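 - name: Copy conf.d
   # Per-host vhost configuration. Owned by root and group-readable by
   # `http`: the server reads it at start/reload and never needs to write
   # it. With the previous http:http 0660 / 0770, anything running as the
   # web-server account (an exploited worker or PHP-FPM pool) could edit
   # the vhost config — e.g. drop the ModSecurity include — and have that
   # survive the next restart. `confd` records whether anything changed.
   become: true
   copy:
     src: "conf.d/{{ inventory_hostname }}/"
     dest: /etc/nginx/conf.d/
     owner: root
     group: http
     mode: "0640"
     directory_mode: "0750"
     follow: true
   register: confd
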
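 - name: Copy conf
   # Shared nginx include files. Root-owned, group-readable by `http`: the
   # server only reads these, and http:http 0660 let the web-server
   # account rewrite them. Directories created by the copy get 0750 so the
   # files inside cannot be replaced by that account either.
   # NOTE(review): if `conf/` is the same directory the sec.conf template
   # below is rendered from, sec.conf.j2 is also copied here as a plain
   # file — harmless unless nginx globs this directory; verify.
   become: true
   copy:
     src: conf/
     dest: /etc/nginx/conf/
     owner: root
     group: http
     mode: "0640"
     directory_mode: "0750"
     follow: true
   register: conf
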
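 - name: Copy web application
   # Ships the application tree into the web root. This task was the third
   # one named "Copy conf", which made play output ambiguous; renamed to say
   # what it copies. Files stay http:http 0660 as before: PHP sources are
   # read by PHP-FPM and never executed directly, so no execute bit.
   # NOTE(review): a web root writable by the web-server account lets a
   # compromised PHP process modify its own code. If the app does not need
   # to write into this tree, root:http 0640 / 0750 is the tighter choice —
   # verify against the application.
   become: true
   copy:
     src: apps/
     dest: /usr/share/webapps/aninix
     owner: http
     group: http
     mode: "0660"
     follow: true
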
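 - name: Nginx pidfile
   # Pre-creates /run/nginx.pid owned by `http`. A bare `state: touch`
   # reports "changed" on every run; preserving the timestamps makes the
   # task idempotent while still creating the file when it is missing.
   # Errors are still ignored, as in the original (the reason is not
   # recorded here — presumably a running nginx already owns the file).
   become: true
   ignore_errors: true
   file:
     path: /run/nginx.pid
     state: touch
     owner: http
     group: http
     mode: "0640"
     modification_time: preserve
     access_time: preserve
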
 - name: Nginx log folder
   # Log directory for nginx. Owned by the web-server account so the
   # server can create its access/error logs here; not world-readable.
   become: true
   file:
     path: /var/log/nginx
     state: directory
     owner: http
     group: http
     mode: "0750"

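 - name: Populate security config
   # Renders the nginx security include from sec.conf.j2 (its contents are
   # not visible here). Root-owned, group-readable by `http`: the previous
   # http:http 0660 let the web-server account rewrite its own hardening
   # config. `secconf` records whether the rendered file changed.
   become: true
   template:
     src: conf/sec.conf.j2
     dest: /etc/nginx/conf/sec.conf
     owner: root
     group: http
     mode: "0640"
   register: secconf
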
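 - name: Clone OWASP-CRS
   # Pulls the OWASP Core Rule Set that ModSecurity loads. `version`
   # defaults to HEAD of the default branch, exactly as before, but can now
   # be pinned (e.g. to a release tag) through `owasp_crs_version` so the
   # WAF ruleset does not silently change between runs — fetching an
   # unpinned HEAD over the network is the main supply-chain exposure in
   # this play. `force` still discards local edits. Failures are still
   # ignored as in the original, so a failed clone leaves whatever rules
   # were already on disk; `crs` records whether the checkout changed.
   ignore_errors: true
   become: true
   git:
     repo: https://github.com/coreruleset/coreruleset.git
     dest: /usr/share/owasp-modsecurity-crs
     version: "{{ owasp_crs_version | default('HEAD') }}"
     update: true
     force: true
     single_branch: true
     umask: "0022"
   register: crs
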
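 - name: Modsecurity config
   # Main ModSecurity configuration. Root-owned, readable by `http`, no
   # execute bits: the previous http:http 0750 let the web-server account
   # rewrite (or neuter) its own WAF config. The validate hook still runs
   # the rules checker on the staged copy before it is moved into place.
   # `modsecconf` records whether the file changed.
   become: true
   register: modsecconf
   copy:
     src: modsec.conf
     dest: /etc/modsecurity/main.conf
     owner: root
     group: http
     mode: "0640"
     validate: /usr/bin/modsec-rules-check %s
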
 - name: Modsecurity logrotate
   # Rotation policy for the ModSecurity logs under /var/log/modsec.
   # Keep it root-owned and not group/world-writable — logrotate skips
   # config files that are.
   become: true
   copy:
     src: logrotate.modsec.conf
     dest: /etc/logrotate.d/modsecurity
     owner: root
     group: root
     mode: "0644"

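 - name: Copy nginx.conf
   # Top-level nginx configuration (renamed from the duplicate "Copy conf").
   # Root-owned and group-readable only: the server reads it, and nothing
   # running as `http` should be able to rewrite it. `validate` stays
   # disabled; the original dropped it for "base pathing issues" —
   # presumably relative `include` paths not resolving against the temp
   # file Ansible passes as %s — so a plain `nginx -t` against the
   # installed tree is the workable alternative. `baseconf` records
   # whether the file changed.
   become: true
   copy:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: root
     group: http
     mode: "0640"
     follow: true
     # validate: nginx -t -p /etc/nginx -c %s  # disabled: see note above
   register: baseconf
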
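 - name: Validate nginx configuration
   # Runs nginx's own config check against the installed tree before any
   # restart, so a broken config fails the play here instead of taking the
   # running server down. This stands in for the per-file `validate:` hook
   # that could not be used for nginx.conf. Read-only, hence never reported
   # as changed.
   become: true
   when: >-
     conf.changed or confd.changed or secconf.changed
     or baseconf.changed or modsecconf.changed
   command: nginx -t
   changed_when: false

 - name: Ensure service is started
   # Restart (and enable) php-fpm and nginx only when something they read
   # changed. Previously a php.ini change alone never restarted php-fpm
   # and a CRS update alone never restarted nginx. Results that other
   # tasks may or may not register are guarded with `is defined`, so the
   # condition still evaluates if those tasks are skipped or absent.
   become: true
   when: >-
     conf.changed or confd.changed or secconf.changed
     or baseconf.changed or modsecconf.changed
     or (phpconf is defined and phpconf.changed)
     or (crs is defined and crs.changed)
   service:
     name: "{{ item }}"
     enabled: true
     state: restarted
   loop:
     - php-fpm
     - nginx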