Kapisi/roles/WebServer/tasks/main.yml

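---
# WebServer role: install nginx + ModSecurity + PHP, lay down configuration,
# and restart the services when one of the registered config copies changed.

- name: Install components
  become: true
  # Handing the whole list to `name` lets the package manager resolve all
  # packages in one transaction instead of one module call per loop item.
  package:
    name:
      - nginx
      - libmodsecurity
      - nginx-mod-modsecurity
      - php
      - php-fpm
    state: present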
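- name: Config directories
  become: true
  # Configuration directories are root-owned and only group-readable by the
  # web-server user, so a compromised worker running as http cannot create or
  # rewrite files that the (root) nginx master will load. The ModSecurity
  # log/tmp/data/upload directories presumably have to be written by the
  # worker at runtime and therefore keep http ownership.
  # NOTE(review): the webroot keeps its original http ownership; confirm
  # whether the application really needs to write to its own tree before
  # tightening it further.
  file:
    path: "{{ item.path }}"
    state: directory
    owner: "{{ item.owner }}"
    group: http
    mode: "0750"
  loop:
    - { path: /usr/share/webapps/aninix, owner: http }
    - { path: /etc/nginx/conf, owner: root }
    - { path: /etc/nginx/conf.d, owner: root }
    - { path: /etc/modsecurity, owner: root }
    - { path: /var/log/modsec, owner: http }
    - { path: /var/log/modsec/tmp, owner: http }
    - { path: /var/log/modsec/data, owner: http }
    - { path: /var/log/modsec/audit, owner: http }
    - { path: /var/log/modsec/uploads, owner: http }
  loop_control:
    label: "{{ item.path }}"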
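- name: Copy PHP config
  become: true
  copy:
    src: php.ini
    dest: /etc/php/php.ini
    owner: root
    group: root
    # An ini file never needs the execute bit: 0644 keeps it readable by
    # non-root readers (e.g. the php-fpm pool user) without being executable.
    mode: "0644"
  # Registered so the restart task at the end of this file can react to a
  # php.ini change (it checks the variable with `is defined` first).
  register: phpconf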
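- name: Copy conf.d
  become: true
  copy:
    src: "conf.d/{{ inventory_hostname }}/"
    dest: /etc/nginx/conf.d/
    # Root-owned and group-readable: the nginx master process (normally root)
    # reads the configuration, and the http user must not be able to rewrite
    # files that process executes.
    # NOTE(review): previously http:http 0660 / 0770 -- confirm that nothing
    # running as http writes into conf.d before rolling this out.
    owner: root
    group: http
    mode: "0640"
    directory_mode: "0750"
    follow: true
  register: confd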
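- name: Copy conf
  become: true
  copy:
    src: conf/
    dest: /etc/nginx/conf/
    # Root-owned and group-readable for the same reason as conf.d: config that
    # the root nginx master loads must not be writable by the worker user.
    # NOTE(review): previously http:http 0660 -- confirm that nothing running
    # as http writes into /etc/nginx/conf before rolling this out.
    owner: root
    group: http
    mode: "0640"
    # Directories created by the recursive copy would otherwise get the umask
    # default; keep them in line with the file mode above.
    directory_mode: "0750"
    follow: true
  register: conf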
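# Renamed from "Copy conf", which this file used for three different tasks;
# unique names keep logs and `--start-at-task` unambiguous.
- name: Copy web applications
  become: true
  copy:
    src: apps/
    dest: /usr/share/webapps/aninix
    # NOTE(review): the webroot stays writable by the http user (0660), so a
    # compromised PHP worker could persist code in the application tree.
    # If the application does not write to its own files, root:http 0640 is
    # the safer choice -- left unchanged here until that is confirmed.
    owner: http
    group: http
    mode: "0660"
    follow: true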
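- name: Nginx pidfile
  become: true
  # `state: file` only adjusts an existing file and fails when it is absent
  # (e.g. before nginx has ever been started on this host); ignore_errors
  # keeps the play going in that case, but note it also hides genuine
  # permission errors on /run/nginx.pid.
  ignore_errors: true
  file:
    path: /run/nginx.pid
    state: file
    owner: http
    group: http
    mode: "0640"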
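- name: Nginx log folder
  become: true
  file:
    path: /var/log/nginx
    state: directory
    owner: http
    group: http
    # Octal modes are quoted so YAML does not parse them as integers.
    mode: "0750"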
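- name: Populate security config
  become: true
  template:
    src: conf/sec.conf.j2
    dest: /etc/nginx/conf/sec.conf
    # Security-relevant nginx config is root-owned and only group-readable so
    # the worker user cannot weaken it; the root nginx master reads it.
    # NOTE(review): previously http:http 0660 -- confirm nothing running as
    # http needs write access to sec.conf.
    owner: root
    group: http
    mode: "0640"
  register: secconf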
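- name: Clone OWASP-CRS
  become: true
  # Best effort: a clone failure (e.g. no network access) does not abort the
  # play. If modsec.conf references this rule set, the validate step of the
  # next task then runs against a stale or missing checkout.
  ignore_errors: true
  git:
    repo: https://github.com/coreruleset/coreruleset.git
    dest: /usr/share/owasp-modsecurity-crs
    # TODO(review): no `version:` is set, so every run tracks the remote
    # default branch head and `force: true` discards local edits. Pin to a
    # release tag or commit so rule-set changes are reviewed before deployment.
    update: true
    force: true
    single_branch: true
    umask: "0022"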
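- name: Modsecurity config
  become: true
  register: modsecconf
  copy:
    dest: /etc/modsecurity/main.conf
    src: modsec.conf
    # Rule config is loaded by nginx (root master) at configuration time; it
    # needs to be readable by the http group but not writable or executable
    # by it. NOTE(review): previously http:http 0750 -- confirm nothing
    # running as http writes to main.conf.
    owner: root
    group: http
    mode: "0640"
    # The new file is only installed if the rule checker accepts it; %s is
    # replaced by the temporary upload path.
    validate: /usr/bin/modsec-rules-check %s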
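- name: Modsecurity logrotate
  become: true
  copy:
    dest: /etc/logrotate.d/modsecurity
    src: logrotate.modsec.conf
    owner: root
    group: root
    mode: "0644"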
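# Renamed from "Copy conf" (used by several tasks in this file) so the
# task is identifiable in logs and with `--start-at-task`.
- name: Copy nginx.conf
  become: true
  copy:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
    # The main nginx config is executed by the root master process; keep it
    # root-owned and only group-readable by the worker user.
    # NOTE(review): previously http:http 0660 -- confirm nothing running as
    # http needs to modify nginx.conf.
    owner: root
    group: http
    mode: "0640"
    follow: true
    # validate: nginx -t -p /etc/nginx -c %s  # Commented due to base pathing issues
  register: baseconf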
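- name: Ensure service is started
  become: true
  # Restart only when one of the registered config copies changed. The five
  # named variables come from unconditional tasks and are always defined; the
  # php.ini copy is checked with `is defined` so this task also works if that
  # task is not registered. (A `notify`/handler pair would be the idiomatic
  # Ansible form for this.)
  when: >-
    conf.changed or confd.changed or secconf.changed or baseconf.changed
    or modsecconf.changed or (phpconf is defined and phpconf.changed)
  service:
    name: "{{ item }}"
    enabled: true
    state: restarted
  loop:
    - php-fpm
    - nginx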