diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..d83295a --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,129 @@ +--- +# .ansible-lint + +profile: production # min, basic, moderate,safety, shared, production + +# Allows dumping of results in SARIF format +# sarif_file: result.sarif + +# exclude_paths included in this file are parsed relative to this file's location +# and not relative to the CWD of execution. CLI arguments passed to the --exclude +# option are parsed relative to the CWD of execution. +exclude_paths: + - .github/ + - .ansible-lint +# parseable: true +# quiet: true +# strict: true +# verbosity: 1 + +# Mock modules or roles in order to pass ansible-playbook --syntax-check +#mock_modules: +# - zuul_return +# note the foo.bar is invalid as being neither a module or a collection +# - fake_namespace.fake_collection.fake_module +# - fake_namespace.fake_collection.fake_module.fake_submodule +#mock_roles: +# - mocked_role +# - author.role_name # old standalone galaxy role +# - fake_namespace.fake_collection.fake_role # role within a collection + +# Enable checking of loop variable prefixes in roles +loop_var_prefix: "^(__|{role}_)" + +# Enforce variable names to follow pattern below, in addition to Ansible own +# requirements, like avoiding python identifiers. To disable add `var-naming` +# to skip_list. +var_naming_pattern: "^[a-z_][a-z0-9_]*$" + +use_default_rules: true +# Load custom rules from this specific folder +# rulesdir: +# - ./rule/directory/ + +# Ansible-lint is able to recognize and load skip rules stored inside +# `.ansible-lint-ignore` (or `.config/ansible-lint-ignore.txt`) files. +# To skip a rule just enter filename and tag, like "playbook.yml package-latest" +# on a new line. +# Optionally you can add comments after the tag, prefixed by "#". We discourage +# the use of skip_list below because that will hide violations from the output. +# When putting ignores inside the ignore file, they are marked as ignored, but +# still visible, making it easier to address later. +skip_list: + - risky-shell-pipe +# - skip_this_tag + +# Ansible-lint does not automatically load rules that have the 'opt-in' tag. +# You must enable opt-in rules by listing each rule 'id' below. +enable_list: + - args + - empty-string-compare # opt-in + - no-log-password # opt-in + - no-same-owner # opt-in + - name[prefix] # opt-in + - galaxy-version-incorrect # opt-in + # add yaml here if you want to avoid ignoring yaml checks when yamllint + # library is missing. Normally its absence just skips using that rule. + - yaml +# Report only a subset of tags and fully ignore any others +# tags: +# - jinja[spacing] + +# Ansible-lint does not fail on warnings from the rules or tags listed below +#warn_list: +# - skip_this_tag +# - experimental # experimental is included in the implicit list +# - role-name +# - yaml[document-start] # you can also use sub-rule matches + +# Some rules can transform files to fix (or make it easier to fix) identified +# errors. `ansible-lint --fix` will reformat YAML files and run these transforms. +# By default it will run all transforms (effectively `write_list: ["all"]`). +# You can disable running transforms by setting `write_list: ["none"]`. +# Or only enable a subset of rule transforms by listing rules/tags here. +# write_list: +# - all + +# Offline mode disables installation of requirements.yml and schema refreshing +offline: true + + # Define required Ansible's variables to satisfy syntax check + #extra_vars: + # foo: bar + # multiline_string_variable: | + # line1 + # line2 + # complex_variable: ":{;\t$()" + + # Uncomment to enforce action validation with tasks, usually is not + # needed as Ansible syntax check also covers it. + # skip_action_validation: false + + # List of additional kind:pattern to be added at the top of the default + # match list, first match determines the file kind. + #kinds: + # - playbook: "**/examples/*.{yml,yaml}" + # - galaxy: "**/folder/galaxy.yml" + # - tasks: "**/tasks/*.yml" + # - vars: "**/vars/*.yml" +# - meta: "**/meta/main.yml" +# - yaml: "**/*.yaml-too" + +# List of additional collections to allow in only-builtins rule. +# only_builtins_allow_collections: +# - example_ns.example_collection + +# List of additions modules to allow in only-builtins rule. +# only_builtins_allow_modules: +# - example_module + +# Allow setting custom prefix for name[prefix] rule +#task_name_prefix: "{stem} | " +# Complexity related settings + +# Limit the depth of the nested blocks: +# max_block_depth: 20 + +# Also recognize these versions of Ansible as supported: +# supported_ansible_also: +# - "2.14" diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml new file mode 100644 index 0000000..4505a53 --- /dev/null +++ b/.github/workflows/pull-request.yml @@ -0,0 +1,12 @@ +--- +name: Pull request + +on: pull_request + +jobs: + ansible-lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Run ansible-lint + uses: ansible/ansible-lint@main diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..723ef36 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea \ No newline at end of file diff --git a/README.md b/README.md index 57d4d1d..343e427 100644 --- a/README.md +++ b/README.md @@ -155,6 +155,22 @@ Example Playbook roles: - { role: f500.nginx } +Linting +------- +Github actions will check this role with ansible-lint. To run this locally, you will need to follow the following steps: + +```bash +brew install ansible-lint +brew install yamllint +ansible-lint +``` + +to fix the linting errors, run: + +```bash +ansible-lint --fix +``` + License ------- diff --git a/defaults/main.yml b/defaults/main.yml index f012105..b4b8f57 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,35 +7,38 @@ nginx_worker_processes: "{{ ansible_processor_count }}" nginx_pid: "/var/run/nginx.pid" nginx_www_dir: "/var/www" -nginx_use_realpath_root: no -nginx_php_force_cgi_redirect: no -nginx_set_default_server: yes +nginx_use_realpath_root: false +nginx_php_force_cgi_redirect: false +nginx_set_default_server: true nginx_dhparam_bits: 4096 nginx_http_params_default: server_names_hash_bucket_size: 64 - server_tokens: off + server_tokens: false - sendfile: on - tcp_nopush: on - tcp_nodelay: on + sendfile: true + tcp_nopush: true + tcp_nodelay: true - gzip: on + gzip: true gzip_disable: "msie6" gzip_min_length: 256 - gzip_types: application/json application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/xml application/xml+rss font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/xml + gzip_types: > + application/json application/vnd.ms-fontobject application/x-font-ttf + application/x-javascript application/xml application/xml+rss font/opentype image/svg+xml + image/x-icon text/css text/javascript text/plain text/xml ssl_ciphers: "HIGH:!aNULL:!MD5" ssl_dhparam: "/etc/nginx/dh{{ nginx_dhparam_bits }}.pem" - ssl_prefer_server_ciphers: on + ssl_prefer_server_ciphers: true ssl_protocols: TLSv1.2 TLSv1.3 ssl_session_cache: shared:SSL:50m - ssl_session_tickets: off + ssl_session_tickets: false ssl_session_timeout: 1d - ssl_stapling: on - ssl_stapling_verify: on - resolver: "{{ ansible_dns.nameservers|join(' ') }} valid=300s" + ssl_stapling: true + ssl_stapling_verify: true + resolver: "{{ ansible_dns.nameservers | join(' ') }} valid=300s" nginx_http_headers_default: Content-Security-Policy: "default-src 'self'; form-action 'self'; frame-ancestors 'none'" @@ -47,5 +50,4 @@ nginx_http_headers_default: nginx_http_params: {} nginx_http_headers: {} - nginx_server_templates: [] diff --git a/handlers/main.yml b/handlers/main.yml index 06fe6d6..3ba7687 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,6 +1,5 @@ --- - - name: Restart nginx - service: + ansible.builtin.service: name: nginx state: restarted diff --git a/meta/main.yml b/meta/main.yml index 154dff8..396bdc0 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -2,15 +2,16 @@ galaxy_info: author: "Jasper N. Brouwer, Ramon de la Fuente" role_name: "nginx" + namespace: "f500" description: Install and start Nginx company: Future500 license: LGPL-3.0 min_ansible_version: "1.4" platforms: - - name: Debian - versions: - - bullseye - - bookworm + - name: Debian + versions: + - bullseye + - bookworm galaxy_tags: - web dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml index b4ad188..5792dff 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,75 +1,76 @@ --- - - name: Add the nginx.org trusted key ansible.builtin.get_url: url: "http://nginx.org/keys/nginx_signing.key" dest: /etc/apt/trusted.gpg.d/nginx.asc - mode: '0644' + mode: "0644" force: true - name: Add the nginx.org repository - apt_repository: + ansible.builtin.apt_repository: repo: "deb http://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - update_cache: no + update_cache: false - name: Add the nginx.org source repository - apt_repository: + ansible.builtin.apt_repository: repo: "deb-src http://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx" - update_cache: yes + update_cache: true - name: Install nginx - apt: + ansible.builtin.apt: name: nginx -- name: create www directory - file: +- name: Create www directory + ansible.builtin.file: path: "{{ nginx_www_dir }}" state: directory owner: "{{ nginx_user }}" group: "{{ nginx_group }}" - mode: 0755 + mode: "0755" - name: Create config directories - file: + ansible.builtin.file: path: "/etc/nginx/{{ item }}" state: directory owner: root group: root - mode: 0755 + mode: "0755" with_items: - conf.d - sites-available - sites-enabled - name: Copy dhparam file - copy: - src: ffdhe4096.pem - dest: /etc/nginx/dh{{ nginx_dhparam_bits }}.pem - owner: root - group: root - mode: 0644 + ansible.builtin.copy: + src: ffdhe4096.pem + dest: /etc/nginx/dh{{ nginx_dhparam_bits }}.pem + owner: root + group: root + mode: "0644" notify: Restart nginx - name: Write nginx.conf - template: + ansible.builtin.template: src: nginx.conf.j2 dest: /etc/nginx/nginx.conf owner: root group: root - mode: 0644 + mode: "0644" notify: Restart nginx - name: Write fastcgi_params - template: + ansible.builtin.template: src: fastcgi_params.j2 dest: /etc/nginx/fastcgi_params owner: root group: root - mode: 0644 + mode: "0644" notify: Restart nginx - name: Remove dist servers - file: "dest=/etc/nginx/{{ item }} state=absent" + ansible.builtin.file: + dest: "/etc/nginx/{{ item }}" + state: absent with_items: - conf.d/default.conf - conf.d/default @@ -78,7 +79,9 @@ notify: Restart nginx - name: Remove default server - file: "dest=/etc/nginx/{{ item }} state=absent" + ansible.builtin.file: + dest: "/etc/nginx/{{ item }}" + state: absent with_items: - sites-available/default.conf - sites-enabled/default.conf @@ -86,17 +89,17 @@ notify: Restart nginx - name: Write default server - copy: + ansible.builtin.copy: src: default.conf dest: /etc/nginx/sites-available/default.conf owner: root group: root - mode: 0644 + mode: "0644" when: nginx_set_default_server | bool notify: Restart nginx - name: Activate default server - file: + ansible.builtin.file: src: /etc/nginx/sites-available/default.conf dest: /etc/nginx/sites-enabled/default.conf state: link @@ -104,17 +107,17 @@ notify: Restart nginx - name: Write other servers - template: + ansible.builtin.template: src: "{{ item.src }}" dest: "/etc/nginx/sites-available/{{ item.name }}.conf" owner: root group: root - mode: 0644 + mode: "0644" with_items: "{{ nginx_server_templates }}" notify: Restart nginx - name: Activate other servers - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/{{ item.name }}.conf" dest: "/etc/nginx/sites-enabled/{{ item.name }}.conf" state: link