diff --git a/.travis.yml b/.travis.yml index a355aca..7966f94 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,14 +10,14 @@ install: # - pip install ansible - pip install yamllint - bundle -before_script: +before_script: script: - find . -name "*.yml" -exec yamllint {} \; - cd tests/content - inspec exec categories -after_success: -after_failure: -after_script: +after_success: +after_failure: +after_script: notifications: slack: secure: 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 diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..addf0aa --- /dev/null +++ b/.yamllint @@ -0,0 +1,7 @@ +extends: default + +rules: + # 80 chars should be enough, but don't fail if a line is longer + line-length: + max: 80 + level: warning diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..f2fbaf0 --- /dev/null +++ b/Vagrantfile @@ -0,0 +1,6 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.configure('2') do |config| + config.vm.box = 'geerlingguy/centos7' +end diff --git a/group_vars/forum.yml b/group_vars/forum.yml index becf732..1042942 100644 --- a/group_vars/forum.yml +++ b/group_vars/forum.yml 
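Review bot: `level: warning` on `line-length` makes yamllint exit 0 for over-long lines unless it is run with `--strict`, which matches the comment's intent, but the `.travis.yml` hunk in this same diff invokes it as `- find . -name "*.yml" -exec yamllint {} \;`, and `find -exec … \;` discards the command's exit status, so even error-level findings never fail the build and this config cannot gate CI. Changing that step to `- yamllint .` (or to `-exec yamllint {} +`, which does propagate a non-zero status) would make the rules here effective; the `*.yml` pattern also silently skips any `.yaml` files. A one-line comment above `rules:` noting that warnings are non-fatal unless `--strict` is passed would save the next reader from assuming the 80-column limit is enforced.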
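Review bot: `config.vm.box = 'geerlingguy/centos7'` is not pinned, so each `vagrant up` may fetch whichever version of the box is current on Vagrant Cloud and the test environment can drift without any change in this repository. Adding `config.vm.box_version = '<pinned version>'` next to it keeps the box reproducible and turns box upgrades into an explicit, reviewable commit. The file defines no provisioner, so presumably the Ansible run against this box is still to come; a short header comment stating how the box is meant to be used would help the next reader.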
@@ -8,21 +8,21 @@ ssh_server_enabled: true # sshd ssh_use_dns: false # sshd # true or value if compression is needed ssh_compression: false # sshd -# For which components (client and server) to generate the configuration for. +# For which components (client and server) to generate the configuration for. # Can be useful when running against a client without an SSH server. ssh_client_hardening: true # ssh ssh_server_hardening: true # sshd -# true if CBC for ciphers is required. -# This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. -# CBC is a weak alternative. +# true if CBC for ciphers is required. +# This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. +# CBC is a weak alternative. # Anything weaker should be avoided and is thus not available. ssh_client_cbc_required: false # ssh ssh_server_cbc_required: false # sshd -# true if weaker HMAC mechanisms are required. +# true if weaker HMAC mechanisms are required. # This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. ssh_client_weak_hmac: false # ssh ssh_server_weak_hmac: false # sshd -# true if weaker Key-Exchange (KEX) mechanisms are required. +# true if weaker Key-Exchange (KEX) mechanisms are required. # This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled. ssh_client_weak_kex: false # ssh ssh_server_weak_kex: false # sshd 
@@ -33,12 +33,12 @@ ssh_server_password_login: false # sshd ssh_server_ports: ['22'] # sshd # port to which ssh-client should connect ssh_client_port: '22' # ssh -# one or more ip addresses, to which ssh-server should listen to. +# one or more ip addresses, to which ssh-server should listen to. # Default is empty, but should be configured for security reasons! ssh_listen_to: ['0.0.0.0'] # sshd # Host keys to look for when starting sshd. ssh_host_key_files: [] # sshd -# Specifies the maximum number of authentication attempts permitted per connection. +# Specifies the maximum number of authentication attempts permitted per connection. # Once the number of failures reaches half this value, additional failures are logged. ssh_max_auth_retries: 2 ssh_client_alive_interval: 600 # sshd 
@@ -147,30 +147,30 @@ ssh_server_revoked_keys: [] cert_location: /etc/ssl/certs/ nginx_sites: http: - - listen 80 default + - listen 80 default - server_name community.egi.eu ## redirect http to https ## - return 301 https://$server_name$request_uri https: - - listen 443 - - listen [::]:443 - - ssl on - - ssl_certificate /etc/ssl/certs/server.crt - - ssl_certificate_key /etc/ssl/certs/server.key - - ssl_session_timeout 1d - - ssl_protocols TLSv1.2 - - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' - - ssl_prefer_server_ciphers on - - ssl_session_cache shared:SSL:10m - - add_header Strict-Transport-Security max-age=15768000 - - server_name community.egi.eu - - | - location / { - proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:; - proxy_set_header Host $http_host; proxy_http_version 1.1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } + - listen 443 + - listen [::]:443 + - ssl on + - ssl_certificate /etc/ssl/certs/server.crt + - ssl_certificate_key /etc/ssl/certs/server.key + - ssl_session_timeout 1d + - ssl_protocols TLSv1.2 + - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' + - ssl_prefer_server_ciphers on + - ssl_session_cache shared:SSL:10m + - add_header Strict-Transport-Security max-age=15768000 + - server_name community.egi.eu + - | + location / { + proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:; + proxy_set_header Host $http_host; proxy_http_version 1.1; + proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } # Discourse stuff #discourse_hostname: developer_emails: 'brucellino@gmail.com' diff --git a/tests/content/categories/files/categories.yml b/tests/content/categories/files/categories.yml index 937122b..1401074 100644 --- a/tests/content/categories/files/categories.yml +++ b/tests/content/categories/files/categories.yml @@ -1,9 +1,9 @@ --- -categories: -# These should also somehow reflect the hierarchy of the categories. +categories: + # These should also somehow reflect the hierarchy of the categories. - name: 'AAI' slug: 'aai' - name: 'EGI Operations' slug: 'egi-ops' - name: 'EGI Services' - slug: 'egi-services' \ No newline at end of file + slug: 'egi-services' diff --git a/tests/content/categories/inspec.yml b/tests/content/categories/inspec.yml index 64cc86d..bb33feb 100644 --- a/tests/content/categories/inspec.yml +++ b/tests/content/categories/inspec.yml @@ -4,7 +4,7 @@ title: Category profile for EGI community forum maintainer: EGI Operations copyright: EGI Operations copyright_email: bruce.becker@egi.eu -license: Apache-2.0 +license: Apache-2.0 summary: An Inspect profile for the discussion forum categories version: 0.1.0 supports: diff --git a/tests/content/files/server.yml b/tests/content/files/server.yml new file mode 100644 index 0000000..85f3063 --- /dev/null +++ b/tests/content/files/server.yml @@ -0,0 +1,2 @@ +--- +base_url: 'https://community.egi.eu'