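---
# Provisions a single Nginx host that serves a static "Hello World" page over
# TLS with a self-signed certificate, then verifies the result.
#
# Handlers double as tests: each task notifies the handler(s) that check its
# outcome, and force_handlers makes them run even when a later task fails.
# The `command` tasks below always report "changed" (unless skipped by
# `creates`), which is what triggers their notified handlers - do not add
# changed_when to them.
- name: Setup secure Nginx webserver (hosting Hello World page)
  hosts: all
  force_handlers: true  # Force Tests to be Run
  vars:
    doc_root: /usr/share/nginx/html
    nginx_root: /etc/nginx
    # Address the verification handlers connect to; quoted so it stays a string.
    private_ip: "192.168.50.4"
    # The certificate is self-signed, so the HTTPS uri check cannot validate it.
    validate_self_cert: false
  tasks:
    - name: Run 'apt-get update'
      apt:
        update_cache: true

    - name: Install Nginx
      apt:
        name: nginx
        state: latest  # NOTE: upgrades nginx on any run where a newer package exists

    ########################
    # - CREATE Resources - #
    ########################
    - name: Create Nginx Backup Directory
      file:
        path: "{{ nginx_root }}/backup"
        state: directory
      notify: TEST ~ Verify Nginx Backup Dir Creation

    - name: Create Document Backup Directory
      file:
        path: "{{ doc_root }}/backup"
        state: directory
      notify: TEST ~ Verify Document Backup Dir Creation

    - name: Create Nginx Directory for TLS/SSL Cert & Key Files
      file:
        path: "{{ nginx_root }}/ssl"
        state: directory
      notify: TEST ~ Verify Nginx SSL Dir Creation

    # NOTE - Self-cert creation command modified from original source: https://serialized.net/2013/04/simply-generating-self-signed-ssl-certs-with-ansible/
    # `creates` makes the task idempotent: the cert/key pair is generated only
    # once, so the two file-creation handlers fire only on the run that made it.
    - name: Generate a Self Signed OpenSSL certificate & key
      command: >-
        openssl req -new -nodes -x509
        -subj "/C=US/ST=Pennsylvania/L=Philadelphia/O=IT/CN={{ private_ip }}"
        -days 3650
        -keyout {{ nginx_root }}/ssl/sre.key
        -out {{ nginx_root }}/ssl/sre.crt
        -extensions v3_ca
      args:
        creates: "{{ nginx_root }}/ssl/sre.crt"
      notify:
        - TEST ~ SSL Key File Creation
        - TEST ~ SSL Cert File Creation

    # -nodes writes the private key unencrypted, so keep it readable by root
    # only (the nginx master process runs as root and is the only reader).
    - name: Restrict permissions on the TLS private key
      file:
        path: "{{ nginx_root }}/ssl/sre.key"
        owner: root
        group: root
        mode: "0600"

    ####################
    # - BACKUP Items - #
    ####################
    # `creates` keeps the backups idempotent: on a re-run the original has
    # already been moved aside (and replaced by the custom file below), so a
    # bare mv would overwrite the backup with the custom copy.
    - name: Backup Original Nginx Conf
      command: "mv {{ nginx_root }}/nginx.conf {{ nginx_root }}/backup/nginx.conf"
      args:
        creates: "{{ nginx_root }}/backup/nginx.conf"

    - name: Backup Original index.html
      command: "mv {{ doc_root }}/index.html {{ doc_root }}/backup/index.html"
      args:
        creates: "{{ doc_root }}/backup/index.html"

    ################################
    # - INSTALL Custom Resources - #
    ################################
    - name: Install Custom index.html
      copy:
        src: index.html
        dest: "{{ doc_root }}/index.html"

    - name: Install Custom (TLS/SSL modified) Nginx Config File
      template:
        src: nginx.conf
        dest: "{{ nginx_root }}/nginx.conf"
        validate: "nginx -t -c %s"  # TEST - Validate Nginx Config

    ################################
    # - CONFIGURE Nginx Firewall - #
    ################################
    # NOTE(review): the "Nginx Full" profile opens ports 80 and 443 together;
    # port 80 must stay reachable for the HTTP->HTTPS redirect handler below.
    # Nothing in this play enables ufw itself (state: enabled), so if the
    # firewall is inactive these rules are recorded but not enforced - confirm
    # on the target host.
    - name: Allow HTTPS Traffic
      ufw:
        rule: allow
        name: Nginx Full

    # NOTE(review): no "Nginx HTTP" rule is added above, so this delete is
    # presumably a no-op on a fresh host; it does not close port 80, which the
    # "Nginx Full" rule keeps open.
    - name: Delete Nginx HTTP Rule
      ufw:
        rule: allow
        name: Nginx HTTP
        delete: true

    #######################################
    # - RESTART Nginx & RUN Final Tests - #
    #######################################
    - name: Restart Nginx
      service:
        name: nginx
        state: restarted

    # Always reports "changed" (command module), which notifies the four final
    # test handlers on every run.
    - name: Check Server Status
      command: service nginx status
      register: nginx_status
      notify:
        - TEST ~ Ensure Nginx is running
        - TEST ~ Ensure HTTP redirects to HTTPS
        - TEST ~ Ensure Port 443 is open
        - TEST ~ Check loading site via HTTPS

    - name: Report Nginx Status in Console
      debug:
        var: nginx_status

  #############
  # - TESTS - #
  #############
  handlers:
    # TEST FOR: Create Nginx Backup Directory
    - name: TEST ~ Verify Nginx Backup Dir Creation
      wait_for:
        path: "{{ nginx_root }}/backup"
        state: present
        timeout: 1

    # TEST FOR: Create Document Backup Directory
    - name: TEST ~ Verify Document Backup Dir Creation
      wait_for:
        path: "{{ doc_root }}/backup"
        state: present
        timeout: 1

    # TEST FOR: Create Nginx Directory for TLS/SSL Cert & Key Files
    - name: TEST ~ Verify Nginx SSL Dir Creation
      wait_for:
        path: "{{ nginx_root }}/ssl"
        state: present
        timeout: 1

    # TEST FOR: Generate a Self Signed OpenSSL certificate & key
    - name: TEST ~ SSL Key File Creation
      wait_for:
        path: "{{ nginx_root }}/ssl/sre.key"
        state: present
        timeout: 1

    # TEST FOR: Generate a Self Signed OpenSSL certificate & key
    - name: TEST ~ SSL Cert File Creation
      wait_for:
        path: "{{ nginx_root }}/ssl/sre.crt"
        state: present
        timeout: 1

    # TEST FOR: Check Server Status
    # NOTE(review): compares against sysvinit-style `service nginx status`
    # output; on systemd hosts the text differs - confirm against the target
    # distribution.
    - name: TEST ~ Ensure Nginx is running
      assert:
        that: "nginx_status.stdout == ' * nginx is running'"

    # TEST FOR: Restart Nginx
    # Do not follow the redirect: a 200 obtained after following it would also
    # pass on a server that serves plain HTTP, so require the redirect itself.
    - name: TEST ~ Ensure HTTP redirects to HTTPS
      uri:
        url: "http://{{ private_ip }}"
        method: GET
        follow_redirects: none
        status_code: [301, 302, 307, 308]
      register: http_redirect_result

    # TEST FOR: Restart Nginx
    - name: TEST ~ Ensure Port 443 is open
      wait_for:
        host: "{{ private_ip }}"
        port: 443
        state: started
        timeout: 5

    # TEST FOR: Restart Nginx
    - name: TEST ~ Check loading site via HTTPS
      uri:
        url: "https://{{ private_ip }}"
        method: GET
        status_code: 200
        validate_certs: "{{ validate_self_cert }}"  # Added due to Cert being self-signed
      register: https_site_result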