From 5757936ab0984313f3bce4df0cb72efafdccc1e1 Mon Sep 17 00:00:00 2001 From: Felix Paetow Date: Sun, 12 Jul 2020 17:18:28 +0200 Subject: [PATCH] Add default for nginx.conf file permission The dev-sec.nginx-hardening role adapts the file permission mode for /etc/nginx with: mode: o-rw To have not everytime a changed state, the mode should be configurable in this role as well. --- README.md | 5 +++++ defaults/main.yml | 2 ++ tasks/main.yml | 2 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e285571..11b2366 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,11 @@ See the template in `templates/nginx.conf.j2` for more details on the placement. Configures Nginx's [`log_format`](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format). options. + nginx_conf_file_permission: "0644" + +Set the `nginx.conf` file permission mode. + + nginx_default_release: "" (For Debian/Ubuntu only) Allows you to set a different repository for the installation of Nginx. As an example, if you are running Debian's wheezy release, and want to get a newer version of Nginx, you can install the `wheezy-backports` repository and set that value here, and Ansible will use that as the `-t` option while installing Nginx. diff --git a/defaults/main.yml b/defaults/main.yml index 0509dbe..b73deba 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -18,6 +18,8 @@ nginx_service_enabled: true nginx_conf_template: "nginx.conf.j2" nginx_vhost_template: "vhost.j2" +nginx_conf_file_permission: "0644" + nginx_worker_processes: >- "{{ ansible_processor_vcpus | default(ansible_processor_count) }}" nginx_worker_connections: "1024" diff --git a/tasks/main.yml b/tasks/main.yml index bfb5fe4..3782e33 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -37,7 +37,7 @@ dest: "{{ nginx_conf_file_path }}" owner: root group: "{{ root_group }}" - mode: 0644 + mode: "{{ nginx_conf_file_permission }}" notify: - reload nginx