Add travis builds for official nginx role (dev-sec#21)

* test official nginx role with travis

Signed-off-by: szEvEz <szivos.john@gmail.com>

* split up test playbook for different distros due to required vars

Signed-off-by: szEvEz <szivos.john@gmail.com>

* make debian distros use the debian playbook

Signed-off-by: szEvEz <szivos.john@gmail.com>

* update README

Signed-off-by: szEvEz <szivos.john@gmail.com>

.travis.yml

@@ -5,68 +5,112 @@ env:
   - distro: centos6
     version: latest
     init: /sbin/init
-
+    test_playbook: test.yml
+
   - distro: centos7
     init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     version: latest
+    test_playbook: test.yml
 
   - distro: oracle6
     version: latest
     init: /sbin/init
+    test_playbook: test.yml
+
+  - distro: ubuntu1404
+    version: latest
+    init: /sbin/init
+    test_playbook: test.yml
+
+  - distro: ubuntu1604
+    version: latest
+    init: /lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    test_playbook: test.yml
+
+  - distro: ubuntu1804
+    version: latest
+    init: /lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    test_playbook: test.yml
+
+  - distro: debian8
+    version: latest
+    init: /sbin/init
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    test_playbook: test.yml
+
+  - distro: debian9
+    version: latest
+    init: /lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    test_playbook: test.yml
 
-#  - distro: oracle7
-#    init: /usr/lib/systemd/systemd
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-#    version: latest
+  - distro: centos6
+    version: latest
+    init: /sbin/init
+    test_playbook: official-nginx-role-redhat.yml
+
+  - distro: centos7
+    init: /lib/systemd/systemd
+    container_id: $(mktemp)
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    version: latest
+    test_playbook: official-nginx-role-redhat.yml
+
+  - distro: oracle6
+    version: latest
+    init: /sbin/init
+    test_playbook: official-nginx-role-redhat.yml
 
   - distro: ubuntu1404
     version: latest
     init: /sbin/init
+    test_playbook: official-nginx-role-debian.yml
 
   - distro: ubuntu1604
     version: latest
     init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    test_playbook: official-nginx-role-debian.yml
 
   - distro: ubuntu1804
     version: latest
     init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    test_playbook: official-nginx-role-debian.yml
 
   - distro: debian8
     version: latest
     init: /sbin/init
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    test_playbook: official-nginx-role-debian.yml
 
   - distro: debian9
     version: latest
     init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    test_playbook: official-nginx-role-debian.yml
 
-#  - distro: amazon
-#    init: /lib/systemd/systemd
-#    version: latest
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 before_install:
   # Pull container
   - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
 
 script:
   - container_id=$(mktemp)
-  # Run container in detached state.
+  # Run container in detached state
   - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-nginx-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
   # Install ansible galaxy requirements
   - 'docker exec "$(cat ${container_id})" ansible-galaxy -c install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/'
-
-  # Test role.
-  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/tests/test.yml -vv'
+  
+  # Test role
+  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/tests/"${test_playbook}" -vv'
 
   # Verify role
-  #- 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id}) --controls=nginx-01 nginx-02 nginx-03 nginx-04 nginx-05 nginx-06 nginx-07 nginx-08 nginx-09 nginx-10 nginx-12 nginx-13 nginx-14 nginx-15 nginx-17 --no-distinct-exit'
   - 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id}) --controls=nginx-01 nginx-02 nginx-03 nginx-05 nginx-06 nginx-07 nginx-08 nginx-09 nginx-10 nginx-12 nginx-13 nginx-15 nginx-17 --no-distinct-exit'
 
 notifications:
-  webhooks: https://galaxy.ansible.com/api/v1/notifications/
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

README.md

@@ -10,6 +10,7 @@ This role provides secure nginx configuration. It is intended to be compliant wi
 
 It works with the following nginx-roles, including, but not limited to:
 * [geerlingguy.nginx](https://galaxy.ansible.com/geerlingguy/nginx/)
+* [nginxinc.nginx](https://galaxy.ansible.com/nginxinc/nginx)
 * [jdauphant.nginx](https://galaxy.ansible.com/jdauphant/nginx/)
 * [franklinkim.nginx](https://galaxy.ansible.com/franklinkim/nginx/)
 

tests/official-nginx-role-debian.yml

@@ -0,0 +1,40 @@
+---
+- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
+  hosts: localhost
+  vars:
+    - nginx_main_template_enable: true
+    - nginx_main_template:
+        template_file: nginx.conf.j2
+        conf_file_name: nginx.conf
+        conf_file_location: /etc/nginx/
+        user: www-data
+        worker_processes: auto
+        error_level: warn
+        worker_connections: 1024
+        http_enable: true
+        http_settings:
+          keepalive_timeout: 65
+          cache: false
+          rate_limit: false
+          keyval: false
+        stream_enable: false
+        http_global_autoindex: false
+  pre_tasks:
+    - apt_repository:
+        repo: "deb http://ftp.debian.org/debian jessie-backports main"
+        state: present
+      when: ansible_distribution == 'Debian' and ansible_distribution_major_version == '8'
+    - set_fact:
+        nginx_default_release: "jessie-backports"
+      when: ansible_distribution == 'Debian' and ansible_distribution_major_version == '8'
+    - package: name="{{item}}" state=installed
+      with_items:
+        - "systemd"
+      ignore_errors: true
+    - apt: name="{{item}}" state=installed update_cache=true
+      with_items:
+        - "systemd"
+      ignore_errors: true
+  roles:
+    - nginxinc.nginx
+    - ansible-nginx-hardening

tests/official-nginx-role-redhat.yml

@@ -0,0 +1,15 @@
+---
+- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
+  hosts: localhost
+  pre_tasks:
+    - package: name="{{item}}" state=installed
+      with_items:
+        - "systemd"
+      ignore_errors: true
+    - apt: name="{{item}}" state=installed update_cache=true
+      with_items:
+        - "systemd"
+      ignore_errors: true
+  roles:
+    - nginxinc.nginx
+    - ansible-nginx-hardening