Update Ansible to 2.9.12 and explicitly set mode on relevant tasks (#309)

* Explicitly define `mode` in relevant tasks. * Explicitly define the `nginx` `apt_repository` filename in Debian based distros. * Building OpenSSL from source should now work properly in CentOS 8.
2020-08-28 10:30:23 +02:00 · 2020-08-28 10:30:23 +02:00 · bf2916fc55
commit bf2916fc55
parent 79ddc30a3a
30 changed files with 172 additions and 93 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -57,15 +57,17 @@ jobs:
    - name: "(CentOS) Install from Source"
      env:
        scenario: source_centos
-before_install: sudo apt-get -qq update
+before_install:
+  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+  - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+  - sudo apt-get update
+  - sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
 install:
-  - pip install ansible==2.9.11
-  - pip install molecule==3.0.6
-  - pip install docker==4.2.2
-  - pip install ansible-lint==4.2.0
+  - pip install ansible==2.9.12
+  - pip install ansible-lint==4.3.2
+  - pip install molecule==3.0.8
+  - pip install docker==4.3.1
 script:
-  - molecule --version
-  - ansible --version
  - travis_wait 50 molecule test -s $scenario
 notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,25 @@
 # Changelog

+## 0.16.0 (August 28, 2020)
+
+BREAKING CHANGES:
+
+*   The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source.
+
+ENHANCEMENTS:
+
+*   Update Ansible to `2.9.12` and Ansible Lint to `4.3.2`.
+*   Explicitly define `mode` in relevant tasks.
+*   Explicitly define the `nginx` `apt_repository` filename in Debian based distros.
+
+FEATURES:
+
+*   TravisCI now always uses the latest version of Docker.
+
+BUG FIXES:
+
+*   Building OpenSSL from source should now work properly in CentOS 8.
+
 ## 0.15.0 (August 20, 2020)

 DEPRECATION WARNING:
--- a/README.md
+++ b/README.md
@ -9,8 +9,9 @@ This role installs NGINX Open Source, NGINX Plus, the NGINX Amplify agent, or NG
 **Note:** This role is still in active development. There may be unidentified issues and the role variables may change as development continues.

 **Deprecation Warnings:**
-*   There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX Config repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on. The NGINX configuration functionalities included in this role will be removed in an upcoming release.
-*   NGINX Unit now has a separate role available [here](https://github.com/nginxinc/ansible-role-nginx-unit). Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit repository. New issues or PRs related to NGINX Unit submitted in this repository will not be worked on. The NGINX Unit functionalities included in this role will be removed in an upcoming release.
+
+*   There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX Config repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on (with the exception of major bugfixes). The NGINX configuration functionalities included in this role will be removed in an upcoming release.
+*   NGINX Unit now has a separate role available [here](https://github.com/nginxinc/ansible-role-nginx-unit). Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit repository. New issues or PRs related to NGINX Unit submitted in this repository will not be worked on (with the exception of major bugfixes). The NGINX Unit functionalities included in this role will be removed in an upcoming release.

 Requirements
 ------------
--- a/defaults/main/linux.yml
+++ b/defaults/main/linux.yml
@ -8,6 +8,6 @@ nginx_linux_families: ['Alpine', 'Debian', 'RedHat', 'Suse']
 nginx_plus_linux_families: ['Alpine', 'Debian', 'RedHat', 'Suse']

 # Default locations and versions when 'nginx_install_from; is set to 'source'
-pcre_version: pcre-8.43
+pcre_version: pcre-8.44
 zlib_version: zlib-1.2.11
-openssl_version: openssl-1.1.1c
+openssl_version: openssl-1.1.1g
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -22,7 +22,7 @@
      changed_when: false
  when:
    - nginx_start | bool
-    - not ansible_check_mode
+    - not ansible_check_mode | bool

 - name: "(Handler: All OSs) Start NGINX Amplify Agent"
  service:
--- a/molecule/common/playbooks/module_verify.yml
+++ b/molecule/common/playbooks/module_verify.yml
@ -21,5 +21,6 @@
    - name: Check default.conf does not exist
      stat:
        path: /etc/nginx/conf.d/default.conf
+      check_mode: yes
      register: stat_result
      failed_when: stat_result.stat.exists
--- a/molecule/common/playbooks/stable_push_verify.yml
+++ b/molecule/common/playbooks/stable_push_verify.yml
@ -26,6 +26,7 @@
    - name: Check default.conf exists
      stat:
        path: /etc/nginx/conf.d/default.conf
+      check_mode: yes
      register: stat_result
      failed_when: not stat_result.stat.exists

--- a/molecule/common/playbooks/template_converge.yml
+++ b/molecule/common/playbooks/template_converge.yml
@ -6,7 +6,7 @@
      include_role:
        name: ansible-role-nginx
      vars:
-        nginx_debug_output: true
+        # nginx_debug_output: true

        nginx_service_modify: true
        nginx_service_timeout: 95
--- a/molecule/common/playbooks/template_verify.yml
+++ b/molecule/common/playbooks/template_verify.yml
@ -26,18 +26,21 @@
    - name: Check default.conf exists
      stat:
        path: /etc/nginx/conf.d/default.conf
+      check_mode: yes
      register: stat_result
      failed_when: not stat_result.stat.exists

    - name: Check frontend_default.conf exists
      stat:
        path: /etc/nginx/conf.d/frontend_default.conf
+      check_mode: yes
      register: stat_result
      failed_when: not stat_result.stat.exists

    - name: Check backend_default.conf exists
      stat:
        path: /etc/nginx/conf.d/backend_default.conf
+      check_mode: yes
      register: stat_result
      failed_when: not stat_result.stat.exists

--- a/tasks/amplify/install-amplify.yml
+++ b/tasks/amplify/install-amplify.yml
@ -14,6 +14,7 @@
    remote_src: yes
    src: /etc/amplify-agent/agent.conf.default
    dest: /etc/amplify-agent/agent.conf
+    mode: 0644

 - name: "(Setup: All OSs) Configure NGINX Amplify Agent API Key"
  lineinfile:
--- a/tasks/amplify/setup-debian.yml
+++ b/tasks/amplify/setup-debian.yml
@ -3,10 +3,14 @@
  apt_repository:
    filename: nginx-amplify
    repo: deb [arch=amd64] http://packages.amplify.nginx.com/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} amplify-agent
+    update_cache: yes
+    mode: 0644
  when: ansible_distribution_release != "focal"

 - name: "(Install: Debian/Ubuntu) Add NGINX Amplify Agent Repository"
  apt_repository:
    filename: nginx-amplify
    repo: deb [arch=amd64] https://packages.amplify.nginx.com/py3/ubuntu focal amplify-agent
+    update_cache: yes
+    mode: 0644
  when: ansible_distribution_release == "focal"
--- a/tasks/amplify/setup-redhat.yml
+++ b/tasks/amplify/setup-redhat.yml
@ -6,3 +6,4 @@
    description: NGINX Amplify Agent
    enabled: yes
    gpgcheck: yes
+    mode: 0644
--- a/tasks/conf/logrotate.yml
+++ b/tasks/conf/logrotate.yml
@ -31,4 +31,5 @@
  template:
    src: "logrotate/nginx.j2"
    dest: "/etc/logrotate.d/nginx"
+    mode: 0644
  notify: "(Config: All OSs) Run Logrotate"
--- a/tasks/conf/template-config.yml
+++ b/tasks/conf/template-config.yml
@ -3,6 +3,7 @@
  file:
    path: "{{ item.value.html_file_location | default('/usr/share/nginx/html') }}"
    state: directory
+    mode: 0755
  with_dict: "{{ nginx_html_demo_template }}"
  when: nginx_html_demo_template_enable | bool

@ -11,6 +12,7 @@
    src: "{{ item.value.template_file | default('www/index.html.j2') }}"
    dest: "{{ item.value.html_file_location | default('/usr/share/nginx/html') }}/{{ item.value.html_file_name | default('index.html') }}"
    backup: yes
+    mode: 0644
  with_dict: "{{ nginx_html_demo_template }}"
  when: nginx_html_demo_template_enable | bool

@ -18,6 +20,7 @@
  file:
    path: "{{ nginx_main_template.conf_file_location | default('/etc/nginx') }}"
    state: directory
+    mode: 0755
  when: nginx_main_template_enable | bool

 - name: "(Setup: All NGINX) Dynamically Generate NGINX Main Configuration File"
@ -25,6 +28,7 @@
    src: "{{ nginx_main_template.template_file | default('nginx.conf.j2') }}"
    dest: "{{ nginx_main_template.conf_file_location | default('/etc/nginx') }}/{{ nginx_main_template.conf_file_name | default('nginx.conf') }}"
    backup: yes
+    mode: 0644
  when: nginx_main_template_enable | bool
  notify: "(Handler: All OSs) Reload NGINX"

@ -32,6 +36,7 @@
  file:
    path: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/') }}"
    state: directory
+    mode: 0755
  with_dict: "{{ nginx_http_template }}"
  when: nginx_http_template_enable | bool

@ -40,6 +45,7 @@
    path: "{{ item.1.path }}"
    state: directory
    owner: "{{ nginx_main_template.user | default('nginx') }}"
+    mode: 0755
  with_subelements:
    - "{{ nginx_http_template }}"
    - proxy_cache.proxy_cache_path
@ -51,6 +57,7 @@
    src: "{{ item.value.template_file | default('http/default.conf.j2') }}"
    dest: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/') }}/{{ item.value.conf_file_name | default('default.conf') }}"
    backup: yes
+    mode: 0644
  with_dict: "{{ nginx_http_template }}"
  when: nginx_http_template_enable | bool
  notify: "(Handler: All OSs) Reload NGINX"
@ -60,21 +67,24 @@
    src: "{{ nginx_status_template_file | default('http/status.conf.j2') }}"
    dest: "{{ nginx_status_file_location | default('/etc/nginx/conf.d/status.conf') }}"
    backup: yes
-  notify: "(Handler: All OSs) Reload NGINX"
+    mode: 0644
  when: nginx_status_enable | bool
+  notify: "(Handler: All OSs) Reload NGINX"

 - name: "(Setup: All NGINX) Dynamically Generate NGINX API Configuration File"
  template:
    src: "{{ nginx_rest_api_template_file | default('http/api.conf.j2') }}"
    dest: "{{ nginx_rest_api_file_location | default('/etc/nginx/conf.d/api.conf') }}"
    backup: yes
-  notify: "(Handler: All OSs) Reload NGINX"
+    mode: 0644
  when: nginx_rest_api_enable | bool
+  notify: "(Handler: All OSs) Reload NGINX"

 - name: "(Setup: All NGINX) Ensure NGINX Stream Directory Exists"
  file:
    path: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/stream/') }}"
    state: directory
+    mode: 0755
  with_dict: "{{ nginx_stream_template }}"
  when: nginx_stream_template_enable | bool

@ -83,6 +93,7 @@
    src: "{{ item.value.template_file | default('stream/default.conf.j2') }}"
    dest: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/stream/') }}/{{ item.value.conf_file_name | default('default.conf') }}"
    backup: yes
+    mode: 0644
  with_dict: "{{ nginx_stream_template }}"
-  notify: "(Handler: All OSs) Reload NGINX"
  when: nginx_stream_template_enable | bool
+  notify: "(Handler: All OSs) Reload NGINX"
--- a/tasks/conf/upload-config.yml
+++ b/tasks/conf/upload-config.yml
@ -1,8 +1,26 @@
 ---
+- name: "(Setup: All NGINX) Ensure NGINX HTML Directory Exists"
+  file:
+    path: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}"
+    state: directory
+    mode: 0755
+  when: nginx_html_upload_enable | bool
+
+- name: "(Setup: All NGINX) Upload NGINX HTML Files"
+  copy:
+    src: "{{ item }}"
+    dest: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}"
+    backup: yes
+    mode: 0644
+  with_fileglob: "{{ nginx_html_upload_src }}"
+  when: nginx_html_upload_enable | bool
+  notify: "(Handler: All OSs) Reload NGINX"
+
 - name: "(Setup: All NGINX) Ensure NGINX Main Directory Exists"
  file:
    path: "{{ nginx_main_upload_dest | default('/etc/nginx/') }}"
    state: directory
+    mode: 0755
  when: nginx_main_upload_enable | bool

 - name: "(Setup: All NGINX) Upload NGINX Main Configuration File"
@ -10,6 +28,7 @@
    src: "{{ nginx_main_upload_src | default('conf/nginx.conf') }}"
    dest: "{{ nginx_main_upload_dest | default('/etc/nginx/') }}"
    backup: yes
+    mode: 0644
  when: nginx_main_upload_enable | bool
  notify: "(Handler: All OSs) Reload NGINX"

@ -17,6 +36,7 @@
  file:
    path: "{{ nginx_http_upload_dest | default('/etc/nginx/conf.d/') }}"
    state: directory
+    mode: 0755
  when: nginx_http_upload_enable | bool

 - name: "(Setup: All NGINX) Upload NGINX HTTP Configuration Files"
@ -24,6 +44,7 @@
    src: "{{ item }}"
    dest: "{{ nginx_http_upload_dest | default('/etc/nginx/conf.d/') }}"
    backup: yes
+    mode: 0644
  with_fileglob: "{{ nginx_http_upload_src }}"
  when: nginx_http_upload_enable | bool
  notify: "(Handler: All OSs) Reload NGINX"
@ -32,6 +53,7 @@
  file:
    path: "{{ nginx_stream_upload_dest | default('/etc/nginx/conf.d/') }}"
    state: directory
+    mode: 0755
  when: nginx_stream_upload_enable | bool

 - name: "(Setup: All NGINX) Upload NGINX Stream Configuration Files"
@ -39,44 +61,32 @@
    src: "{{ item }}"
    dest: "{{ nginx_stream_upload_dest | default('/etc/nginx/conf.d/') }}"
    backup: yes
+    mode: 0644
  with_fileglob: "{{ nginx_stream_upload_src }}"
  when: nginx_stream_upload_enable | bool
  notify: "(Handler: All OSs) Reload NGINX"

- name: "(Setup: All NGINX) Ensure NGINX HTML Directory Exists"
-  file:
-    path: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}"
-    state: directory
-  when: nginx_html_upload_enable | bool
-
- name: "(Setup: All NGINX) Upload NGINX HTML Files"
-  copy:
-    src: "{{ item }}"
-    dest: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}"
-    backup: yes
-  with_fileglob: "{{ nginx_html_upload_src }}"
-  when: nginx_html_upload_enable | bool
-  notify: "(Handler: All OSs) Reload NGINX"
-
 - name: "(Setup: All NGINX) Ensure SSL Certificate Directory Exists"
  file:
    path: "{{ nginx_ssl_crt_upload_dest | default('/etc/ssl/certs/') }}"
    state: directory
+    mode: 0755
  when: nginx_ssl_upload_enable | bool

 - name: "(Setup: All NGINX) Ensure SSL Key Directory Exists"
  file:
    path: "{{ nginx_ssl_key_upload_dest | default('/etc/ssl/private/') }}"
    state: directory
+    mode: 0755
  when: nginx_ssl_upload_enable | bool

 - name: "(Setup: All NGINX) Upload NGINX SSL Certificates"
  copy:
    src: "{{ item }}"
    dest: "{{ nginx_ssl_crt_upload_dest | default('/etc/ssl/certs/') }}"
-    mode: 0640
    decrypt: yes
    backup: yes
+    mode: 0640
  with_fileglob: "{{ nginx_ssl_crt_upload_src }}"
  when: nginx_ssl_upload_enable | bool

@ -84,9 +94,9 @@
  copy:
    src: "{{ item }}"
    dest: "{{ nginx_ssl_key_upload_dest | default('/etc/ssl/private/') }}"
-    mode: 0640
    decrypt: yes
    backup: yes
+    mode: 0640
  with_fileglob: "{{ nginx_ssl_key_upload_src }}"
  no_log: yes
  when: nginx_ssl_upload_enable | bool
--- a/tasks/keys/apk-key.yml
+++ b/tasks/keys/apk-key.yml
@ -11,3 +11,4 @@
  get_url:
    url: "{{ keysite }}"
    dest: /etc/apk/keys/nginx_signing.rsa.pub
+    mode: 0400
--- a/tasks/opensource/install-oss-linux.yml
+++ b/tasks/opensource/install-oss-linux.yml
@ -12,7 +12,7 @@
  include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml"
  when:
    - ansible_service_mgr == "systemd"
-    - nginx_service_modify
+    - nginx_service_modify | bool

 - name: "(Install: Linux) Install NGINX From Source"
  include_tasks: "{{ role_path }}/tasks/opensource/setup-source.yml"
--- a/tasks/opensource/setup-debian.yml
+++ b/tasks/opensource/setup-debian.yml
@ -15,7 +15,10 @@

 - name: "(Install: Debian/Ubuntu) Add NGINX Repository"
  apt_repository:
+    filename: nginx
    repo: "{{ item }}"
+    update_cache: yes
+    mode: 0644
  loop: "{{ repository }}"

 - name: "(Install: Debian/Ubuntu) Install NGINX"
--- a/tasks/opensource/setup-redhat.yml
+++ b/tasks/opensource/setup-redhat.yml
@ -17,6 +17,7 @@
    description: NGINX Repository
    enabled: yes
    gpgcheck: yes
+    mode: 0644
  when: ansible_distribution_major_version < "8"

 - name: "(Install: CentOS/RedHat) Add NGINX Repository for CentOS/RHEL 8"
@ -30,6 +31,7 @@
      gpgcheck = 1
      name = NGINX Repository
      module_hotfixes = true
+    mode: 0644
  when: ansible_distribution_major_version == "8"

 - name: "(Install: CentOS/RedHat) Install Required CentOS/RedHat Dependencies"
--- a/tasks/opensource/setup-source.yml
+++ b/tasks/opensource/setup-source.yml
@ -1,20 +1,21 @@
 ---
 - name: "(Install: Linux) Check For Build Tools"
  block:
-    - name: "(Install: Centos/RHEL) Install Python"
-      yum:
-        name:
-          - python3
-          - python3-pip
-          - python3-devel
-        update_cache: yes
-      when: ansible_os_family == "RedHat"
+    - name: "(Install: Centos/RHEL) Setup Python 3"
+      block:
+        - name: "(Install: Centos/RHEL) Install Python 3"
+          yum:
+            name:
+              - python3
+              - python3-pip
+              - python3-devel
+            update_cache: yes

-    - name: "(Install: Centos/RHEL) Set Python3 Default"
-      alternatives:
-        name: python
-        path: /usr/bin/python3
-        link: /usr/bin/python
+        - name: "(Install: Centos/RHEL) Set Python 3 Default"
+          alternatives:
+            name: python
+            path: /usr/bin/python3
+            link: /usr/bin/python
      when:
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version == "8"
@ -37,7 +38,10 @@

    - name: "(Install: Debian) Install Backports Repo For Buster"
      apt_repository:
+        filename: buster-backports
        repo: deb http://ftp.us.debian.org/debian buster-backports main
+        update_cache: yes
+        mode: 0644
      when: ansible_distribution_release == "buster"

    - name: "(Install: Debian/Ubuntu) Install Build Tools"
@ -76,7 +80,7 @@
        owner: root
        mode: 0644
      when: ansible_os_family == "Alpine"
-  when: nginx_install_source_build_tools
+  when: nginx_install_source_build_tools | bool

 - name: "(Install: Linux) Check For Source Installs"
  block:
@ -100,7 +104,7 @@
    name: pcre-devel
    update_cache: yes
  when:
-    - nginx_install_source_pcre
+    - nginx_install_source_pcre | bool
    - ansible_os_family == "RedHat"

 - name: "(Install: Debian/Ubuntu) Install PCRE Dependency From Package"
@ -108,7 +112,7 @@
    name: libpcre3-dev
    update_cache: yes
  when:
-    - nginx_install_source_pcre
+    - nginx_install_source_pcre | bool
    - ansible_os_family == "Debian"

 - name: "(Install: Alpine) Install PCRE Dependency From Package"
@ -116,7 +120,7 @@
    name: pcre-dev
    update_cache: yes
  when:
-    - nginx_install_source_pcre
+    - nginx_install_source_pcre | bool
    - ansible_os_family == "Alpine"

 - name: "(Install: Linux) Install PCRE Dependence From Source"
@ -125,6 +129,7 @@
      get_url:
        url: "http://ftp.pcre.org/pub/pcre/{{ pcre_version }}.tar.gz"
        dest: "/tmp/{{ pcre_version }}.tar.gz"
+        mode: 0600
      register: pcre_source

    - name: "(Install: Linux) Unpack PCRE Dependency"
@ -132,13 +137,12 @@
        copy: no
        dest: /tmp/
        src: "{{ pcre_source.dest }}"
-      register: pcre_source_unpack
+        mode: 0700

    - name: "(Install: Linux) Configure PCRE Dependency"
      command: "./configure"
      args:
        chdir: "/tmp/{{ pcre_version }}"
-      register: pcre_configure

    - name: "(Install: Linux) Make PCRE Dependency"
      make:
@ -149,15 +153,15 @@
        chdir: "/tmp/{{ pcre_version }}"
        target: install
  when:
-    - not pcre_result.stat.exists
-    - not nginx_install_source_pcre
+    - not pcre_result.stat.exists | bool
+    - not nginx_install_source_pcre | bool

 - name: "(Install: Centos/RHEL) Install ZLib Dependency From Package"
  yum:
    name: zlib-devel
    update_cache: yes
  when:
-    - nginx_install_source_zlib
+    - nginx_install_source_zlib | bool
    - ansible_os_family == "RedHat"

 - name: "(Install: Debian/Ubuntu) Install ZLib Dependency From Package"
@ -165,7 +169,7 @@
    name: zlib1g-dev
    update_cache: true
  when:
-    - nginx_install_source_zlib
+    - nginx_install_source_zlib | bool
    - ansible_os_family == "Debian"

 - name: "(Install: Alpine) Install ZLib Dependency From Package"
@ -173,7 +177,7 @@
    name: zlib-dev
    update_cache: yes
  when:
-    - nginx_install_source_zlib
+    - nginx_install_source_zlib | bool
    - ansible_os_family == "Alpine"

 - name: "(Install: Linux) Install ZLib Dependency From Source"
@ -182,6 +186,7 @@
      get_url:
        url: "http://zlib.net/{{ zlib_version }}.tar.gz"
        dest: "/tmp/{{ zlib_version }}.tar.gz"
+        mode: 0600
      register: zlib_source

    - name: "(Install: Linux) Unpack ZLib Dependency"
@ -189,13 +194,12 @@
        copy: no
        dest: /tmp/
        src: "{{ zlib_source.dest }}"
-      register: zlib_source_unpack
+        mode: 0700

    - name: "(Install: Linux) Configure zlib Dependency"
      command: "./configure"
      args:
        chdir: "/tmp/{{ zlib_version }}"
-      register: zlib_configure

    - name: "(Install: Linux) Make ZLib Dependency"
      make:
@ -206,15 +210,15 @@
        chdir: "/tmp/{{ zlib_version }}"
        target: install
  when:
-    - not zlib_result.stat.exists
-    - not nginx_install_source_zlib
+    - not zlib_result.stat.exists | bool
+    - not nginx_install_source_zlib | bool

 - name: "(Install: Centos/RHEL) Install OpenSSL Dependency From Package"
  yum:
    name: openssl-devel
    update_cache: yes
  when:
-    - nginx_install_source_openssl
+    - nginx_install_source_openssl | bool
    - ansible_os_family == "RedHat"

 - name: "(Install: Debian/Ubuntu) Install OpenSSL Dependency From Package"
@ -222,7 +226,7 @@
    name: libssl-dev
    update_cache: yes
  when:
-    - nginx_install_source_openssl
+    - nginx_install_source_openssl | bool
    - ansible_os_family == "Debian"

 - name: "(Install: Alpine) Install OpenSSL Dependency From Package"
@ -230,7 +234,7 @@
    name: openssl-dev
    update_cache: yes
  when:
-    - nginx_install_source_openssl
+    - nginx_install_source_openssl | bool
    - ansible_os_family == "Alpine"

 - name: "(Install: Linux) Install OpenSSL Dependency From Source"
@ -239,6 +243,7 @@
      get_url:
        url: "http://www.openssl.org/source/{{ openssl_version }}.tar.gz"
        dest: "/tmp/{{ openssl_version }}.tar.gz"
+        mode: 0600
      register: openssl_source

    - name: "(Install: Linux) Unpack OpenSSL Dependency"
@ -246,13 +251,12 @@
        copy: no
        dest: /tmp/
        src: "{{ openssl_source.dest }}"
-      register: openssl_source_unpack
+        mode: 0700

    - name: "(Install: Linux) Configure OpenSSL Dependency"
-      command: "./config --prefix=/usr"
+      command: "./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib"
      args:
        chdir: "/tmp/{{ openssl_version }}"
-      register: openssl_configure

    - name: "(Install: Linux) Make OpenSSL Dependency"
      make:
@ -263,8 +267,8 @@
        chdir: "/tmp/{{ openssl_version }}"
        target: install
  when:
-    - not openssl_result.stat.exists
-    - not nginx_install_source_openssl
+    - not openssl_result.stat.exists | bool
+    - not nginx_install_source_openssl | bool

 - name: "(Install: Linux) Get NGINX Version"
  block:
@ -309,6 +313,7 @@
      get_url:
        url: "http://nginx.org/download/{{ nginx_download_name }}.tar.gz"
        dest: "/tmp/{{ nginx_download_name }}.tar.gz"
+        mode: 0600
      register: nginx_source

    - name: "(Install: Linux) Unpack NGINX"
@ -316,7 +321,7 @@
        copy: no
        dest: /tmp/
        src: "{{ nginx_source.dest }}"
-      register: nginx_source_unpack
+        mode: 0755

    - name: "(Install: Linux) Configure NGINX"
      command: >-
@ -353,7 +358,7 @@
        dest: /lib/systemd/system/nginx.service
        owner: root
        group: root
-        mode: '0644'
+        mode: 0644
      when: ansible_service_mgr == "systemd"

    - name: "(Install: Linux) Enable systemd NGINX Service File"
@ -362,8 +367,8 @@
        name: nginx
        state: restarted
        enabled: yes
-      notify: "(Handler: All OSs) Start NGINX"
      when: ansible_service_mgr == "systemd"
+      notify: "(Handler: All OSs) Start NGINX"

    - name: "(Install: Linux) Upload upstart NGINX Service File"
      copy:
@ -371,7 +376,7 @@
        dest: /etc/init.d/nginx
        owner: root
        group: root
-        mode: '0755'
+        mode: 0755
      when: ansible_service_mgr == "upstart"

    - name: "(Install: Linux) Upload upstart NGINX Service Conf File"
@ -380,7 +385,7 @@
        dest: /etc/init/nginx.conf
        owner: root
        group: root
-        mode: '0644'
+        mode: 0644
      when: ansible_service_mgr == "upstart"

    - name: "(Install: Linux) Enable upstart NGINX Service Reload"
@ -389,8 +394,8 @@

    - name: "(Install: Linux) Start upstart NGINX Service Reload"
      command: "nginx"
-      notify: "(Handler: All OSs) Start NGINX"
      when: ansible_service_mgr == "upstart"
+      notify: "(Handler: All OSs) Start NGINX"

    - name: "(Install: Linux) Upload sysvinit NGINX Service File"
      copy:
@ -398,9 +403,9 @@
        dest: /etc/init.d/nginx
        owner: root
        group: root
-        mode: '0755'
-      notify: "(Handler: All OSs) Start NGINX"
+        mode: 0755
      when: ansible_service_mgr == "sysvinit"
+      notify: "(Handler: All OSs) Start NGINX"

    - name: "(Install: Linux) Upload openrc NGINX Service File"
      copy:
@ -408,7 +413,7 @@
        dest: /etc/init.d/nginx
        owner: root
        group: root
-        mode: '0755'
+        mode: 0755
      when: ansible_service_mgr == "openrc"

    - name: "(Install: Linux) Enable openrc NGINX Service"
--- a/tasks/plus/install-plus-linux.yml
+++ b/tasks/plus/install-plus-linux.yml
@ -1,5 +1,6 @@
 ---
- include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml"
+- name: "(Setup: Linux) Setup NGINX Plus Repository"
+  include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml"
  when: ansible_os_family == "Alpine"
        or ansible_os_family == "Debian"
        or ansible_os_family == "RedHat"
@ -9,7 +10,7 @@
  include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml"
  when:
    - ansible_service_mgr == "systemd"
-    - nginx_service_modify
+    - nginx_service_modify | bool

 - name: "(Install: Linux) Install NGINX Plus"
  package:
--- a/tasks/plus/setup-bsd.yml
+++ b/tasks/plus/setup-bsd.yml
@ -10,6 +10,7 @@
      MIRROR_TYPE: SRV
      }
    state: "{{ nginx_license_status | default ('present') }}"
+    mode: 0644

 - name: "(Setup: FreeBSD) Setup NGINX Plus License"
  blockinfile:
--- a/tasks/plus/setup-debian.yml
+++ b/tasks/plus/setup-debian.yml
@ -1,11 +1,4 @@
 ---
- name: "(Setup: Debian/Ubuntu) Setup NGINX Plus Repository"
-  apt_repository:
-    repo: deb [arch=amd64] https://plus-pkgs.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
-    filename: nginx-plus
-    update_cache: no
-    state: "{{ nginx_license_status | default ('present') }}"
-
 - name: "(Setup: Debian/Ubuntu) Setup NGINX Plus License"
  blockinfile:
    path: /etc/apt/apt.conf.d/90nginx
@ -16,7 +9,12 @@
      Acquire::https::plus-pkgs.nginx.com::SslCert     "/etc/ssl/nginx/nginx-repo.crt";
      Acquire::https::plus-pkgs.nginx.com::SslKey      "/etc/ssl/nginx/nginx-repo.key";
    state: "{{ nginx_license_status | default ('present') }}"
+    mode: 0444

- name: "(Setup: Debian/Ubuntu) Update APT Cache"
-  apt:
+- name: "(Setup: Debian/Ubuntu) Setup NGINX Plus Repository"
+  apt_repository:
+    filename: nginx-plus
+    repo: deb [arch=amd64] https://plus-pkgs.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
    update_cache: yes
+    state: "{{ nginx_license_status | default ('present') }}"
+    mode: 0644
--- a/tasks/plus/setup-license.yml
+++ b/tasks/plus/setup-license.yml
@ -5,12 +5,14 @@
      file:
        path: /etc/ssl/nginx
        state: directory
+        mode: 0755

    - name: "(Setup: All OSs Besides Alpine Linux) Copy NGINX Plus Certificate and License Key"
      copy:
        src: "{{ item }}"
        dest: /etc/ssl/nginx
        decrypt: yes
+        mode: 0444
      loop:
        - "{{ nginx_license.certificate }}"
        - "{{ nginx_license.key }}"
@ -22,16 +24,19 @@
      file:
        path: /etc/apk
        state: directory
+        mode: 0755

    - name: "(Setup: Alpine Linux) Copy NGINX Plus Key"
      copy:
        src: "{{ nginx_license.key }}"
        dest: /etc/apk/cert.key
        decrypt: yes
+        mode: 0444

    - name: "(Setup: Alpine Linux) Copy NGINX Plus Certificate"
      copy:
        src: "{{ nginx_license.certificate }}"
        dest: /etc/apk/cert.pem
        decrypt: yes
+        mode: 0444
  when: ansible_distribution == "Alpine"
--- a/tasks/plus/setup-redhat.yml
+++ b/tasks/plus/setup-redhat.yml
@ -11,6 +11,7 @@
    enabled: yes
    gpgcheck: yes
    state: "{{ nginx_license_status | default ('present') }}"
+    mode: 0644
  when: ansible_distribution != "Amazon"

 - name: "(Setup: Amazon Linux) Setup NGINX Plus Repository"
@ -25,4 +26,5 @@
    enabled: yes
    gpgcheck: yes
    state: "{{ nginx_license_status | default ('present') }}"
+    mode: 0644
  when: ansible_distribution == "Amazon"
--- a/tasks/plus/setup-suse.yml
+++ b/tasks/plus/setup-suse.yml
@ -3,6 +3,7 @@
  assemble:
    src: /etc/ssl/nginx
    dest: /etc/ssl/nginx/nginx-repo-bundle.crt
+    mode: 0444

 - name: "(Setup: SUSE) Setup NGINX Plus Repository"
  zypper_repository:
--- a/tasks/prerequisites/setup-selinux.yml
+++ b/tasks/prerequisites/setup-selinux.yml
@ -80,6 +80,7 @@
  template:
    src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
    dest: "{{ nginx_tempdir }}/nginx-plus-module.te"
+    mode: 0644
  register: nginx_selinux_module

 - name: "(Setup: SELinux) Check NGINX Plus Module"
--- a/tasks/prerequisites/setup-systemd.yml
+++ b/tasks/prerequisites/setup-systemd.yml
@ -12,10 +12,10 @@
    owner: root
    group: root
    mode: 0644
-  notify: "(Handler: All OSs) Systemd Daemon-Reload"
  when:
    - not nginx_service_custom | bool
    - not nginx_service_clean | bool
+  notify: "(Handler: All OSs) Systemd Daemon-Reload"

 - name: "(Setup: Linux) Customize Override For NGINX Systemd Service"
  copy:
@ -24,14 +24,14 @@
    owner: root
    group: root
    mode: 0644
-  notify: "(Handler: All OSs) Systemd Daemon-Reload"
  when:
    - nginx_service_custom | bool
    - not nginx_service_clean | bool
+  notify: "(Handler: All OSs) Systemd Daemon-Reload"

 - name: "(Setup: Linux) Remove Override For NGINX Systemd Service"
  file:
    path: "{{ nginx_service_overridepath }}"
    state: absent
-  notify: "(Handler: All OSs) Systemd Daemon-Reload"
  when: nginx_service_clean | bool
+  notify: "(Handler: All OSs) Systemd Daemon-Reload"
--- a/tasks/unit/setup-debian.yml
+++ b/tasks/unit/setup-debian.yml
@ -2,6 +2,7 @@
 - name: "(Install: Debian/Ubuntu) Add NGINX Unit Repository"
  apt_repository:
    repo: "{{ item }}"
+    mode: 0644
  loop:
    - deb [arch=amd64] https://packages.nginx.org/unit/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release }} unit
    - deb-src https://packages.nginx.org/unit/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release }} unit
--- a/tasks/unit/setup-redhat.yml
+++ b/tasks/unit/setup-redhat.yml
@ -6,6 +6,7 @@
    description: NGINX Unit Repository
    enabled: yes
    gpgcheck: yes
+    mode: 0644
  when: ansible_distribution != "Amazon"

 - name: "(Install: Amazon Linux) Add NGINX Unit Repository"
@ -15,4 +16,5 @@
    description: NGINX Unit Repository
    enabled: yes
    gpgcheck: yes
+    mode: 0644
  when: ansible_distribution == "Amazon"