noticket - reorganized podman

2024-02-01 15:35:11 -05:00
parent 27942f9178
commit 184cd2574d
25 changed files with 102 additions and 98 deletions
--- a/ansible/roles/podman/tasks/containers/base/conf-nginx-modsec.yml
+++ b/ansible/roles/podman/tasks/containers/base/conf-nginx-modsec.yml
@@ -0,0 +1,127 @@
+---
+- name: create nginx/conf directory
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  loop:
+    - "{{ nginx_conf_path }}"
+    - "{{ modsec_rules_path }}"
+  notify: restorecon podman
+  tags: modsec
+
+- name: create modsec_includes.conf
+  become: true
+  ansible.builtin.copy:
+    src: files/nginx/modsec_includes.conf
+    dest: "{{ nginx_path }}/etc/modsec_includes.conf"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags: modsec
+
+- name: clone coreruleset and modsecurity
+  become: true
+  ansible.builtin.git:
+    repo: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    update: "{{ update_modsec | default(false) }}"
+    force: true
+    version: "{{ item.ver }}"
+  loop: "{{ modsec_git_urls }}"
+  tags: modsec
+
+- name: setup modsec and coreruleset configs
+  become: true
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    force: "{{ update_modsec | default(false) }}"
+    mode: 0644
+    remote_src: true
+  loop: "{{ modsec_conf_links }}"
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags: modsec
+
+- name: setup coreruleset rules
+  become: true
+  ansible.builtin.copy:
+    src: "{{ crs_rules_path }}/{{ item.name }}.conf"
+    dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    force: "{{ update_modsec | default(false) }}"
+    mode: 0644
+    remote_src: true
+  when: item.enabled
+  loop: "{{ crs_rule_links }}"
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags:
+    - modsec
+    - modsec_rules
+
+- name: removed disabled coreruleset rules
+  become: true
+  ansible.builtin.file:
+    path: "{{ modsec_rules_path }}/{{ item.name }}.conf"
+    state: absent
+  when: not item.enabled
+  loop: "{{ crs_rule_links }}"
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags:
+    - modsec
+    - modsec_rules
+
+- name: setup coreruleset data
+  become: true
+  ansible.builtin.copy:
+    src: "{{ crs_rules_path }}/{{ item }}.data"
+    dest: "{{ modsec_rules_path }}/{{ item }}.data"
+    force: "{{ update_modsec | default(false) }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+    remote_src: true
+  loop: "{{ crs_data_links }}"
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags:
+    - modsec
+    - modsec_rules
+
+- name: whitelist local ip addresses
+  become: true
+  ansible.builtin.lineinfile:
+    path: "{{ modsec_crs_before_rule_conf }}"
+    regexp: "{{ modsec_whitelist_local_re }}"
+    line: "{{ modsec_whitelist_local }}"
+  notify: restart nginx
+  tags:
+    - modsec
+    - modsec_rules
+    - modsec_whitelist
+
+- name: activate mod-security
+  become: true
+  ansible.builtin.lineinfile:
+    path: "{{ nginx_path }}/etc/modsecurity.conf"
+    regexp: "{{ item.regex }}"
+    line: "{{ item.line }}"
+  loop: "{{ modsec_conf_replaces }} "
+  notify: restart nginx
+  tags: modsec