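---
# Install and wire up ModSecurity + OWASP CoreRuleSet (CRS) for nginx.
#
# Path variables (all defined in role vars, not here):
#   nginx_path        - nginx config root; modsec_includes.conf and
#                       modsecurity.conf are expected under it
#   nginx_conf_path   - directory for the CRS setup config
#   modsec_rules_path - directory of symlinks to the enabled CRS rule/data files
#   crs_rules_path    - the cloned CRS "rules" directory the symlinks point at
#
# Every task that changes on-disk config notifies restart_nginx so the new
# rule set is actually loaded.

- name: create nginx/conf and modsec rules directories
  become: true
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    # Directories need the execute bit to be traversable; the previous 0644
    # left these directories unsearchable for anything but root.
    # Octal modes are quoted so YAML does not re-type them as integers.
    mode: "0755"
  with_items:
    - "{{ nginx_conf_path }}"
    - "{{ modsec_rules_path }}"
  tags: modsec

- name: create modsec_includes.conf
  become: true
  copy:
    src: files/nginx/modsec_includes.conf
    dest: "{{ nginx_path }}/modsec_includes.conf"
    owner: root
    group: root
    mode: "0644"
  notify: restart_nginx
  tags: modsec

- name: clone coreruleset and modsecurity
  become: true
  # update: false means an existing checkout is never touched, so a change to
  # item.ver only takes effect on a freshly provisioned host.
  # NOTE(review): item.ver should be a release tag or commit hash rather than a
  # branch so the deployed rule set is reproducible, and item.src should be an
  # https:// URL -- the values live in modsec_git_urls and are not visible here.
  git:
    repo: "{{ item.src }}"
    dest: "{{ item.dest }}"
    update: false
    version: "{{ item.ver }}"
  with_items: "{{ modsec_git_urls }}"
  notify: restart_nginx
  tags: modsec

- name: setup modsec and coreruleset configs
  become: true
  # Symlink the shipped config templates from the clones into place.
  # force: true replaces a pre-existing regular file or stale link at dest.
  file:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    state: link
    force: true
    mode: "0644"
  with_items: "{{ modsec_conf_links }}"
  notify: restart_nginx
  tags: modsec

- name: setup coreruleset rules
  become: true
  # Each entry in crs_rule_links is {name, enabled}: enabled rules become a
  # symlink into the CRS rules directory, disabled ones are removed so the
  # include glob in modsec_includes.conf no longer picks them up.
  file:
    src: "{{ crs_rules_path }}/{{ item.name }}.conf"
    dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
    state: "{{ item.enabled | ternary('link', 'absent') }}"
    force: true
    mode: "0644"
  with_items: "{{ crs_rule_links }}"
  notify: restart_nginx
  tags: modsec, modsec_rules

- name: setup coreruleset data
  become: true
  # .data files are lookup tables referenced by the rules (@pmFromFile etc.);
  # they are linked unconditionally because rules may depend on any of them.
  file:
    src: "{{ crs_rules_path }}/{{ item }}.data"
    dest: "{{ modsec_rules_path }}/{{ item }}.data"
    state: link
    force: true
    mode: "0644"
  with_items: "{{ crs_data_links }}"
  notify: restart_nginx
  tags: modsec, modsec_rules

# Superseded by the git clone + symlink approach above; kept for reference.
# name: fetch core rule set files for mod-security
# become: true
# get_url:
#   url: "{{ item.url }}"
#   dest: "{{ item.dest }}"
#   mode: "0644"
# with_items:
#   - {"url": "{{ modsec_conf_url }}",
#      "dest": "{{ nginx_path }}/modsecurity.conf"}
#   - {"url": "{{ modsec_unicode_url }}",
#      "dest": "{{ nginx_path }}/unicode.mapping"}
#   - {"url": "{{ crs_setup_url }}",
#      "dest": "{{ nginx_conf_path }}/crs-setup.conf"}
#   - {"url": "{{ crs_before_url }}",
#      "dest": "{{ modsec_crs_before_rule_conf }}"}
#   - {"url": "{{ crs_after_url }}",
#      "dest": "{{ modsec_crs_after_rule_conf }}"}
# notify: restart_nginx
# tags: modsec

- name: activate mod-security
  become: true
  # The shipped modsecurity.conf-recommended defaults to DetectionOnly (log
  # but never block). Switching to On makes the WAF enforce; anything the
  # enabled CRS rules flag will be blocked, so tune the rule set first.
  # The path uses nginx_path like every other task: the old hard-coded
  # /etc/nginx would have failed (or edited the wrong file) on hosts where
  # nginx_path differs.
  lineinfile:
    path: "{{ nginx_path }}/modsecurity.conf"
    regexp: '^SecRuleEngine'
    line: 'SecRuleEngine On'
  notify: restart_nginx
  tags: modsec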