---
- name: create nginx/conf directory
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ podman_user }}"
    group: "{{ podman_user }}"
    mode: 0644
  loop:
    - "{{ nginx_conf_path }}"
    - "{{ modsec_rules_path }}"
  notify: restorecon podman
  tags: modsec

- name: create modsec_includes.conf
  become: true
  ansible.builtin.copy:
    src: files/nginx/modsec_includes.conf
    dest: "{{ nginx_path }}/etc/modsec_includes.conf"
    owner: "{{ podman_user }}"
    group: "{{ podman_user }}"
    mode: 0644
  notify:
    - restorecon podman
    - restart nginx
  tags: modsec

- name: clone coreruleset and modsecurity
  become: true
  ansible.builtin.git:
    repo: "{{ item.src }}"
    dest: "{{ item.dest }}"
    update: "{{ update_modsec | default(false) }}"
    force: true
    version: "{{ item.ver }}"
  loop: "{{ modsec_git_urls }}"
  tags: modsec

- name: setup modsec and coreruleset configs
  become: true
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ podman_user }}"
    group: "{{ podman_user }}"
    force: "{{ update_modsec | default(false) }}"
    mode: 0644
    remote_src: true
  loop: "{{ modsec_conf_links }}"
  notify: restorecon podman
  tags: modsec

- name: setup coreruleset rules
  become: true
  ansible.builtin.copy:
    src: "{{ crs_rules_path }}/{{ item.name }}.conf"
    dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
    owner: "{{ podman_user }}"
    group: "{{ podman_user }}"
    force: "{{ update_modsec | default(false) }}"
    mode: 0644
    remote_src: true
  when: item.enabled
  loop: "{{ crs_rule_links }}"
  notify: restorecon podman
  tags:
    - modsec
    - modsec_rules

- name: setup coreruleset data
  become: true
  ansible.builtin.copy:
    src: "{{ crs_rules_path }}/{{ item }}.data"
    dest: "{{ modsec_rules_path }}/{{ item }}.data"
    force: "{{ update_modsec | default(false) }}"
    owner: "{{ podman_user }}"
    group: "{{ podman_user }}"
    mode: 0644
    remote_src: true
  loop: "{{ crs_data_links }}"
  notify: restorecon podman
  tags:
    - modsec
    - modsec_rules

- name: whitelist local ip addresses
  become: true
  ansible.builtin.lineinfile:
    path: "{{ modsec_crs_before_rule_conf }}"
    regexp: "{{ modsec_whitelist_local_re }}"
    line: "{{ modsec_whitelist_local }}"
  notify: restart nginx
  tags:
    - modsec
    - modsec_rules
    - modsec_whitelist

- name: activate mod-security
  become: true
  ansible.builtin.lineinfile:
    path: "{{ nginx_path }}/etc/modsecurity.conf"
    regexp: "{{ item.regex }}"
    line: "{{ item.line }}"
  loop: "{{ modsec_conf_replaces }} "
  notify: restart nginx
  tags: modsec