128 lines
3.0 KiB
YAML
128 lines
3.0 KiB
YAML
---
|
|
- name: create nginx/conf directory
|
|
become: true
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
owner: "{{ podman_user }}"
|
|
group: "{{ podman_user }}"
|
|
mode: 0644
|
|
loop:
|
|
- "{{ nginx_conf_path }}"
|
|
- "{{ modsec_rules_path }}"
|
|
notify: restorecon podman
|
|
tags: modsec
|
|
|
|
- name: create modsec_includes.conf
|
|
become: true
|
|
ansible.builtin.copy:
|
|
src: files/nginx/modsec_includes.conf
|
|
dest: "{{ nginx_path }}/etc/modsec_includes.conf"
|
|
owner: "{{ podman_user }}"
|
|
group: "{{ podman_user }}"
|
|
mode: 0644
|
|
notify:
|
|
- restorecon podman
|
|
- restart nginx
|
|
tags: modsec
|
|
|
|
- name: clone coreruleset and modsecurity
|
|
become: true
|
|
ansible.builtin.git:
|
|
repo: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
update: "{{ update_modsec | default(false) }}"
|
|
force: true
|
|
version: "{{ item.ver }}"
|
|
loop: "{{ modsec_git_urls }}"
|
|
tags: modsec
|
|
|
|
- name: setup modsec and coreruleset configs
|
|
become: true
|
|
ansible.builtin.copy:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
owner: "{{ podman_user }}"
|
|
group: "{{ podman_user }}"
|
|
force: "{{ update_modsec | default(false) }}"
|
|
mode: 0644
|
|
remote_src: true
|
|
loop: "{{ modsec_conf_links }}"
|
|
notify:
|
|
- restorecon podman
|
|
- restart nginx
|
|
tags: modsec
|
|
|
|
- name: setup coreruleset rules
|
|
become: true
|
|
ansible.builtin.copy:
|
|
src: "{{ crs_rules_path }}/{{ item.name }}.conf"
|
|
dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
|
|
owner: "{{ podman_user }}"
|
|
group: "{{ podman_user }}"
|
|
force: "{{ update_modsec | default(false) }}"
|
|
mode: 0644
|
|
remote_src: true
|
|
when: item.enabled
|
|
loop: "{{ crs_rule_links }}"
|
|
notify:
|
|
- restorecon podman
|
|
- restart nginx
|
|
tags:
|
|
- modsec
|
|
- modsec_rules
|
|
|
|
- name: removed disabled coreruleset rules
|
|
become: true
|
|
ansible.builtin.file:
|
|
path: "{{ modsec_rules_path }}/{{ item.name }}.conf"
|
|
state: absent
|
|
when: not item.enabled
|
|
loop: "{{ crs_rule_links }}"
|
|
notify:
|
|
- restorecon podman
|
|
- restart nginx
|
|
tags:
|
|
- modsec
|
|
- modsec_rules
|
|
|
|
- name: setup coreruleset data
|
|
become: true
|
|
ansible.builtin.copy:
|
|
src: "{{ crs_rules_path }}/{{ item }}.data"
|
|
dest: "{{ modsec_rules_path }}/{{ item }}.data"
|
|
force: "{{ update_modsec | default(false) }}"
|
|
owner: "{{ podman_user }}"
|
|
group: "{{ podman_user }}"
|
|
mode: 0644
|
|
remote_src: true
|
|
loop: "{{ crs_data_links }}"
|
|
notify:
|
|
- restorecon podman
|
|
- restart nginx
|
|
tags:
|
|
- modsec
|
|
- modsec_rules
|
|
|
|
- name: whitelist local ip addresses
|
|
become: true
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ modsec_crs_before_rule_conf }}"
|
|
regexp: "{{ modsec_whitelist_local_re }}"
|
|
line: "{{ modsec_whitelist_local }}"
|
|
notify: restart nginx
|
|
tags:
|
|
- modsec
|
|
- modsec_rules
|
|
- modsec_whitelist
|
|
|
|
- name: activate mod-security
|
|
become: true
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ nginx_path }}/etc/modsecurity.conf"
|
|
regexp: "{{ item.regex }}"
|
|
line: "{{ item.line }}"
|
|
loop: "{{ modsec_conf_replaces }} "
|
|
notify: restart nginx
|
|
tags: modsec
|