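---
# Task list: install nginx + libmodsecurity + PHP-FPM, create the config and
# ModSecurity log directories, copy per-host nginx config, clone the OWASP Core
# Rule Set, install the ModSecurity config/logrotate files, and restart the
# services only when one of the registered config tasks reported a change.
#
# Changes from the original: booleans written as true/false (not yes/no), octal
# modes quoted so YAML does not reinterpret the leading zero, duplicate task
# names made distinct, and the commented-out validate kept as a proper comment.
- name: Install components
  become: true
  package:
    name: "{{ item }}"
    state: present
  loop:
    - nginx
    - libmodsecurity
    - nginx-mod-modsecurity
    - php
    - php-fpm

- name: Config directories
  become: true
  file:
    path: "{{ item }}"
    state: directory
    owner: http
    group: http
    mode: "0750"
  loop:
    - /usr/share/webapps/aninix
    - /etc/nginx/conf
    - /etc/nginx/conf.d
    - /etc/modsecurity
    - /var/log/modsec
    - /var/log/modsec/tmp
    - /var/log/modsec/data
    - /var/log/modsec/audit
    - /var/log/modsec/uploads

- name: Copy PHP config
  become: true
  copy:
    src: php.ini
    dest: /etc/php/php.ini
    owner: root
    group: root
    # NOTE(review): a config file needs no execute bit; "0644" would likely
    # suffice — left as-is, confirm nothing depends on 0755.
    mode: "0755"

# NOTE(review): the nginx config below is owned by and writable for the "http"
# service account (0660/0770). A compromised worker could then edit its own
# server config; root-owned files readable by http (e.g. "0640") would be the
# tighter layout. Kept as-is because the rest of the role assumes it.
- name: Copy conf.d
  become: true
  copy:
    src: "conf.d/{{ inventory_hostname }}/"
    dest: /etc/nginx/conf.d/
    owner: http
    group: http
    mode: "0660"
    directory_mode: "0770"
    follow: true
  register: confd

- name: Copy conf
  become: true
  copy:
    src: conf/
    dest: /etc/nginx/conf/
    owner: http
    group: http
    mode: "0660"
    follow: true
  register: conf

- name: Copy web apps
  become: true
  copy:
    src: apps/
    dest: /usr/share/webapps/aninix
    owner: http
    group: http
    mode: "0660"
    follow: true

- name: Nginx pidfile
  become: true
  # state: file does not create the file; ignore_errors masks the failure on a
  # host where nginx has never been started and the pidfile is absent.
  ignore_errors: true
  file:
    path: /run/nginx.pid
    state: file
    owner: http
    group: http
    mode: "0640"

- name: Nginx log folder
  become: true
  file:
    path: /var/log/nginx
    state: directory
    owner: http
    group: http
    mode: "0750"

- name: Populate security config
  become: true
  template:
    src: conf/sec.conf.j2
    dest: /etc/nginx/conf/sec.conf
    owner: http
    group: http
    mode: "0660"
  register: secconf

- name: Clone OWASP-CRS
  # NOTE(review): no "version:" pin, so every run pulls the current branch head
  # of a third-party repository and "force: true" discards local edits. Pin
  # "version:" to a reviewed release tag or commit so rule-set changes are
  # deliberate. ignore_errors also hides a failed clone (e.g. no network),
  # leaving ModSecurity without rules while the play reports success.
  ignore_errors: true
  become: true
  git:
    repo: https://github.com/coreruleset/coreruleset.git
    update: true
    force: true
    single_branch: true
    dest: /usr/share/owasp-modsecurity-crs
    umask: "0022"

- name: Modsecurity config
  become: true
  copy:
    dest: /etc/modsecurity/main.conf
    src: modsec.conf
    owner: http
    group: http
    mode: "0750"
    # Rejects the copy if the rule set fails to parse, so a broken config never
    # reaches the path nginx loads.
    validate: /usr/bin/modsec-rules-check %s
  register: modsecconf

- name: Modsecurity logrotate
  become: true
  copy:
    dest: /etc/logrotate.d/modsecurity
    src: logrotate.modsec.conf
    owner: root
    group: root
    mode: "0644"

- name: Copy nginx.conf
  become: true
  copy:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
    owner: http
    group: http
    mode: "0660"
    follow: true
    # validate: nginx -t -p /etc/nginx -c %s
    # Commented due to base pathing issues
  register: baseconf

# Restart (not just start) so edited config is actually loaded; gated on the
# registered results so an unchanged run does not bounce the services.
- name: Ensure service is started
  become: true
  when: conf.changed or confd.changed or secconf.changed or baseconf.changed or modsecconf.changed
  service:
    name: "{{ item }}"
    enabled: true
    state: restarted
  loop:
    - php-fpm
    - nginx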