browbeat/ansible/install/roles/nginx/tasks/main.yml

---
#
# Install/run nginx for browbeat
#

- name: Import EPEL GPG Key
  rpm_key: key=https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
    state=present

- name: Check for EPEL repo
  yum: name=https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    state=present

- name: Install nginx, httpd-tools, httplib2, libsemanage-python
  yum: name={{ item }} state=present
  become: true
  with_items:
    - nginx
    - httpd-tools
    - python-httplib2
    - libsemanage-python

# SELinux boolean for nginx
- name: Apply SELinux boolean httpd_can_network_connect
  seboolean: name=httpd_can_network_connect state=yes persistent=yes

# deploy kibana.conf with FQDN
- name: Setup nginx reverse proxy for kibana
  template:
    src=kibana.conf.j2
    dest=/etc/nginx/conf.d/kibana.conf
    owner=root
    group=root
    mode=0644
  become: true
  register: nginx_needs_restart

# deploy basic nginx.conf 8080 vhost
- name: Setup nginx TCP/8080 vhost for SSL certificate
  template:
    src=nginx.conf.j2
    dest=/etc/nginx/nginx.conf
    owner=root
    group=root
    mode=0644
  become: true

# start nginx service
- name: Start nginx service
  command: systemctl restart nginx.service
  ignore_errors: true
  when: nginx_needs_restart != 0

- name: Set nginx to start on boot
  command: systemctl enable nginx.service
  ignore_errors: true

# we need TCP/80 and TCP/8080 open
# determine firewall status and take action
# 1) use firewall-cmd if firewalld is utilized
# 2) insert iptables rule if iptables is used

# Firewalld
- name: Determine if firewalld is in use
  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
  ignore_errors: true
  register: firewalld_in_use

- name: Determine if firewalld is active
  shell: systemctl is-active firewalld.service | grep -vq inactive
  ignore_errors: true
  register: firewalld_is_active

- name: Determine if TCP/{{nginx_kibana_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
  ignore_errors: true
  register: firewalld_tcp80_exists

# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{nginx_kibana_port}} (firewalld)
  command: "{{ item }}"
  with_items:
    - firewall-cmd --zone=public --add-port={{nginx_kibana_port}}/tcp --permanent
    - firewall-cmd --reload
  ignore_errors: true
  become: true
  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp80_exists.rc != 0

# iptables-services
- name: check firewall rules for TCP/{{nginx_kibana_port}} (iptables-services)
  shell: grep "dport {{nginx_kibana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
  register: iptables_tcp80_exists
  failed_when: iptables_tcp80_exists == 127

- name: Add firewall rule for TCP/{{nginx_kibana_port}} (iptables-services)
  lineinfile:
    dest: /etc/sysconfig/iptables
    line: '-A INPUT -p tcp -m tcp --dport {{nginx_kibana_port}} -j ACCEPT'
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
  register: iptables_needs_restart

- name: Restart iptables-services for TCP/{{nginx_kibana_port}} (iptables-services)
  shell: systemctl restart iptables.service
  ignore_errors: true
  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0

# Firewalld
- name: Determine if firewalld is in use
  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
  ignore_errors: true
  register: firewalld_in_use

- name: Determine if firewalld is active
  shell: systemctl is-active firewalld.service | grep -vq inactive
  ignore_errors: true
  register: firewalld_is_active

- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
  ignore_errors: true
  register: firewalld_tcp8080_exists

# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (firewalld)
  command: "{{ item }}"
  with_items:
    - firewall-cmd --zone=public --add-port={{elk_server_ssl_cert_port}}/tcp --permanent
    - firewall-cmd --reload
  ignore_errors: true
  become: true
  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp8080_exists.rc != 0

# iptables-services
- name: check firewall rules for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
  shell: grep "dport {{elk_server_ssl_cert_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
  register: iptables_tcp8080_exists
  failed_when: iptables_tcp8080_exists == 127

- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
  lineinfile:
    dest: /etc/sysconfig/iptables
    line: '-A INPUT -p tcp -m tcp --dport {{elk_server_ssl_cert_port}} -j ACCEPT'
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp8080_exists.stdout|int == 0
  register: iptables_needs_restart

- name: Restart iptables-services for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
  shell: systemctl restart iptables.service
  ignore_errors: true
  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0

- name: Disable EPEL Repo
  ini_file: dest=/etc/yum.repos.d/epel.repo
    section=epel
    option=enabled
    value=0