---
- name: "(CentOS/RHEL) Install dependencies"
  block:
    - name: "(CentOS/RHEL 6/7) Install dependencies"
      yum:
        name:
          - policycoreutils-python
          - setools
      when: ansible_facts['distribution_major_version'] is version('8', '!=')

    - name: "(CentOS/RHEL 8) Install dependencies"
      yum:
        name:
          - libselinux-utils
          - policycoreutils
          - selinux-policy-targeted
      when: ansible_facts['distribution_major_version'] is version('8', '==')
  when: ansible_facts['os_family'] == "RedHat"

- name: "Set SELinux mode to permissive"
  selinux:
    state: permissive
    policy: targeted
  changed_when: false
  when: ansible_facts['selinux.mode'] == "enforcing"

- name: "Allow SELinux HTTP network connections"
  seboolean:
    name: httpd_can_network_connect
    state: yes
    persistent: yes

- name: "Allow SELinux HTTP network connections"
  seboolean:
    name: httpd_can_network_relay
    state: yes
    persistent: yes

- name: "Allow SELinux TCP connections on status ports"
  seport:
    ports: "{{ nginx_status_port }}"
    proto: tcp
    setype: http_port_t
    state: present
  when: nginx_status_port is defined

- name: "Allow SELinux TCP connections on Rest API ports"
  seport:
    ports: "{{ nginx_rest_api_port }}"
    proto: tcp
    setype: http_port_t
    state: present
  when: nginx_rest_api_port is defined

- name: "Allow SELinux TCP connections on specific ports"
  seport:
    ports: "{{ nginx_selinux_tcp_ports }}"
    proto: tcp
    setype: http_port_t
    state: present
  when: nginx_selinux_tcp_ports is defined

- name: "Allow SELinux UDP connections on specific ports"
  seport:
    ports: "{{ nginx_selinux_udp_ports }}"
    proto: udp
    setype: http_port_t
    state: present
  when: nginx_selinux_udp_ports is defined

- name: "Create SELinux NGINX Plus Module"
  template:
    src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
    dest: "{{ nginx_selinux_tempdir }}/nginx-plus-module.te"
    mode: 0644
  register: nginx_selinux_module

- name: "Check SELinux NGINX Plus Module"
  command: "checkmodule -M -m -o {{ nginx_selinux_tempdir }}/nginx-plus-module.mod {{ nginx_selinux_tempdir }}/nginx-plus-module.te"
  args:
    creates: "{{ nginx_selinux_tempdir }}/nginx-plus-module.mod"
  changed_when: false

- name: "Compile SELinux NGINX Plus Module"
  command: "semodule_package -o {{ nginx_selinux_tempdir }}/nginx-plus-module.pp -m {{ nginx_selinux_tempdir }}/nginx-plus-module.mod"
  args:
    creates: "{{ nginx_selinux_tempdir }}/nginx-plus-module.pp"
  changed_when: false

- name: "Import SELinux NGINX Plus Module"
  command: "semodule -i {{ nginx_selinux_tempdir }}/nginx-plus-module.pp"  # noqa 503
  changed_when: false
  when: nginx_selinux_module.changed | bool

- name: "Set SELinux mode to enforcing"
  selinux:
    state: enforcing
    policy: targeted
  changed_when: false
  when:
    - nginx_selinux_enforcing | bool
    - ansible_facts['selinux.mode'] == "permissive"