---
- name: (CentOS/RHEL) Install dependencies
  block:
    - name: (CentOS/RHEL 6/7) Install dependencies
      yum:
        name:
          - policycoreutils-python
          - setools
      when: ansible_facts['distribution_major_version'] is version('8', '!=')

    - name: (CentOS/RHEL 8) Install dependencies
      yum:
        name:
          - libselinux-utils
          - policycoreutils
          - selinux-policy-targeted
      when: ansible_facts['distribution_major_version'] is version('8', '==')
  when: ansible_facts['os_family'] == "RedHat"

- name: Set SELinux mode to permissive
  selinux:
    state: permissive
    policy: targeted

- name: Allow SELinux HTTP network connections
  seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true

- name: Allow SELinux HTTP network connections
  seboolean:
    name: httpd_can_network_relay
    state: true
    persistent: true

- name: (DEPRECATED) Allow SELinux TCP connections on status ports
  seport:
    ports: "{{ nginx_status_port }}"
    proto: tcp
    setype: http_port_t
    state: present
  when: nginx_status_port is defined

- name: (DEPRECATED) Allow SELinux TCP connections on Rest API ports
  seport:
    ports: "{{ nginx_rest_api_port }}"
    proto: tcp
    setype: http_port_t
    state: present
  when: nginx_rest_api_port is defined

- name: Allow SELinux TCP connections on specific ports
  seport:
    ports: "{{ nginx_selinux_tcp_ports }}"
    proto: tcp
    setype: http_port_t
    state: present
  when: nginx_selinux_tcp_ports is defined

- name: Allow SELinux UDP connections on specific ports
  seport:
    ports: "{{ nginx_selinux_udp_ports }}"
    proto: udp
    setype: http_port_t
    state: present
  when: nginx_selinux_udp_ports is defined

- name: Create SELinux NGINX Plus module
  template:
    src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
    dest: "{{ nginx_selinux_tempdir }}/nginx-plus-module.te"
    mode: 0644
  register: nginx_selinux_module

- name: Check SELinux NGINX Plus module
  command: "checkmodule -M -m -o {{ nginx_selinux_tempdir }}/nginx-plus-module.mod {{ nginx_selinux_tempdir }}/nginx-plus-module.te"
  args:
    creates: "{{ nginx_selinux_tempdir }}/nginx-plus-module.mod"
  changed_when: false

- name: Compile SELinux NGINX Plus module
  command: "semodule_package -o {{ nginx_selinux_tempdir }}/nginx-plus-module.pp -m {{ nginx_selinux_tempdir }}/nginx-plus-module.mod"
  args:
    creates: "{{ nginx_selinux_tempdir }}/nginx-plus-module.pp"
  changed_when: false

- name: Import SELinux NGINX Plus module
  command: "semodule -i {{ nginx_selinux_tempdir }}/nginx-plus-module.pp"  # noqa no-handler
  changed_when: false
  when: nginx_selinux_module.changed | bool

- name: Set SELinux mode to enforcing
  selinux:
    state: enforcing
    policy: targeted
  when: nginx_selinux_enforcing | bool