debian-opensuse.yml

---

- name: Debian | Ensure apt-transport-https is present
  ansible.builtin.package:
    name: apt-transport-https
    state: present
  register: pkg_result
  until: pkg_result is success

- name: Debian | Set opensuse repo url
  ansible.builtin.set_fact:
    opensuse_url: "https://download.opensuse.org/repositories/security:/zeek/Debian_{{ ansible_distribution_major_version }}"
  when: ansible_distribution == 'Debian'

- name: Ubuntu | Set opensuse repo url
  ansible.builtin.set_fact:
    opensuse_url: "https://download.opensuse.org/repositories/security:/zeek/xUbuntu_{{ ansible_distribution_version }}"
  when: ansible_distribution == 'Ubuntu'

- name: Opensuse repository
  when: >
    (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int >= 20) or
    (ansible_distribution == "Debian" and ansible_distribution_major_version | int >= 11)
  block:
    - name: Debian | Add zeek repository key
      ansible.builtin.apt_key:
        url: >
          {{ opensuse_url }}/Release.key
        state: present
      register: pkg_result
      until: pkg_result is success
      when:
        - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int <= 18) or
          (ansible_distribution == "Debian" and ansible_distribution_major_version | int > 10)

    - name: Setup Opensuse Zeek APT key
      ansible.builtin.get_url:
        url: https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key
        dest: /etc/apt/trusted.gpg.d/security_zeek.asc
        mode: '0644'
      register: dl_result
      until: dl_result is success
      when:
        - proxy_url is not defined or not proxy_url | string
        - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int > 18)

    - name: Proxy
      when:
        - proxy_url is defined and proxy_url | string
        - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int > 18)
      block:
        # workaround for apt_key not supporting proxy (ansible#31691)
        - name: Download Opensuse Zeek Apt signing key  # noqa command-instead-of-module
          ansible.builtin.shell:
            cmd: |
              set -o pipefail
              curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.asc > /dev/null
          args:
            creates: /etc/apt/trusted.gpg.d/security_zeek.asc
            executable: /bin/bash
          environment:
            http_proxy: "{{ proxy_url | default(omit) }}"

    - name: Debian | Add zeek repository
      ansible.builtin.apt_repository:
        repo: >
          deb {{ opensuse_url }}/ /
        state: present
      register: pkg_result
      until: pkg_result is success
    - name: Use Zeek opensuse variable
      ansible.builtin.include_vars: opensuse.yml

- name: Debian distrib | Set fact
  ansible.builtin.set_fact:
    zeek_opensuse_packages_all: "{{ broids_packages + broids_packages_deps + broids_packages_deps_debian }}"
  when: ansible_distribution == "Debian"
- name: Ubuntu distrib | Set fact
  ansible.builtin.set_fact:
    zeek_opensuse_packages_all: "{{ broids_packages + broids_packages_deps + broids_packages_deps_ubuntu }}"
  when: ansible_distribution == "Ubuntu"
## WARNING: The following packages cannot be authenticated! = force
- name: Debug | broids_packages
  ansible.builtin.debug:
    var: broids_packages
- name: Debug | broids_packages_deps
  ansible.builtin.debug:
    var: broids_packages_deps
- name: Debian/Ubuntu | Install Zeek and dependencies
  ansible.builtin.apt:
    name: "{{ zeek_opensuse_packages_all }}"
    state: "present"
    update_cache: "yes"
    cache_valid_time: "3600"
    force: "yes"
  register: pkg_result
  until: pkg_result is success

- name: Update zeek port
  ansible.builtin.lineinfile:
    dest: "{{ broids_ctlcfg }}"
    regexp: "{{ item.re }}"
    line: "{{ item.rep }}"
    mode: '0644'
    backup: yes
  with_items:
    - { re: '^ZeekPort = .*', rep: "ZeekPort = {{ zeek_port }}" }
  when:
    zeek_port|string and (
      (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int >= 20) or
      (ansible_distribution == "Debian" and ansible_distribution_major_version | int >= 11)
    )

- name: Update zeekctl LogDir
  ansible.builtin.replace:
    dest: "{{ broids_ctlcfg }}"
    regexp: "{{ item.re }}"
    replace: "{{ item.rep }}"
    mode: '0644'
    backup: yes
  with_items:
    - { re: '^LogDir = .*', rep: "LogDir = {{ broids_log }}" }
  when:
    - broids_ctlcfg|string

- name: Enable zeekctl MailConnectionSummary
  ansible.builtin.replace:
    dest: "{{ broids_ctlcfg }}"
    regexp: "^MailConnectionSummary = .*"
    replace: "MailConnectionSummary = 1"
    mode: '0644'
    backup: yes
  when:
    - bro_email_notification
    - broids_ctlcfg|string
- name: Disable zeekctl MailConnectionSummary
  ansible.builtin.replace:
    dest: "{{ broids_ctlcfg }}"
    regexp: "^MailConnectionSummary = .*"
    replace: "MailConnectionSummary = 0"
    mode: '0644'
    backup: yes
  when:
    - not bro_email_notification
    - broids_ctlcfg|string

- name: Ensure aide hids directory exists
  ansible.builtin.file:
    dest: /etc/aide/aide.conf.d
    state: directory
    mode: '0755'
- name: Add custom configuration for aide HIDS
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/aide/aide.conf.d"
    owner: "root"
    mode: "0644"
  with_items:
    - aide-criticalstack

## from https://github.com/geerlingguy/drupal-vm/pull/456/files#diff-b1546b21a9366075f1e1245d7551eee6R11
- name: Detect if AppArmor is installed.
  ansible.builtin.stat:
    path: /etc/init.d/apparmor
  register: apparmor_installed
  when: travisci is defined and travisci

- name: Ensure MySQL AppArmor profile is disabled (for slow query log).
  ansible.builtin.file:
    path: /etc/apparmor.d/disable/usr.sbin.mysqld
    src: /etc/apparmor.d/usr.sbin.mysqld
    mode: '0644'
    state: link
  when: travisci is defined and travisci and apparmor_installed.stat.exists
  notify:
    - Restart apparmor