---
#
# Install/run logstash for browbeat
#

- name: Copy logstash yum repo file
  copy:
    src=logstash.repo
    dest=/etc/yum.repos.d/logstash.repo
    owner=root
    group=root
    mode=0644
  become: true

- name: Install logstash rpms
  package:
    name: "{{ item }}"
    state: present
  become: true
  with_items:
    - logstash

- name: Copy logstash input filters
  copy:
    src=01-lumberjack-input.conf
    dest=/etc/logstash/conf.d/01-lumberjack-input.conf
    owner=root
    group=root
    mode=0644
  become: true

- name: Copy logstash output filters
  copy:
    src=30-elasticsearch-output.conf
    dest=/etc/logstash/conf.d/30-lumberjack-output.conf
    owner=root
    group=root
    mode=0644
  become: true

- name: Copy logstash syslog filters
  copy:
    src=10-syslog.conf
    dest=/etc/logstash/conf.d/10-syslog.conf
    owner=root
    group=root
    mode=0644
  become: true

- name: Copy logstash local syslog filter
  copy:
    src=10-syslog-filter.conf
    dest=/etc/logstash/conf.d/10-syslog-filter.conf
    owner=root
    group=root
    mode=0644
  become: true
  register: logstash_needs_restart

- name: Copy filebeat input filter
  template:
    src=02-beats-input.conf.j2
    dest=/etc/logstash/conf.d/02-beats-input.conf
    owner=root
    group=root
    mode=0644
  become: true

- name: Load OpenSSL CA Extended Configuration
  template:
    src=openssl_extras.cnf.j2
    dest=/etc/pki/tls/openssl_extras.cnf
    owner=root
    group=root
    mode=0644
  become: true

- name: Check OpenSSL SANs (SubjectAltName) entry for CA
  shell: grep "{{ ansible_default_ipv4.address }}" /etc/pki/tls/openssl.cnf | wc -l
  ignore_errors: true
  register: subjectAltName_exists
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
    # Need to understand if an entry exists
    - skip_ansible_lint

- name: Add OpenSSL SANs (SubjectAltName) entry for CA
  lineinfile:
    dest: /etc/pki/tls/openssl.cnf
    line: 'subjectAltName = "{{ ansible_default_ipv4.address }}"'
    regexp: '^ Extensions for a typical CA'
    insertbefore: '# Extensions for a typical CA'
    backup: yes
  when: subjectAltName_exists.stdout|int == 0

- name: Load filebeat JSON index template
  uri:
    url: http://localhost:9200/_template/filebeat?pretty
    method: POST
    body: "{{ lookup('file', 'filebeat-index-template.json') }}"
    body_format: json
  ignore_errors: true
  become: true

- name: Enable logstash service
  service: name=logstash state=started enabled=true
  become: true

# we need TCP/80 and TCP/8080 open
# determine firewall status and take action
# 1) use firewall-cmd if firewalld is utilized
# 2) insert iptables rule if iptables is used

# Firewalld
- name: Determine if firewalld is in use
  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
  ignore_errors: true
  register: firewalld_in_use
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
    # Check if firewall is enabled
    - skip_ansible_lint

- name: Determine if firewalld is active
  shell: systemctl is-active firewalld.service | grep -vq inactive
  ignore_errors: true
  register: firewalld_is_active
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
    # Check if firewall is active
    - skip_ansible_lint

- name: Determine if TCP/{{logstash_syslog_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{logstash_syslog_port}}/tcp"
  ignore_errors: true
  register: firewalld_logstash_syslog_port_exists
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
    # Need to validate if port already configured
    - skip_ansible_lint

# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{logstash_syslog_port}} (firewalld)
  command: "{{ item }}"
  with_items:
    - firewall-cmd --zone=public --add-port={{logstash_syslog_port}}/tcp --permanent
    - firewall-cmd --reload
  ignore_errors: true
  become: true
  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_logstash_syslog_port_exists.rc != 0

# iptables-services
- name: check firewall rules for TCP/{{logstash_syslog_port}} (iptables-services)
  shell: grep "dport {{logstash_syslog_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
  register: iptables_logstash_syslog_port_exists
  failed_when: iptables_logstash_syslog_port_exists == 127
  tags:
    # Skip ANSIBLE0012 Commands should not change things if nothing needs doing
    # Need to validate if port already configured
    - skip_ansible_lint

- name: Add firewall rule for TCP/{{logstash_syslog_port}} (iptables-services)
  lineinfile:
    dest: /etc/sysconfig/iptables
    line: '-A INPUT -p tcp -m tcp --dport {{logstash_syslog_port}} -j ACCEPT'
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_logstash_syslog_port_exists.stdout|int == 0
  register: iptables_needs_restart

- name: Restart iptables-services for TCP/{{logstash_syslog_port}} (iptables-services)
  shell: systemctl restart iptables.service
  ignore_errors: true
  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
  tags:
    # Skip ANSIBLE0013 Use shell only when shell functionality is required
    # No systemctl module available in current stable release (Ansible 2.1)
    - skip_ansible_lint