---
- name: Install nagios
  ansible.builtin.package:
    name:
      - nagios4
      - git
      - nagios-nrpe-plugin
      - python3-jinja2
      - python3-requests
      - python3-jsonschema
      - python3-pexpect

- name: Generate nagios configurations
  ansible.builtin.template:
    src: "nagios/conf.d/{{ item }}.cfg.j2"
    dest: "/etc/nagios4/conf.d/{{ item }}.cfg"
    mode: "0644"
  loop:
    - commands
    - hosts
    - hostgroups
    - services
    - templates

- name: Copy nagios contacts configuration
  ansible.builtin.template:
    src: nagios/contacts.cfg.j2
    dest: /etc/nagios4/objects/contacts.cfg
    mode: "0644"

- name: Copy check_timesyncd
  ansible.builtin.copy:
    src: files/nagios/check_timesyncd
    dest: /usr/lib/nagios/plugins/check_timesyncd
    mode: '0755'

- name: Deploy sudoers rule for nagios
  community.general.sudoers:
    name: nagios
    user: nagios
    commands:
      - /usr/lib/nagios/plugins/

- name: Clone notify-by-telegram source code
  ansible.builtin.git:
    repo: https://github.com/jouir/notify-by-telegram.git
    dest: /opt/notify-by-telegram

- name: Configure notify-by-telegram
  ansible.builtin.copy:
    content: "{{ {'auth_key': nagios_telegram_auth_key, 'chat_id': nagios_telegram_chat_id} | to_json }}"
    dest: /etc/nagios4/telegram.json
    owner: root
    group: nagios
    mode: '0640'

- name: Clone nagios-plugin-bacula source code
  ansible.builtin.git:
    repo: https://github.com/jouir/nagios-plugin-bacula.git
    dest: /opt/nagios-plugin-bacula

- name: Copy global configuration
  ansible.builtin.copy:
    src: files/nagios/nagios.cfg
    dest: /etc/nagios4/nagios.cfg
    mode: "0644"

- name: Copy CGI configuration
  ansible.builtin.copy:
    src: files/nagios/cgi.cfg
    dest: /etc/nagios4/cgi.cfg
    mode: "0644"

- name: Reload nagios
  ansible.builtin.service:
    name: nagios4
    state: reloaded
    enabled: true

- name: Configure htaccess for the web interface
  ansible.builtin.template:
    src: nagios/htdigest.users.j2
    dest: /etc/nagios4/htdigest.users
    mode: "0644"

- name: Secure Apache
  ansible.builtin.copy:
    src: files/nagios/security.conf
    dest: /etc/apache2/conf-available/security.conf
    mode: "0644"

- name: Configure vhost for the web interface
  ansible.builtin.copy:
    src: files/nagios/apache2.conf
    dest: /etc/nagios4/apache2.conf
    mode: "0644"

- name: Enable Apache modules
  ansible.builtin.command:
    cmd: "a2enmod {{ item }}"
  loop:
    - auth_digest
    - headers
    - cgi
  changed_when: true

- name: Restart apache
  ansible.builtin.service:
    name: apache2
    state: restarted
    enabled: true

- name: Allow HTTP from vpn
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    source: "{{ openvpn_subnet }}"
    destination_port: "80"
    jump: ACCEPT
    comment: allow http from vpn