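---
# Configure a Suricata IDS sensor that captures on {{ sniffnic }} (af-packet).
#
# Expected extra vars:
#   target   - inventory host pattern
#   become   - whether to escalate privileges
#   sniffnic - capture interface; 'wt0' selects the netbird local rules,
#              'wg0' the wireguard ones (any other value installs no local rules)
#
# Only Suricata 7.0 and 8.0 are supported (each has its own config template).
- name: setup suricata
  gather_facts: false
  hosts: "{{ target }}"
  become: "{{ become }}"
  tasks:
    # todo - check absolute ruleset path (/var/lib/suricata/rules/suricata.rules)
    - name: check suricata is installed
      ansible.builtin.shell:
        executable: /bin/bash
        # fails the play early when no executable suricata is on PATH
        cmd: '[[ -x "$(command -v suricata)" ]]'
      changed_when: false
      check_mode: false

    # Force the interface at run-time just in case changes in config are not enough.
    # The override lives in a systemd drop-in rather than in the vendor unit file:
    # editing /usr/lib/systemd/system/suricata.service gets silently undone by the
    # next package upgrade, which would put the sensor back on the packaged
    # ExecStart (wrong interface, checksum validation re-enabled).
    # -k none disables checksum validation (presumably because of checksum
    # offload on the tunnel interface - confirm before changing).
    # todo - handle different path when suricata is built from source
    - name: systemd drop-in directory for suricata
      ansible.builtin.file:
        path: /etc/systemd/system/suricata.service.d
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: disable checksums overall and force interface at run-time
      ansible.builtin.copy:
        dest: /etc/systemd/system/suricata.service.d/override.conf
        owner: root
        group: root
        mode: "0644"
        # the empty ExecStart= resets the vendor value before the new one is set
        content: |
          [Service]
          ExecStart=
          ExecStart=/usr/bin/suricata --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid --user suricata --group suricata -k none -i {{ sniffnic }}
      diff: true
      notify: reload unit files and restart suricata

    # e.g. This is Suricata version 7.0.8 RELEASE
    # e.g. This is Suricata version 8.0.0-dev (d63ad75d9 2025-01-23)
    # -> major.minor only ("7.0", "8.0")
    - name: define suricata version
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "suricata -V | awk '{print $5}' | cut -f1,2 -d."
      register: suricata_version
      changed_when: false
      check_mode: false

    - name: show detected suricata version
      ansible.builtin.debug:
        var: suricata_version.stdout

    - name: only suricata 7.0 and 8.0 have a config template
      ansible.builtin.assert:
        that:
          - suricata_version.stdout in ['7.0', '8.0']
        fail_msg: "unsupported suricata version '{{ suricata_version.stdout }}'"

    - name: suricata 7.0 config templates
      ansible.builtin.template:
        src: templates/suricata70.yaml
        dest: /etc/suricata/suricata.yaml
        owner: root
        group: root
        mode: "0644"
      notify: restart suricata
      diff: true
      when: suricata_version.stdout == '7.0'

    - name: suricata 8.0 config templates
      ansible.builtin.template:
        src: templates/suricata80.yaml
        dest: /etc/suricata/suricata.yaml
        owner: root
        group: root
        mode: "0644"
      notify: restart suricata
      diff: true
      when: suricata_version.stdout == '8.0'

    - name: disable false-positives and such
      ansible.builtin.copy:
        src: disable.conf
        dest: /etc/suricata/disable.conf
        owner: root
        group: root
        mode: "0644"
      notify: restart suricata
      diff: true

    # Both local rule sets land on the same path; the interface name selects one.
    - name: suricata local rules for netbird
      ansible.builtin.copy:
        src: suricata.local.netbird
        dest: /etc/suricata/suricata.local
        owner: root
        group: root
        mode: "0644"
      notify: restart suricata
      diff: true
      when: sniffnic == 'wt0'

    - name: suricata local rules for wireguard
      ansible.builtin.copy:
        src: suricata.local.wireguard
        dest: /etc/suricata/suricata.local
        owner: root
        group: root
        mode: "0644"
      notify: restart suricata
      diff: true
      when: sniffnic == 'wg0'

    ## Non-systemd hosts are not handled (a RESTART-SURICATA init-script fallback
    ## used to be sketched here: detect the unit with
    ## `systemctl list-unit-files suricata.service` and install
    ## templates/RESTART-SURICATA when absent). Kept as a reminder only.

    # NOTE(review): this enables and fetches every non-commercial ruleset from the
    # public suricata-update index at deploy time, i.e. third-party rule content
    # is pulled over the network on each run. Pin the source list if a reproducible
    # ruleset is required.
    - name: update and enable sources + rules
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: |
          set -e
          echo -n updating sources ...
          suricata-update -q update-sources && echo done
          # pair "Name:" and "License:" lines, drop Commercial ones, keep the name
          # strip out colors - https://stackoverflow.com/a/18000433
          foss_sources=`suricata-update list-sources | grep -E 'Name|License' | cut -f2 -d: | paste -d " " - - | sort -V | \
            grep -v Commercial | awk '{print $1}' | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2};?)?)?[mGK]//g"`
          for foss_source in $foss_sources; do
            echo -n enable source "$foss_source" ...
            # inside an && list set -e does not abort, so say so instead of silently going on
            suricata-update -q enable-source "$foss_source" >/dev/null && echo done || echo FAILED
          done; unset foss_source
          echo -n updating rules ...
          suricata-update -q && echo done
          # the cron job below only works around the truncated-packets alert;
          # the rule itself must stay disabled (commented out) in the merged ruleset
          echo -n checking ipv4 truncated packets rule is disabled ...
          grep sid:2200003 /var/lib/suricata/rules/suricata.rules | grep ^# >/dev/null && echo done
      register: suricata_update

    - name: suricata-update output
      ansible.builtin.debug:
        var: suricata_update.stdout
      when: suricata_update.stdout != ''

    - name: suricata-update errors
      ansible.builtin.debug:
        var: suricata_update.stderr
      when: suricata_update.stderr != ''

    - name: suricata is up
      ansible.builtin.service:
        name: suricata
        enabled: true
        state: started
      diff: true

    #
    # cron job
    #
    # root-only: the script restarts services, nobody else needs to read it
    - name: deploy RESTART-NO4-TRUNCATED script
      ansible.builtin.copy:
        content: |
          #!/bin/bash
          systemctl restart suricata
          systemctl restart fluent-bit
        dest: /root/RESTART-NO4-TRUNCATED
        owner: root
        group: root
        mode: "0700"
      diff: true

    # Spread the minute per host so the vpn gateways don't cycle suricata at the
    # same time. Seeding with the hostname keeps the value stable across runs
    # (an unseeded random minute would rewrite the crontab on every play).
    - name: avoid suricata ipv4 truncated pkts
      ansible.builtin.cron:
        name: "avoid suricata ipv4 truncated pkts"
        minute: "{{ 60 | random(seed=inventory_hostname) }}"
        # silent - stdout and stderr goes local mail
        job: "/root/RESTART-NO4-TRUNCATED"
      diff: true

  handlers:
    - name: restart suricata
      ansible.builtin.systemd:
        name: suricata.service
        state: restarted

    # needed after the drop-in changes, otherwise systemd keeps the old ExecStart
    - name: reload unit files and restart suricata
      ansible.builtin.systemd:
        name: suricata.service
        state: restarted
        daemon_reload: true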