---
- name: service facts
  service_facts:
- name: service name is apache2
  set_fact:
    apache_service: "apache2"
  when:
    - "services['apache2.service'] is defined"
    - "services['apache2.service'].state == 'running'"
- name: service name is httpd
  set_fact:
    apache_service: "httpd"
  when:
    - "services['httpd.service'] is defined"
    - "services['httpd.service'].state == 'running'"

- name: include debian/ubuntu specific
  include_tasks: debian.yml
  when: (ansible_distribution == "Debian" or ansible_distribution == "Ubuntu")

- name: include redhat specific
  include_tasks: redhat.yml
  when: ansible_distribution == "RedHat"

- name: hardening apache
  when:
    - apache_service is defined
  block:

    - name: security.conf ServerTokens, debian11-99 ubuntu20-99 redhat
      lineinfile:
        dest: /etc/apache2/conf-available/security.conf
        regexp: "^ServerTokens"
        line: "ServerTokens Prod"
      when: 
        - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
          (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) or
          ansible_distribution == "RedHat"
      notify: restart_apache


    - name: security.conf ServerSignature, debian11-99 ubuntu20-99 redhat
      lineinfile:
        dest: /etc/apache2/conf-available/security.conf
        regexp: "^ServerSignature"
        line: "ServerSignature Off"
      when: 
        - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
          (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) or
          ansible_distribution == "RedHat"
      notify: restart_apache


# vim: set tabstop=2 shiftwidth=2 expandtab smarttab: