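---
# Installs ulogd2 on Debian/Ubuntu hosts and adds two NFLOG plugin stacks
# (netlink group 11 = IPv4, group 12 = IPv6) to /etc/ulogd.conf so that
# iptables/ip6tables NFLOG targets are written to dedicated log files.
#
# Expected variables (defined outside this file): apt_update,
# apt_update_cache_valid_time, apt_dpkg_configure, optionally
# apt_config_updated (a registered result from an earlier play).
- hosts: extra_hosts
  tasks:
    - name: (apt.yml) apt update
      apt:
        update_cache: true
        # Force a refresh when an earlier play changed the apt configuration;
        # otherwise honour the configured cache validity window.
        cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
      when: apt_update | bool

    # Finish any half-configured packages before installing.  The former
    # `args: warn: false` was dropped: the `warn` option was removed from the
    # command module in ansible-core 2.14 and makes the task fail there, and
    # dpkg is not on the list of commands the warning covered anyway.
    - name: (apt.yml) dpkg --configure
      command: dpkg --configure -a
      register: _dpkg_configure
      # dpkg prints a line per package it configures; no output means nothing
      # was pending.
      changed_when: _dpkg_configure.stdout_lines | length > 0
      when: apt_dpkg_configure | bool

    - name: Install ulogd2
      apt:
        name: ulogd2
        state: present
        default_release: "{{ ansible_distribution_release }}"
      tags:
        - ulogd
        - apt-ulogd

    - name: Check if file '/etc/ulogd.conf.ORIG' exists
      stat:
        path: /etc/ulogd.conf.ORIG
      register: ulogd_conf_orig_exists
      tags:
        - ulogd

    # One-time backup of the distribution config, never overwritten afterwards.
    # `cp -p` keeps the original's mode/owner so the backup is not left more
    # readable than the file it copies; `creates` is a second guard against
    # clobbering an existing backup.
    - name: Backup existing file /etc/ulogd.conf
      command: cp -p /etc/ulogd.conf /etc/ulogd.conf.ORIG
      args:
        creates: /etc/ulogd.conf.ORIG
      when: not ulogd_conf_orig_exists.stat.exists
      tags:
        - ulogd

    # The two grep checks below use the task's changed state to mean "string
    # is absent": rc 0 -> present, rc 1 -> absent (reported as changed),
    # rc >= 2 -> grep error (failed).  check_mode is disabled so the registered
    # result exists in --check runs and the `is changed` guards can evaluate.
    - name: Check if String 'stack=firewall11=..' is present
      command: grep -q -E "^\s*stack=firewall11" /etc/ulogd.conf
      register: stack_firewall11_present
      failed_when: stack_firewall11_present.rc > 1
      changed_when: stack_firewall11_present.rc > 0
      check_mode: false
      tags:
        - ulogd

    - name: Adjust file '/etc/ulogd.conf' 1/2
      blockinfile:
        path: /etc/ulogd.conf
        # Place the new stacks right after the existing plugin= lines.
        insertafter: '^#?\s*plugin="/usr/lib'
        block: |
          # ====================================================================
          # Define two new plugin stacks inside for iptables logging
          # ====================================================================
          # -
          # - firewall11 - for IPv4 Firewall
          # - firewall12 - for IPv6 Firewall
          # -
          stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU
          stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU
        marker: "# {mark} ANSIBLE MANAGED BLOCK 1/2"
        state: present
      when: stack_firewall11_present is changed
      notify: Restart ulogd
      tags:
        - ulogd

    - name: Check if String '[firewall11]' is present
      command: grep -q -E "^\s*\[firewall11\]" /etc/ulogd.conf
      register: stack_group_firewall11_present
      failed_when: stack_group_firewall11_present.rc > 1
      changed_when: stack_group_firewall11_present.rc > 0
      check_mode: false
      tags:
        - ulogd

    - name: Adjust file '/etc/ulogd.conf' 2/2
      blockinfile:
        path: /etc/ulogd.conf
        insertafter: EOF
        block: |
          # =========================================================
          # Define input plugins using specified netlink group inside
          # =========================================================
          [firewall11]
          group=11
          [firewall12]
          group=12
          # =====================
          # Define output plugins
          # =====================
          [emu11]
          file="/var/log/ulog/iptables.log"
          sync=1
          [emu12]
          file="/var/log/ulog/ip6tables.log"
          sync=1
        marker: "# {mark} ANSIBLE MANAGED BLOCK 2/2"
        state: present
      when: stack_group_firewall11_present is changed
      notify: Restart ulogd
      tags:
        - ulogd

    # Strip the blockinfile markers from the final file.  Without markers
    # blockinfile can no longer update or remove these blocks on later runs;
    # idempotency relies entirely on the grep guards above.
    - name: Remove marker
      replace:
        path: /etc/ulogd.conf
        regexp: "^#.*ANSIBLE MANAGED BLOCK.*$"
        replace: ""
      tags:
        - ulogd

  handlers:
    - name: Restart ulogd
      service:
        name: ulogd
        state: restarted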