Adding geoip module and instituting a deny variable for vhosts to consume

roles/WebServer/tasks/main.yml

@@ -9,6 +9,7 @@
      - nginx
      - libmodsecurity
      - nginx-mod-modsecurity
+     - nginx-mod-geoip2
      - php
      - php-fpm
 
@@ -103,6 +104,27 @@
      mode: 0660
    register: secconf
 
+ - name: Populate GeoIP config
+   become: yes
+   template:
+     src: conf/geoip.conf.j2
+     dest: /etc/nginx/conf/geoip.conf
+     owner: http
+     group: http
+     mode: 0660
+   register: geoipconf
+
+ - name: Ensure MaxMindDB is present
+   become: yes
+   file:
+     path: /etc/nginx/conf/maxmind-geoip2.mmdb
+     state: file
+     owner: http
+     group: http
+     mode: 0440
+     # This requires a https://maxmind.com/ account, so the source will have to come from that site.
+     # This file should be the current country database.
+
  - name: Clone OWASP-CRS
    ignore_errors: true
    become: yes
@@ -148,7 +170,7 @@
 
  - name: Ensure service is started
    become: yes
-   when: conf.changed or confd.changed or secconf.changed or baseconf.changed or modsecconf.changed
+   when: conf.changed or confd.changed or geoipconf.changed or secconf.changed or baseconf.changed or modsecconf.changed
    service:
      name: "{{ item }}"
      enabled: yes