Install ModSecurity in installer

README.md

@@ -5,7 +5,7 @@
 
 A modern web hosting control panel for WordPress and general PHP hosting. Built with Laravel 12, Filament v5, Livewire 4, and Tailwind CSS v4.
 
-Version: 0.9-rc19 (release candidate)
+Version: 0.9-rc20 (release candidate)
 
 This is a release candidate. Expect rapid iteration and breaking changes until 1.0.
 

VERSION

@@ -1 +1 @@
-VERSION=0.9-rc19
+VERSION=0.9-rc20

install.sh

@@ -12,7 +12,7 @@
 set -e
 
 # Version - will be read from VERSION file after clone, this is fallback
-JABALI_VERSION="0.9-rc19"
+JABALI_VERSION="0.9-rc20"
 
 # Colors
 RED='\033[0;31m'
@@ -1959,6 +1959,51 @@ configure_firewall() {
 configure_security() {
     header "Configuring Security Tools"
 
+    # Install ModSecurity + CRS (optional)
+    if [[ "$INSTALL_SECURITY" == "true" ]]; then
+        info "Installing ModSecurity (optional WAF)..."
+        local module_pkg=""
+        if apt-cache show libnginx-mod-http-modsecurity2 &>/dev/null; then
+            module_pkg="libnginx-mod-http-modsecurity2"
+        elif apt-cache show libnginx-mod-http-modsecurity &>/dev/null; then
+            module_pkg="libnginx-mod-http-modsecurity"
+        elif apt-cache show nginx-extras &>/dev/null; then
+            module_pkg="nginx-extras"
+        else
+            warn "ModSecurity nginx module not available in apt repositories"
+        fi
+
+        local crs_pkg=""
+        if apt-cache show modsecurity-crs &>/dev/null; then
+            crs_pkg="modsecurity-crs"
+        fi
+
+        if [[ -n "$module_pkg" ]]; then
+            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq "$module_pkg" $crs_pkg 2>/dev/null || warn "ModSecurity install failed"
+
+            # Ensure ModSecurity base config
+            if [[ -f /etc/modsecurity/modsecurity.conf-recommended ]] && [[ ! -f /etc/modsecurity/modsecurity.conf ]]; then
+                cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
+            fi
+
+            # Create main include file for nginx if missing
+            mkdir -p /etc/nginx/modsec
+            if [[ ! -f /etc/nginx/modsec/main.conf ]]; then
+                if [[ -f /usr/share/modsecurity-crs/crs-setup.conf ]]; then
+                    cat > /etc/nginx/modsec/main.conf <<'EOF'
+Include /etc/modsecurity/modsecurity.conf
+Include /usr/share/modsecurity-crs/crs-setup.conf
+Include /usr/share/modsecurity-crs/rules/*.conf
+EOF
+                else
+                    cat > /etc/nginx/modsec/main.conf <<'EOF'
+Include /etc/modsecurity/modsecurity.conf
+EOF
+                fi
+            fi
+        fi
+    fi
+
     # Configure Fail2ban
     info "Configuring Fail2ban..."
     cat > /etc/fail2ban/jail.local << 'FAIL2BAN'