From 02c756d077d2eec9b55a5602b76591527e41923e Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 28 Jan 2026 19:35:34 +0200
Subject: [PATCH] Install ModSecurity in installer
---
 README.md | 2 +-
 VERSION | 2 +-
 install.sh | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 48 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 88a87f3..107b305 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ A modern web hosting control panel for WordPress and general PHP hosting. Built with Laravel 12, Filament v5, Livewire 4, and Tailwind CSS v4.
-Version: 0.9-rc19 (release candidate)
+Version: 0.9-rc20 (release candidate)
 This is a release candidate. Expect rapid iteration and breaking changes until 1.0.
diff --git a/VERSION b/VERSION
index 66db36f..8ba4fa6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-VERSION=0.9-rc19
+VERSION=0.9-rc20
diff --git a/install.sh b/install.sh
index 6abeb61..6b7b741 100755
--- a/install.sh
+++ b/install.sh
@@ -12,7 +12,7 @@ set -e
 # Version - will be read from VERSION file after clone, this is fallback
-JABALI_VERSION="0.9-rc19"
+JABALI_VERSION="0.9-rc20"
 # Colors
 RED='\033[0;31m'
@@ -1959,6 +1959,51 @@ configure_firewall() {
 configure_security() {
 header "Configuring Security Tools"
+ # Install ModSecurity + CRS (optional)
+ if [[ "$INSTALL_SECURITY" == "true" ]]; then
+ info "Installing ModSecurity (optional WAF)..."
+ local module_pkg=""
+ if apt-cache show libnginx-mod-http-modsecurity2 &>/dev/null; then
+ module_pkg="libnginx-mod-http-modsecurity2"
+ elif apt-cache show libnginx-mod-http-modsecurity &>/dev/null; then
+ module_pkg="libnginx-mod-http-modsecurity"
+ elif apt-cache show nginx-extras &>/dev/null; then
+ module_pkg="nginx-extras"
+ else
+ warn "ModSecurity nginx module not available in apt repositories"
+ fi
+
+ local crs_pkg=""
+ if apt-cache show modsecurity-crs &>/dev/null; then
+ crs_pkg="modsecurity-crs"
+ fi
+
+ if [[ -n "$module_pkg" ]]; then
+ DEBIAN_FRONTEND=noninteractive apt-get install -y -qq "$module_pkg" $crs_pkg 2>/dev/null || warn "ModSecurity install failed"
+
+ # Ensure ModSecurity base config
+ if [[ -f /etc/modsecurity/modsecurity.conf-recommended ]] && [[ ! -f /etc/modsecurity/modsecurity.conf ]]; then
+ cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
+ fi
+
+ # Create main include file for nginx if missing
+ mkdir -p /etc/nginx/modsec
+ if [[ ! -f /etc/nginx/modsec/main.conf ]]; then
+ if [[ -f /usr/share/modsecurity-crs/crs-setup.conf ]]; then
+ cat > /etc/nginx/modsec/main.conf <<'EOF'
+Include /etc/modsecurity/modsecurity.conf
+Include /usr/share/modsecurity-crs/crs-setup.conf
+Include /usr/share/modsecurity-crs/rules/*.conf
+EOF
+ else
+ cat > /etc/nginx/modsec/main.conf <<'EOF'
+Include /etc/modsecurity/modsecurity.conf
+EOF
+ fi
+ fi
+ fi
+ fi
+
 # Configure Fail2ban
 info "Configuring Fail2ban..."
 cat > /etc/fail2ban/jail.local << 'FAIL2BAN'
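Review bot: ModSecurity can end up installed but not enforcing after this block runs, and the installer reports nothing about it. The `else` branch that writes `main.conf` with only `Include /etc/modsecurity/modsecurity.conf` loads no CRS rules and emits no `warn`, and it is taken whenever `crs-setup.conf` is not at `/usr/share/modsecurity-crs/` (check the packaged path with `dpkg -L modsecurity-crs`). `modsecurity.conf-recommended` is copied unchanged, and upstream ships it with `SecRuleEngine DetectionOnly`, so unless code outside this hunk changes the mode, requests are logged but not blocked. Because `apt-get install ... 2>/dev/null || warn "ModSecurity install failed"` does not stop the block, `main.conf` is also written after a failed install and, being created only when missing, is not regenerated on a later run. I would gate the config steps on the install succeeding (`if DEBIAN_FRONTEND=noninteractive apt-get install -y -qq "$module_pkg" $crs_pkg; then`), add `warn "OWASP CRS not found; ModSecurity will run without rules"` in the `else` branch, and state the intended engine mode in a comment; `configure_security` continues past the end of the hunk.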