infrastructure/roles/nginx/tasks/main.yml

- name: Install nginx
  pacman: name=nginx,nginx-mod-brotli state=present

- name: Install extra nginx modules
  pacman: name={{ nginx_extra_modules | map(attribute='name') | map('regex_replace', '^', 'nginx-mod-') }} state=present

- name: Install nginx.service snippet
  copy: src=nginx.service.d dest=/etc/systemd/system owner=root group=root mode=0644

- name: Configure nginx
  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root mode=0644
  notify:
    - Reload nginx

- name: Snippets directories
  file: state=directory path=/etc/nginx/{{ item }} owner=root group=root mode=0755
  with_items:
    - toplevel-snippets
    - snippets

- name: Copy snippets
  template: src={{ item }} dest=/etc/nginx/snippets/{{ item | regex_replace('\\.j2$', '') }} owner=root group=root mode=0644
  with_items:
    - letsencrypt.conf
    - sslsettings.conf
    - headers.conf
    - listen-443.conf.j2
  notify:
    - Reload nginx

- name: Install cert renewal hook
  template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/nginx owner=root group=root mode=0755
  when: "'certbot' in ansible_play_role_names"

- name: Create nginx.d directory
  file: state=directory path=/etc/nginx/nginx.d owner=root group=root mode=0755

- name: Create auth directory
  file: state=directory path=/etc/nginx/auth owner=root group=root mode=0755

- name: Create maps directory
  file: state=directory path=/etc/nginx/maps owner=root group=root mode=0755

- name: Create default nginx log directory
  file: state=directory path=/var/log/nginx/default owner=root group=root mode=0755

- name: Create unique DH group
  command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem

- name: Create directory to store validation stuff in
  file: owner=root group=http mode=0750 path={{ letsencrypt_validation_dir }} state=directory

- name: Install logrotate config
  copy: src=logrotate.conf dest=/etc/logrotate.d/nginx-ansible owner=root group=root mode=0644

- name: Install inventory_hostname vhost
  template: src=nginx-hostname-vhost.conf.j2 dest=/etc/nginx/nginx.d/nginx-hostname-vhost.conf owner=root group=root mode=0644
  notify:
    - Reload nginx
  tags: ['nginx']

- name: Enable nginx
  service: name=nginx enabled=yes

- name: Open firewall holes
  ansible.posix.firewalld: service={{ item }} zone={{ nginx_firewall_zone }} permanent=true state=enabled immediate=yes
  with_items:
    - http
    - https
    - "{{ 'http3' if nginx_enable_http3 else omit }}"
  when: configure_firewall
  tags:
    - firewall