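---
# Nginx reverse-proxy tasks for Home Assistant: install the TLS key pair on
# the proxy host, publish the vhost, and optionally allow the proxy's
# outbound connection to the backend.
# NOTE(review): the nesting was reconstructed from a flattened listing; the
# block-level placement of delegate_to/when/become/tags is assumed - confirm.

- block:
    - name: Copy certs and private key to nginx proxy
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        # Explicit ownership, matching the vhost template task below, so a
        # pre-existing file with a different owner is corrected.
        owner: root
        group: root
        mode: "{{ item.mode }}"
      loop:
        - src: "{{ homeassistant_tls_key_source }}"
          dest: '/etc/pki/tls/private/{{ homeassistant_nginx_tls_key_file }}'
          mode: '0600'
        - src: "{{ homeassistant_tls_cert_source }}"
          dest: '/etc/pki/tls/certs/{{ homeassistant_nginx_tls_cert_file }}'
          # Was '0750': a certificate is data, so the execute bits are
          # dropped; owner/group read access is unchanged.
          mode: '0640'
      loop_control:
        # Show only the destination path per item in the task output.
        label: "{{ item.dest }}"
      # Keep key material out of the output when the play runs with --diff.
      diff: false
      notify: __nginx_reload
  delegate_to: "{{ homeassistant_nginx_server }}"
  when: homeassistant_nginx_tls_enabled | bool
  become: true
  become_user: root
  tags: tls_renewal

- block:
    - name: Add vhost configuration file
      template:
        src: nginx/vhost.j2
        dest: "{{ homeassistant_nginx_vhost_dir }}/homeassistant"
        owner: root
        group: root
        # Quoted so the mode is never subject to YAML integer typing.
        mode: '0640'
      notify: __nginx_reload

    - name: Enable homeassistant vhost
      file:
        src: "{{ homeassistant_nginx_vhost_dir }}/homeassistant"
        dest: "{{ homeassistant_nginx_vhost_symlink }}/homeassistant"
        owner: root
        group: root
        state: link
      notify: __nginx_reload
      # Only layouts that define a separate symlink directory need the link.
      when: homeassistant_nginx_vhost_symlink is defined

    - name: Open ports in iptables
      iptables_raw:
        name: allow_homeassistant_nginx_proxy
        state: present
        # iptables resolves a hostname given to -d once, when the rule is
        # inserted; a later DNS change is not picked up until the rule is
        # reloaded.
        # NOTE(review): if homeassistant_nginx_proxy_url carries no explicit
        # port, urlsplit('port') will not yield a usable --dport value -
        # confirm the variable always includes one.
        rules: >-
          -A OUTPUT -m state --state NEW -p tcp
          -d {{ homeassistant_nginx_proxy_url | urlsplit('hostname') }}
          --dport {{ homeassistant_nginx_proxy_url | urlsplit('port') }}
          -j ACCEPT
      when:
        - homeassistant_nginx_iptables_enabled | bool
        # Was "not A or not B", which is true whenever the two names differ,
        # so the rule was also added for a proxy on the same host. The rule
        # is only wanted when the proxy runs on a different machine.
        - "homeassistant_nginx_server not in [inventory_hostname, 'localhost']"
  delegate_to: "{{ homeassistant_nginx_server }}"
  become: true
  become_user: root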