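---
# nginx provisioning tasks: add the upstream nginx.org yum repository, install
# the package, lay out vhost and sites-* directories, render the configuration
# templates and, when enabled, install TLS material and Diffie-Hellman
# parameters. Every config change notifies the nginx_reload handler, which is
# expected to be defined in the role's handlers (not in this file).

- name: Add nginx repository
  yum_repository:
    name: nginx
    file: nginx
    description: NGINX High Performance Web Server
    # Fetched over https like the signing key below; package signatures are
    # still verified because gpgcheck is on.
    baseurl: "https://nginx.org/packages/centos/{{ ansible_distribution_major_version }}/$basearch/"
    gpgkey: https://nginx.org/keys/nginx_signing.key
    gpgcheck: true

- name: Installing nginx
  yum:
    name: nginx
    state: installed

- name: Prepare vhost directories
  file:
    path: "{{ item }}"
    state: directory
    owner: nginx
    group: nginx
    # File modes are quoted so YAML does not turn the octal literal into an int.
    mode: "0750"
  with_items:
    - /var/www/vhosts
    - /var/www/vhosts/default

- name: Prepare nginx directories
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    # NOTE(review): 0640 on a directory carries no execute bit, so only root
    # (which bypasses DAC) can traverse it. The nginx master reads its config
    # as root, so this works, but 0750 is the usual directory mode — confirm
    # the intent before relying on it.
    mode: "0640"
  with_items:
    - /etc/nginx/sites-available
    - /etc/nginx/sites-enabled

- name: Add default page
  template:
    src: var/www/vhosts/default/index.html.j2
    dest: /var/www/vhosts/default/index.html
    owner: nginx
    group: nginx
    # NOTE(review): an execute bit on an HTML file is unnecessary; 0640 would
    # be the conventional mode — kept as in the original, confirm intent.
    mode: "0750"

- name: Update nginx.conf
  template:
    src: etc/nginx/nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - nginx_reload

- name: Update conf.d files
  template:
    src: "etc/nginx/conf.d/{{ item }}.j2"
    dest: "/etc/nginx/conf.d/{{ item }}"
    owner: root
    group: root
    mode: "0640"
  with_items:
    - header.conf
    - tls.conf
  notify:
    - nginx_reload

# The packaged default server block would otherwise shadow the vhost enabled
# below. Removal is not followed by a reload on its own; the template tasks
# around it trigger one whenever the configuration changes.
- name: Remove default.conf from conf.d
  file:
    path: /etc/nginx/conf.d/default.conf
    state: absent

- name: Add default page config
  template:
    src: etc/nginx/sites-available/default.j2
    dest: /etc/nginx/sites-available/default
    owner: root
    group: root
    mode: "0640"
  notify:
    - nginx_reload

- name: Enable default page
  file:
    src: /etc/nginx/sites-available/default
    dest: /etc/nginx/sites-enabled/default
    owner: root
    group: root
    state: link
  notify:
    - nginx_reload

# TLS material is passed in as variables (nginx_tls_cert,
# nginx_tls_intermediate_ca, nginx_tls_private_key) and written verbatim.
- name: Install TLS certificate and key
  block:
    - name: Copy tls certificate
      copy:
        content: "{{ nginx_tls_cert }}"
        dest: /etc/pki/tls/certs/my-chained.crt
        owner: root
        group: root
        mode: "0644"
      notify:
        - nginx_reload

    - name: Copy ssl intermediate cert
      copy:
        content: "{{ nginx_tls_intermediate_ca }}"
        dest: /etc/pki/tls/certs/my-intermediate.crt
        owner: root
        group: root
        mode: "0644"
      notify:
        - nginx_reload

    - name: Copy tls private key
      copy:
        content: "{{ nginx_tls_private_key }}"
        dest: /etc/pki/tls/private/my-private.key
        owner: root
        group: root
        mode: "0600"
      # Without no_log the key content is printed in verbose and --diff output
      # and ends up in the controller's logs.
      no_log: true
      notify:
        - nginx_reload
  become: true
  become_user: root
  when: nginx_tls_enabled

# Diffie-Hellman parameters are generated once; openssl dhparam can take a long
# time for large sizes, hence the async/poll on the generation task.
- name: Generate Diffie-Hellman parameters
  block:
    - name: Register dhparam file
      stat:
        path: "{{ nginx_dhparam_file }}"
      register: dh_file

    - name: Generate Diffie-Hellman parameter file
      # command instead of shell: no pipes or redirects are used, so the
      # templated path never passes through a shell interpreter.
      command: "/usr/bin/openssl dhparam -out '{{ nginx_dhparam_file }}' {{ nginx_dhparam_size }}"
      async: 3600
      poll: 60
      when: not dh_file.stat.exists
      notify:
        - nginx_reload
  become: true
  become_user: root
  when: nginx_pfs_enabled

# iptables_raw is a third-party module; the rule is keyed by name so repeated
# runs update rather than duplicate it.
- name: Open ports in iptables
  iptables_raw:
    name: allow_nginx_ports
    state: present
    rules: '-A INPUT -p tcp -m multiport --dports {{ nginx_open_ports|join(",") }} -j ACCEPT'

- name: Enable nginx service
  systemd:
    state: started
    daemon_reload: true
    enabled: true
    name: nginx
  become: true
  become_user: root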