- name: Install nginx
  ansible.builtin.package:
    name:
      - nginx
    state: present

- name: Setup nginx directories
  ansible.builtin.file:
    path: '{{ item }}'
    state: directory
    owner: root
    group: root
    mode: u+rw,g+r,o+r
  loop:
    - /etc/nginx/auth
    - /etc/nginx/includes
    - /etc/nginx/sites-available
    - /etc/nginx/sites-enabled

- name: Setup nginx serving directory
  ansible.builtin.file:
    path: /srv/http
    state: directory
    owner: http
    group: http
    mode: u+rw,g+rw,o+r

- name: Configure nginx
  ansible.builtin.copy:
    src: files/nginx.conf
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: u+rw,g+r,o+r
  notify:
    - Reload nginx

- name: Configure nginx logrotate
  ansible.builtin.copy:
    src: files/nginx.logrotate
    dest: /etc/logrotate.d/nginx
    owner: root
    group: root
    mode: u+rw,g+r,o+r

- name: Copy nginx certificate renewal hook
  ansible.builtin.copy:
    src: 'files/hooks/{{ item }}/nginx.sh'
    dest: '/etc/letsencrypt/renewal-hooks/{{ item }}/nginx.sh'
    owner: root
    group: root
    mode: u+rwx,g+r,o+r
  loop:
    - pre
    - post
    # There is no deploy hook and it is intentional. As we currently stop nginx
    # before renewal and start it after, so there is no need for reload.

- name: Enable nginx systemd service
  ansible.builtin.service:
    name: nginx
    enabled: true
    state: started