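---
# Configures the hosts in the "reverseproxy" group as an nginx reverse proxy:
# installs the package, deploys the hardening and security-header snippets,
# generates DH parameters, obtains certificates for TLS-enabled sites and
# enables or removes the per-site vhost configuration.
#
# Variables read from the inventory (not defined in this play):
#   site         - mapping of site name -> { enabled: bool, tls: bool }
#                  (item.key is used as the vhost file name and certificate domain)
#   acme_account - mapping with an "email" key and an optional "testing" key
- name: Nginx reverse proxy configuration
  hosts: reverseproxy

  handlers:
    # Restarted (not reloaded) so that changed snippets and vhosts are picked up.
    - name: Restart nginx
      ansible.builtin.service:
        name: nginx
        state: restarted

  tasks:
    - name: Makes sure the nginx package is installed
      ansible.builtin.apt:
        pkg:
          - nginx-full

    - name: Nginx security configuration template
      ansible.builtin.template:
        src: "templates/nginx/snippets/security-hardening.conf.j2"
        dest: "/etc/nginx/snippets/security-hardening.conf"
        mode: '0644'
      notify: Restart nginx

    - name: Nginx security headers configuration template
      ansible.builtin.template:
        src: "templates/nginx/snippets/security-headers.conf.j2"
        dest: "/etc/nginx/snippets/security-headers.conf"
        mode: '0644'
      notify: Restart nginx

    # 4096-bit DH parameter generation is slow on first run; the module is
    # idempotent, so later runs leave an existing file untouched.
    - name: Create dhparam files
      community.crypto.openssl_dhparam:
        path: "/etc/nginx/dhparam.pem"
        size: 4096

    # One role include per site that has tls set; the condition is a plain
    # Jinja expression, since Ansible evaluates "when" as a template already
    # and wrapping it in "{{ }}" delimiters is flagged as unsafe templating.
    - name: Certificates generation
      ansible.builtin.include_role:
        name: geerlingguy.certbot
      loop: "{{ site | dict2items }}"
      when: item.value.tls | default(False)
      vars:
        certbot_admin_email: "{{ acme_account.email }}"
        certbot_install_method: package
        certbot_auto_renew: true
        certbot_auto_renew_user: "root"
        certbot_create_if_missing: true
        # Staging ACME endpoint when acme_account.testing is set; defaults to production.
        certbot_testmode: "{{ acme_account.testing | default(False) }}"
        certbot_certs:
          - name: "{{ item.key }}"
            domains:
              - "{{ item.key }}"

    - name: Nginx website configuration template
      ansible.builtin.template:
        src: "templates/nginx/sites-available/default-reverse.j2"
        dest: "/etc/nginx/sites-available/{{ item.key }}"
        mode: '0644'
      loop: "{{ site | dict2items }}"
      when: item.value.enabled
      notify: Restart nginx

    - name: Removing disabled websites from nginx configuration
      ansible.builtin.file:
        path: "/etc/nginx/sites-available/{{ item.key }}"
        state: absent
      loop: "{{ site | dict2items }}"
      when: not item.value.enabled

    - name: Disable websites in nginx configuration
      ansible.builtin.file:
        path: "/etc/nginx/sites-enabled/{{ item.key }}"
        state: absent
      loop: "{{ site | dict2items }}"
      when: not item.value.enabled
      notify: Restart nginx

    # Symlink into sites-enabled; the target was rendered by the template task above.
    - name: Enable websites in nginx configuration
      ansible.builtin.file:
        src: "/etc/nginx/sites-available/{{ item.key }}"
        dest: "/etc/nginx/sites-enabled/{{ item.key }}"
        state: link
      loop: "{{ site | dict2items }}"
      when: item.value.enabled
      notify: Restart nginx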