ansible-ffibk/roles/service-nginx/tasks/main.yml


---
# Import the nginx.org package signing key so apt can verify packages from
# the upstream repository. The key is downloaded over HTTPS and only accepted
# if it matches `id`.
# NOTE(review): `id` is an 8-hex-digit short key ID, which is not collision
# resistant. Prefer pinning the full 40-hex fingerprint, e.g.
#   id: '<FULL_KEY_FINGERPRINT>'   # placeholder - obtain from a trusted source
- name: add official nginx apt key
  apt_key:
    url: "https://nginx.org/keys/nginx_signing.key"
    id: '7BD9BF62'
    state: present
# Register the upstream nginx.org binary and source repositories for Debian
# stretch under the sources file name "nginx" and refresh the apt cache.
# NOTE(review): both entries use plain http://, so package authenticity rests
# entirely on apt's signature check against the imported signing key. Moving
# to https:// presumably needs apt-transport-https on stretch - confirm
# before changing.
- name: add official nginx apt repository
  apt_repository:
    repo: "{{ item }}"
    filename: nginx
    state: present
    update_cache: true
  with_items:
    - 'deb http://nginx.org/packages/debian/ stretch nginx'
    - 'deb-src http://nginx.org/packages/debian/ stretch nginx'
# Install nginx through the generic package module. No version is pinned, so
# whichever candidate apt prefers at run time is installed.
- name: install nginx packages
  package:
    state: present
    name: nginx
# Install ssl-cert, which provides the make-ssl-cert tool used by this role
# to generate the self-signed "snakeoil" certificate.
- name: install ssl-cert packages
  package:
    state: present
    name: ssl-cert
# Pin the SSH host key of zuckerwatte.ffmwu.org in the system-wide
# known_hosts file. The key line is read from the `known_hosts` file that the
# file lookup resolves on the control node.
# NOTE(review): presumably this is the host the certificate sync job connects
# to; pinning the key avoids trust-on-first-use for unattended runs - confirm.
- name: Add remote server to known_hosts
  known_hosts:
    name: zuckerwatte.ffmwu.org
    key: "{{ lookup('file', 'known_hosts') }}"
    path: /etc/ssh/ssh_known_hosts
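# Render the certificate sync script into /etc/cron.daily so it runs once a
# day. It is owned by root and not writable by anyone else, so unprivileged
# users cannot alter what the daily cron run executes.
- name: create cronjob to sync ssl certs
  template:
    src: ssl_certs.cron.j2
    dest: /etc/cron.daily/ssl_certs
    owner: root
    group: root
    # Quoted so the mode is passed as an octal string and never depends on
    # how the YAML parser types a bare number.
    mode: '0755'
  notify: restart cron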
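# Ensure the directory for shared nginx config snippets exists, owned by root
# and writable only by root.
- name: create config snippets directory
  file:
    path: /etc/nginx/snippets
    state: directory
    owner: root
    group: root
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0755'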
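# Create the per-host directory that holds this host's TLS key and
# certificate chain. Mode 0550 gives no access to "other".
# NOTE(review): the directory is owned by www-data. If the nginx worker
# processes run as www-data, a compromised worker could read everything
# stored here. Confirm which account actually needs access (nginx master,
# sync job, admin group) before tightening.
- name: create certs directory
  file:
    path: "/etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}"
    state: directory
    owner: www-data
    group: admin
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0550'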
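# Generate the default self-signed "snakeoil" certificate and key. `creates`
# makes the task a no-op once the certificate file exists.
# The command module is used instead of shell: the invocation needs no shell
# features, so it should not be passed through /bin/sh.
- name: create snakeoil cert
  command: make-ssl-cert generate-default-snakeoil
  args:
    creates: /etc/ssl/certs/ssl-cert-snakeoil.pem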
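# Seed privkey.pem with the snakeoil key so nginx can start before a real
# certificate has been synced. `remote_src` copies on the target host;
# `force: false` never overwrites an existing key, so a real key that is
# already in place is left untouched.
# NOTE(review): the private key ends up readable by www-data and group admin.
# nginx normally loads keys in its root-owned master process, so root-only
# access may be sufficient - confirm against nginx.conf and the sync job
# before tightening.
- name: copy snakeoil ssl key for first start
  copy:
    src: /etc/ssl/private/ssl-cert-snakeoil.key
    dest: "/etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem"
    remote_src: true
    force: false
    owner: www-data
    group: admin
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0440'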
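# Seed fullchain.pem with the snakeoil certificate so nginx can start before
# a real certificate has been synced. `remote_src` copies on the target host;
# `force: false` keeps any certificate that is already in place.
# The snakeoil certificate is self-signed, so clients will not trust it until
# it has been replaced.
- name: copy snakeoil ssl cert for first start
  copy:
    src: /etc/ssl/certs/ssl-cert-snakeoil.pem
    dest: "/etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem"
    remote_src: true
    force: false
    owner: www-data
    group: admin
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0440'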
# Run the daily certificate sync script once during the play, presumably so
# real certificates are in place without waiting for the first cron run.
# NOTE(review): there is no `creates`/`changed_when` guard, so the script
# executes and reports "changed" on every run, and a non-zero exit fails the
# play. The script comes from a template not shown here - review it for what
# it fetches and with which privileges.
- name: sync ssl certs
  shell: /etc/cron.daily/ssl_certs
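# Render the shared snippet for the Let's Encrypt ACME challenge location and
# restart nginx when it changes. Root-owned and world-readable; only root
# can modify it.
- name: write nginx configuration letsencrypt-acme-challenge.conf
  template:
    src: letsencrypt-acme-challenge.conf.j2
    dest: /etc/nginx/snippets/letsencrypt-acme-challenge.conf
    owner: root
    group: root
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0644'
  notify: restart nginx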
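# Render the main nginx configuration and restart nginx when it changes.
# Root-owned and world-readable; only root can modify it.
- name: write nginx configuration nginx.conf
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0644'
  notify: restart nginx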
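# Render the default server configuration and restart nginx when it changes.
# Ownership is set explicitly to root:root, matching the other nginx config
# files written by this role, so a pre-existing file with a different owner
# is corrected rather than silently kept.
- name: write nginx configuration default.conf
  template:
    src: default.conf.j2
    dest: /etc/nginx/conf.d/default.conf
    owner: root
    group: root
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0644'
  notify: restart nginx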
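# Ensure the directory for static web assets exists.
# NOTE(review): no owner/group is set, so a newly created directory belongs
# to the account the task runs as and an existing one keeps its owner.
- name: manage html directory for static files
  file:
    path: /var/www/html/static
    state: directory
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0755'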
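# Install the static stylesheet shipped with the role into the web root.
- name: copy css stylesheet
  copy:
    src: style.css
    dest: /var/www/html/static/style.css
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0644'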
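# Render the landing page into the web root.
# NOTE(review): the page is built from a Jinja2 template; any variable shown
# on it becomes public, so check that the template exposes nothing sensitive.
- name: write index.html
  template:
    src: index.html.j2
    dest: /var/www/html/index.html
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: '0644'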
# Make sure the nginx unit is running now and enabled at boot.
- name: configure systemd unit nginx
  systemd:
    name: nginx
    enabled: true
    state: started