dotfiles/roles/server/nginx/tasks/main.yml

---
- name: Packages
  ansible.builtin.include_tasks: install.yml
  tags: install

- name: Install the proxy snippet
  ansible.builtin.copy:
    src: files/proxy.conf
    dest: /etc/nginx/proxy.conf
    mode: 0644
    owner: root
    group: root

- name: Install the SSL snippet
  ansible.builtin.template:
    src: templates/ssl.conf
    dest: /etc/nginx/ssl.conf
    mode: 0644
    owner: root
    group: root

- name: Install the default config
  ansible.builtin.copy:
    src: files/nginx.conf
    dest: /etc/nginx/nginx.conf
    mode: 0644
    owner: root
    group: root

- name: Install the HTTP config
  ansible.builtin.template:
    src: templates/http.conf
    dest: /etc/nginx/http.conf
    mode: 0644
    owner: root
    group: root

- name: Enable $HOME shortcut
  ansible.builtin.template:
    src: templates/me.conf
    dest: /etc/nginx/conf.d/me.conf
    mode: 0644
    owner: root
    group: root

- name: Allow httpd in homedirs in SELinux
  ansible.posix.seboolean:
    name: httpd_enable_homedirs
    state: true
    persistent: true
  when: ansible_facts.selinux.status == 'enabled'

- name: Enable reverse proxy
  ansible.builtin.template:
    src: templates/reverse_proxy.conf
    dest: "/etc/nginx/conf.d/{{ item.domain }}.conf"
    mode: 0644
    owner: root
    group: root
  vars:
    proxy_domain: "{{ item.domain }}"
    proxy_upstream: "{{ item.upstream }}"
    proxy_protocol: "{{ item.protocol }}"
  loop: "{{ server_nginx_reverse_proxy }}"

# ‹httpd_can_network_relay› was not enough for the ubiquiti reverse proxy
- name: Allow reverse proxy in SELinux
  ansible.posix.seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true
  when: "ansible_facts.selinux.status == 'enabled' and server_nginx_reverse_proxy"

- name: Enable nginx on firewall
  ansible.posix.firewalld:
    service: "{{ item }}"
    immediate: true
    permanent: true
    state: enabled
  loop:
    - http
    - https
  tags: firewall

- name: Enable nginx
  ansible.builtin.service:
    name: nginx
    enabled: true
    state: restarted