- name: Install nginx
  ansible.builtin.apt:
    name: nginx
    state: present
    update_cache: true

- name: Start nginx and enable on boot
  ansible.builtin.service:
    name: nginx
    state: started
    enabled: true

- name: Generate DH Parameters
  community.crypto.openssl_dhparam:
    path: /etc/ssl/dhparams.pem
    size: 4096

- name: Install nginx base configuration
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    mode: "644"
  notify: reload_nginx

- name: Install nginx sites configuration
  ansible.builtin.template:
    src: server-nginx.conf.j2
    dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
    mode: "400"
  loop: "{{ proxy.servers }}"
  notify: reload_nginx
  register: nginx_sites

- name: Generate self-signed certificate
  ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
          -keyout /etc/ssl/private/nginx-selfsigned.key \
          -out    /etc/ssl/certs/nginx-selfsigned.crt'
  args:
    creates: /etc/ssl/certs/nginx-selfsigned.crt
  when: proxy.production is not defined or not proxy.production
  notify: reload_nginx

- name: Install LE's certbot
  ansible.builtin.apt:
    name: ['certbot', 'python3-certbot-dns-cloudflare']
    state: present
  when: proxy.production is defined and proxy.production

- name: Install Cloudflare API token
  ansible.builtin.template:
    src: cloudflare.ini.j2
    dest: /root/.cloudflare.ini
    mode: "400"
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined

- name: Create nginx post renewal hook directory
  ansible.builtin.file:
    path: /etc/letsencrypt/renewal-hooks/post
    state: directory
    mode: "500"
  when: proxy.production is defined and proxy.production

- name: Install nginx post renewal hook
  ansible.builtin.copy:
    src: reload-nginx.sh
    dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
    mode: '0755'
  when: proxy.production is defined and proxy.production

- name: Run Cloudflare DNS-01 challenges on wildcard domains
  ansible.builtin.shell: '/usr/bin/certbot certonly \
            --non-interactive \
            --agree-tos \
            --email "{{ proxy.dns_cloudflare.email }}" \
            --dns-cloudflare \
            --dns-cloudflare-credentials /root/.cloudflare.ini \
            -d "*.{{ item }}" \
            -d "{{ item }}" \
            {{ proxy.dns_cloudflare.opts | default("") }}'
  args:
    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
  notify: reload_nginx

- name: Add HTTP and HTTPS firewall rule
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop:
    - "80"
    - "443"