- name: set up Passenger YUM repo
  get_url:
    url: https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
    dest: /etc/yum.repos.d/passenger.repo
  become: yes

- name: install gpg key for Passenger YUM repo
  rpm_key:
    key: https://packagecloud.io/gpg.key
  become: yes

# this makecache is mostly because I can not find any other way to fully
# import the GPG. key for the Passenger repo. 'rpm_key' is not
# sufficient.
# The use of /usr/bin/env is a hack to avoid Ansible's "Consider using
# yum module..." warnings when it sees 'yum' as the primary command.
- name: yum makecache
  command: /usr/bin/env yum -q makecache -y --disablerepo='*' --enablerepo='passenger*'
  become: yes
  changed_when: False

- name: install epel-release
  yum:
    name: epel-release
  become: yes

- name: install nginx, passenger
  yum:
    name: '{{ item }}'
  become: yes
  with_items:
    - nginx
    - passenger

- name: check for dharam pem file
  stat:
    path: '{{ dharam_pem_path }}'
  register: dharam_pem

# https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score
- name: generate new Diffie-Hellman group
  command: 'openssl dhparam -out {{ dharam_pem_path }} 2048'
  become: yes
  notify: restart nginx
  when: dharam_pem.stat.exists == False

- name: install easyredmine.conf to Nginx 
  template:
    dest: '/etc/nginx/conf.d/easyredmine.conf'
    src: easyredmine.conf.j2
  become: yes
  notify: restart nginx

- name: install nginx.conf to Nginx
  template:
    dest: '/etc/nginx/nginx.conf'
    src: nginx.conf.j2
  become: yes
  notify: restart nginx

- name: install passenger.conf to Nginx
  template:
    dest: /etc/nginx/conf.d/passenger.conf
    src: passenger.conf.j2
  become: yes
  notify: restart nginx

- name: install TLS cert
  copy:
    dest: '/etc/pki/tls/certs/{{ ansible_fqdn }}.pem'
    src: '{{ nginx_pem }}'
  become: yes
  notify: restart nginx

- name: manage Nginx service
  service:
    name: nginx
    state: started
    enabled: yes
  become: yes