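---
# Nginx role tasks: install nginx (from the nginx.org repository on the Debian
# family), optionally Certbot, deploy configuration, open the firewall and
# start the service.
#
# Variables expected from the role but not defined here: nginx_conf_dir,
# nginx_streams_dir, nginx_log_backend. Optional: nginx_user (defaults to
# www-data below), nginx_forwarder (mapping of domain -> forwarder config),
# acme_email (enables Certbot), certbot_timer_name (overrides the timer unit).

- name: Load OS-specific variables
  ansible.builtin.include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_facts['os_family'] }}.yml"
    - debian.yml

- name: Set nginx_user if not already set
  ansible.builtin.set_fact:
    nginx_user: "{{ nginx_user | default('www-data') }}"

- name: Ensure APT keyrings directory exists (Debian/Ubuntu)
  # /etc/apt/keyrings is not present on older releases and get_url does not
  # create parent directories, so the key download below would fail without it.
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"
  when:
    - ansible_facts['os_family'] == 'Debian'

- name: Add Nginx official APT signing key (Debian/Ubuntu)
  # Fetched over TLS but not pinned to a known fingerprint. A stronger supply
  # chain posture is to vendor the key in the role (ansible.builtin.copy) or
  # add a `checksum:` once the expected digest has been verified out of band.
  ansible.builtin.get_url:
    url: https://nginx.org/keys/nginx_signing.key
    dest: /etc/apt/keyrings/nginx-archive-keyring.asc
    owner: root
    group: root
    mode: "0644"
  when:
    - ansible_facts['os_family'] == 'Debian'

- name: Add Nginx official repository (Debian/Ubuntu)
  # os_family 'Debian' also matches Ubuntu, and nginx.org publishes a separate
  # tree per distribution, so the path is derived from the distribution name
  # instead of being hard-coded to debian/. HTTPS keeps the package index from
  # being observed or tampered with in transit; the signature check on top
  # still applies via signed_by.
  ansible.builtin.deb822_repository:
    name: nginx-official
    types: deb
    uris: "https://nginx.org/packages/mainline/{{ ansible_facts['distribution'] | lower }}/"
    suites: "{{ ansible_facts['distribution_release'] }}"
    components: nginx
    signed_by: /etc/apt/keyrings/nginx-archive-keyring.asc
    state: present
  register: nginx_repo_result
  when:
    - ansible_facts['os_family'] == 'Debian'

- name: Refresh APT cache after adding the Nginx repository (Debian/Ubuntu)
  # deb822_repository does not refresh the package index itself; without this
  # the install that follows would pick up the distro's nginx (or fail) on a
  # host where the repository was just added.
  ansible.builtin.apt:
    update_cache: true
  when:
    - ansible_facts['os_family'] == 'Debian'
    - nginx_repo_result is changed

- name: Install nginx
  ansible.builtin.package:
    name: nginx
    state: present

- name: Install nginx stream module (Debian)
  # NOTE(review): libnginx-mod-stream is the Debian/Ubuntu distro package.
  # Confirm it is still needed (and does not conflict) when nginx is installed
  # from the nginx-official repository added above.
  ansible.builtin.package:
    name: libnginx-mod-stream
    state: present
  when:
    - ansible_facts['os_family'] == 'Debian'
    - nginx_forwarder is defined
    - nginx_forwarder | length > 0

- name: Install Certbot
  ansible.builtin.package:
    name: certbot
    state: present
  when: acme_email is defined

- name: Enable Certbot renewal timer
  # Debian/Ubuntu ship the unit as certbot.timer; certbot-renew.timer is the
  # name used by other packagings. A failure here is surfaced rather than
  # ignored: a renewal timer that never got enabled means certificates expire
  # silently later. Override with certbot_timer_name if the host differs.
  ansible.builtin.systemd:
    name: "{{ certbot_timer_name | default('certbot.timer' if ansible_facts['os_family'] == 'Debian' else 'certbot-renew.timer') }}"
    enabled: true
    state: started
  when: acme_email is defined

- name: Ensure nginx conf.d directory exists
  ansible.builtin.file:
    path: "{{ nginx_conf_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Ensure nginx streams.d directory exists
  ansible.builtin.file:
    path: "{{ nginx_streams_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Ensure Certbot webroot directory exists
  # Owned by the nginx worker user so the ACME http-01 challenge files written
  # by certbot (as root) can be served; 0755 is sufficient for read access.
  ansible.builtin.file:
    path: /var/www/certbot
    state: directory
    owner: "{{ nginx_user }}"
    group: "{{ nginx_user }}"
    mode: "0755"
  when: acme_email is defined

- name: Deploy nginx main configuration
  # validate runs nginx -t against the rendered temporary file before it
  # replaces the live one, so a broken template never reaches the server.
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"
    validate: nginx -t -c %s
  notify: Reload nginx

- name: Deploy stream forwarder configurations
  # One file per forwarded domain; dots are replaced so the name is a plain
  # identifier. The domain keys are role input (inventory/vars), not request
  # data, so no further sanitisation of the file name is done here.
  # Fragments cannot be validated on their own, hence the separate
  # "nginx -t" that follows.
  ansible.builtin.template:
    src: forwarder.conf.j2
    dest: "{{ nginx_streams_dir }}/forwarder-{{ domain | replace('.', '_') }}.conf"
    owner: root
    group: root
    mode: "0644"
  loop: "{{ nginx_forwarder | dict2items }}"
  loop_control:
    loop_var: item
  vars:
    domain: "{{ item.key }}"
    config: "{{ item.value }}"
  when:
    - nginx_forwarder is defined
    - nginx_forwarder | length > 0
  notify: Reload nginx

- name: Validate nginx configuration after stream forwarder deployment
  # Fails the play before the reload handler runs if the combined
  # configuration is invalid.
  ansible.builtin.command: nginx -t
  changed_when: false
  when:
    - nginx_forwarder is defined
    - nginx_forwarder | length > 0

- name: Deploy logrotate configuration for nginx
  ansible.builtin.template:
    src: logrotate-nginx.j2
    dest: /etc/logrotate.d/nginx
    owner: root
    group: root
    mode: "0644"
  when: nginx_log_backend == 'file'

- name: Remove logrotate configuration when using journald
  ansible.builtin.file:
    path: /etc/logrotate.d/nginx
    state: absent
  when: nginx_log_backend == 'journald'

- name: Allow HTTP traffic through firewall
  # Retried because ufw holds a lock while another invocation is running.
  community.general.ufw:
    rule: allow
    port: "80"
    proto: tcp
    comment: Nginx HTTP
  retries: 5
  delay: 2
  register: ufw_result
  until: ufw_result is succeeded

- name: Allow HTTPS traffic through firewall
  community.general.ufw:
    rule: allow
    port: "443"
    proto: tcp
    comment: Nginx HTTPS
  retries: 5
  delay: 2
  register: ufw_result
  until: ufw_result is succeeded

- name: Enable and start nginx service
  # Started last so the "Reload nginx" handler (flushed at the end of the play)
  # acts on a running service.
  ansible.builtin.systemd:
    name: nginx
    enabled: true
    state: started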