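---
# Tasks for a Debian-style nginx web server host: install nginx, deploy the
# TLS key/certificate/DH parameters, harden the TLS configuration, deploy the
# default vhost and firewall rules, then prepare the Python (WSGI) and PHP-FPM
# runtimes. Handlers referenced by `notify` (Restart nginx, Restart ferm,
# Reload systemd, Restart PHP-FPM) are defined in ../handlers/main.yml.
#
# All file modes are written as quoted strings ("0640") so the YAML parser
# cannot reinterpret the leading zero as octal/decimal depending on YAML 1.1 vs
# 1.2 semantics; Ansible accepts both the quoted and the unquoted form.

- name: Install nginx
  apt:
    name: nginx
    state: present

# /etc/ssl/private is traversable only by the ssl-cert group on Debian; nginx's
# worker user needs group membership to reach the key and DH parameter files.
- name: Allow nginx user to traverse the directory with TLS private keys
  user:
    name: www-data
    append: true
    groups: ssl-cert
  notify:
    - Restart nginx

# no_log keeps the private key material out of the task output and --diff
# display; the content comes from the default_https_tls_key variable.
- name: Deploy nginx TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_https.key"
    content: "{{ default_https_tls_key }}"
    mode: "0640"
    owner: root
    group: root
  no_log: true
  notify:
    - Restart nginx

- name: Deploy nginx TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    content: "{{ default_https_tls_certificate }}"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart nginx

- name: Generate the HTTPS server Diffie-Hellman parameter
  openssl_dhparam:
    owner: root
    group: root
    mode: "0640"
    path: "/etc/ssl/private/{{ ansible_fqdn }}_https.dh.pem"
    size: 2048
  notify:
    - Restart nginx

# The file contains only the path of the certificate to be checked; the cron
# job that consumes it is expected to be deployed elsewhere.
- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
    owner: root
    group: root
    mode: "0644"

# The protocol list is managed in conf.d/tls.conf below; any ssl_protocols
# directive left in nginx.conf would shadow or conflict with it.
- name: Remove TLS protocol configuration from the main configuration file
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    backrefs: true
    regexp: '^\s*ssl_protocols'
    state: absent
  notify:
    - Restart nginx

- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
  template:
    dest: "/etc/nginx/conf.d/tls.conf"
    src: "tls.conf.j2"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart nginx

- name: Deploy script for verification of nginx vhost configurations
  copy:
    src: "nginx_verify_site.sh"
    dest: "/usr/local/bin/nginx_verify_site.sh"
    owner: root
    group: root
    mode: "0755"

# `validate` runs the verification script against the temporary file (%s)
# before it is moved into place, so a broken vhost never reaches nginx.
- name: Deploy default vhost configuration
  template:
    src: "nginx-default.j2"
    dest: "/etc/nginx/sites-available/default"
    owner: root
    group: root
    mode: "0640"
    validate: "/usr/local/bin/nginx_verify_site.sh -n default %s"
  notify:
    - Restart nginx

- name: Enable default website
  file:
    src: "/etc/nginx/sites-available/default"
    dest: "/etc/nginx/sites-enabled/default"
    state: link
  notify:
    - Restart nginx

- name: Deploy firewall configuration for web server
  copy:
    src: "ferm_http.conf"
    dest: "/etc/ferm/conf.d/30-web.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Remove the default Debian html files
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /var/www/html/index.nginx-debian.html
    - /var/www/html/

- name: Create directory for storing the default website page
  file:
    path: "/var/www/default/"
    state: directory
    owner: root
    group: www-data
    mode: "0750"

- name: Deploy the default index.html
  template:
    src: "index.html.j2"
    dest: /var/www/default/index.html
    owner: root
    group: www-data
    mode: "0640"

- name: Enable nginx service
  service:
    name: nginx
    enabled: true
    state: started

- name: Install base packages for Python web applications
  apt:
    name:
      - python-setuptools
      - python3-setuptools
      - virtualenv
      - virtualenvwrapper
    state: present

- name: Install base packages for PHP web applications
  apt:
    name: "{{ php_fpm_package_name }}"
    state: present

# Socket directories are group-accessible to www-data only; per-site
# application users are expected to be members of that group.
- name: Create directories for storing per-site socket files
  file:
    path: "/run/{{ item }}"
    state: directory
    owner: root
    group: www-data
    mode: "0750"
  with_items:
    - wsgi
    - php

# /run is tmpfs, so the directories above must be recreated by systemd-tmpfiles
# on every boot with the same ownership and mode.
- name: Create directories for storing per-site socket files on boot
  copy:
    content: "d /run/{{ item.socket_dir }}/ 0750 root www-data - -"
    dest: "/etc/tmpfiles.d/{{ item.tmpfiles_d }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - socket_dir: wsgi
      tmpfiles_d: "wsgi.conf"
    - socket_dir: php
      tmpfiles_d: "{{ php_fpm_service_name }}.conf"

- name: Create directory for storing PHP-FPM service configuration overrides
  file:
    path: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/"
    state: directory
    owner: root
    group: root
    mode: "0755"

# A drop-in unit override; systemd must be reloaded before the restart picks
# up the new umask.
- name: Configure PHP-FPM service to run with umask 0007
  copy:
    src: "php_fpm_umask.conf"
    dest: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/umask.conf"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd
    - Restart PHP-FPM

- name: Enable service used for running PHP web applications
  service:
    name: "{{ php_fpm_service_name }}"
    enabled: true
    state: started

# server_timezone (base64-encoded content of /etc/timezone) is consumed by
# the php_timezone.ini.j2 template below.
- name: Read timezone on server
  slurp:
    src: "/etc/timezone"
  register: server_timezone

- name: Configure timezone for PHP
  template:
    src: "php_timezone.ini.j2"
    dest: "{{ item }}/30-timezone.ini"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - "{{ php_base_config_dir }}/cli/conf.d/"
    - "{{ php_base_config_dir }}/fpm/conf.d/"
  notify:
    - Restart PHP-FPM

# Opt-in (run_handlers=true) forced run of every handler, e.g. after a
# previous play was interrupted before its handlers fired. `include` is the
# legacy static include; newer Ansible releases deprecate it in favour of
# include_tasks/import_tasks — verify against the targeted Ansible version
# before changing it, since tag inheritance differs between them.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers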