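---
# Install and configure nginx on RedHat-family and OpenBSD hosts: package,
# SELinux labels, data/config directories, log handling and service startup.

- name: Include OS-specific variables
  ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"

# On RedHat-family major version 8 (Fedora excluded) the nginx 1.20 module
# stream is enabled before the package is installed. `creates` keeps the
# command idempotent. The former `warn: false` option is dropped because
# ansible-core 2.14 removed it from the command module and rejects it as an
# unsupported parameter.
- name: Enable nginx:1.20 module
  ansible.builtin.command:
    argv:
      - dnf
      - module
      - "-y"
      - enable
      - "nginx:1.20"
    creates: /etc/dnf/modules.d/nginx.module
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version | int == 8
    - ansible_distribution != "Fedora"

# `present` is the state accepted by every package backend; `installed` is
# only an alias on some of them.
- name: Install packages
  ansible.builtin.package:
    name: nginx
    state: present

# Registers the labelling rule only; the rule is applied to the directories
# by the next task through `setype: _default`.
- name: Fix selinux contexts from data directory
  community.general.sefcontext:
    path: /srv/web(/.*)?
    setype: httpd_sys_content_t
  when: ansible_selinux_python_present

# Directories are root-owned and not writable by group or other, so the web
# server account cannot modify its own content tree or per-host config.
# File modes are quoted so they are never reinterpreted as integers.
- name: Create nginx data and config directories
  ansible.builtin.file:
    state: directory
    path: "{{ item }}"
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
    seuser: _default
    setype: _default
  loop:
    - /srv/web
    - "/srv/web/{{ inventory_hostname }}"
    - "/etc/nginx/conf.d/{{ inventory_hostname }}"

- name: Create nginx base config
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart nginx

# NOTE(review): this directory is also used as the sftpuser chroot below;
# sshd refuses a ChrootDirectory that is not root-owned or is group/world
# writable, which is presumably why ownership and mode are pinned here.
- name: Fix logdir permissions
  ansible.builtin.file:
    path: "{{ nginx_logdir }}"
    state: directory
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"

# NOTE(review): the log path is hard-coded here rather than derived from
# nginx_logdir; confirm the two agree on OpenBSD.
- name: Disable system log rotate
  ansible.builtin.lineinfile:
    path: /etc/newsyslog.conf
    state: absent
    regexp: '^/var/www/logs/{{ item }}\s+.*'
  loop:
    - access.log
    - error.log
  when: ansible_os_family == "OpenBSD"

# The script is run from cron by the next task, so it stays root-owned and
# not writable by anyone else.
- name: Install custom logrotate
  ansible.builtin.template:
    dest: /usr/local/sbin/nginx-logrotate
    src: nginx-logrotate.sh
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
  when: ansible_os_family == "OpenBSD"

- name: Add logrotate cron job
  ansible.builtin.cron:
    name: nginx-logrotate
    hour: "0"
    minute: "0"
    job: /usr/local/sbin/nginx-logrotate
  when: ansible_os_family == "OpenBSD"

# Sets up the `logsync` account through the sftpuser role, chrooted to the
# nginx log directory and authorised by the keys in logsync_publickeys.
- name: Import sftpuser role
  ansible.builtin.import_role:
    name: sftpuser
  vars:
    chroot: "{{ nginx_logdir }}"
    user: logsync
    publickeys: "{{ logsync_publickeys }}"

# https://bugzilla.redhat.com/show_bug.cgi?id=1725248
- name: Create drop-in directory for service
  ansible.builtin.file:
    path: /etc/systemd/system/nginx.service.d
    state: directory
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
  when: ansible_os_family == "RedHat"

- name: Configure service startup dependencies
  ansible.builtin.copy:
    dest: /etc/systemd/system/nginx.service.d/dependency.conf
    src: dependency.conf
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  when: ansible_os_family == "RedHat"

# NOTE(review): on OpenBSD the packaged nginx is understood to chroot by
# default and `-u` to turn that off; confirm that running without the chroot
# is intended (the data directory is /srv/web) and is an accepted trade-off.
- name: Enable nginx service
  ansible.builtin.service:
    name: nginx
    arguments: "{% if ansible_system == 'OpenBSD' %}-u{% endif %}"
    state: started
    enabled: true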