---
- name: config should not be worldwide read- or writeable
  file:
    path: "/etc/nginx"
    mode: "o-rw"
    owner: "root"
    group: "root"
    recurse: yes

- name: create additional configuration
  template:
    src: "hardening.conf.j2"
    dest: "/etc/nginx/conf.d/90.hardening.conf"
    owner: "root"
    group: "root"
  notify: restart nginx

- name: change configuration in main nginx.conf
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    regexp: '^\s*server_tokens'
    line: "    server_tokens {{ nginx_server_tokens }};"
    insertafter: "http {"
  notify: restart nginx

- name: change ssl_protocols in main nginx.conf
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    regexp: '^\s*ssl_protocols'
    line: "    ssl_protocols {{ nginx_ssl_protocols }};"
    insertafter: "http {"
  notify: restart nginx

- name: change ssl_prefer_server_ciphers in main nginx.conf
  lineinfile:
     dest: "/etc/nginx/nginx.conf"
     regexp: '^\s*ssl_prefer_server_ciphers'
     line: "    ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers }};"
     insertafter: "http {"
  notify: restart nginx

- name: change client_max_body_size in main nginx.conf
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    regexp: '^\s*client_max_body_size'
    line: "    client_max_body_size {{ nginx_client_max_body_size }};"
    insertafter: "http {"
  notify: restart nginx

- name: change client_body_buffer_size in main nginx.conf
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    regexp: '^\s*client_body_buffer_size'
    line: "    client_body_buffer_size {{ nginx_client_body_buffer_size }};"
    insertafter: "http {"
  notify: restart nginx

- name: change keepalive_timeout in main nginx.conf
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    regexp: '^\s*keepalive_timeout'
    line: "    keepalive_timeout {{ nginx_keepalive_timeout }};"
    insertafter: "http {"
  notify: restart nginx

- name: remove default.conf
  file:
    path: "{{ item }}"
    state: absent
  when: nginx_remove_default_site
  notify: restart nginx
  loop:
    - "/etc/nginx/conf.d/default.conf"
    - "/etc/nginx/sites-enabled/default"

- name: generate dh group
  command: "openssl dhparam -out /etc/nginx/dh{{ nginx_dh_size }}.pem {{ nginx_dh_size }}"
  args:
    creates: "/etc/nginx/dh{{ nginx_dh_size }}.pem"
  notify: restart nginx