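---
# Installs Nginx mainline from the nginx.org APT repository on Ubuntu and
# applies the baseline TLS/user configuration.
#
# Variables read here: ansible_architecture, ansible_distribution_release
# (gathered facts) and nginx_ssl_dhparam (destination path of the DH
# parameter file; defined outside this file).
# The "Reload nginx" handler is notified by several tasks and is expected to
# be defined in the role's handlers.

# Map the kernel architecture name to the Debian/APT architecture name.
# Only x86_64 and aarch64 are handled; on any other architecture
# architecture_alias stays undefined and the repository task fails.
- name: Set architecture alias
  ansible.builtin.set_fact:
    architecture_alias: "amd64"  # noqa: var-naming[no-role-prefix]
  when: ansible_architecture == "x86_64"

- name: Set architecture alias
  ansible.builtin.set_fact:
    architecture_alias: "arm64"  # noqa: var-naming[no-role-prefix]
  when: ansible_architecture == "aarch64"

# The signing key is stored in a dedicated keyring that only the nginx.org
# source entry references via signed-by, so it is not trusted for any other
# repository.
# NOTE(review): the key is accepted as downloaded (trust on first use).
# Consider setting `id:` to the expected fingerprint
# (<EXPECTED_NGINX_KEY_FINGERPRINT>, taken from nginx.org's install
# documentation) so that a substituted key is noticed.
- name: Add Nginx GPG apt Key
  ansible.builtin.apt_key:
    url: https://nginx.org/keys/nginx_signing.key
    keyring: /usr/share/keyrings/nginx-archive-keyring.gpg
    state: present

# Package integrity comes from the APT signature check (signed-by above);
# HTTPS is used for the transport as well so that package metadata is not
# fetched in clear text.
# NOTE(review): hosts provisioned with the earlier http:// source line may
# retain that entry until it is removed.
- name: Add Nginx Mainline Repository
  ansible.builtin.apt_repository:
    repo: >-
      deb [arch={{ architecture_alias }}
      signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg]
      https://nginx.org/packages/mainline/ubuntu
      {{ ansible_distribution_release }} nginx
    state: present
    update_cache: true

# NOTE(review): `state: latest` upgrades Nginx on every run once the cache
# is older than cache_valid_time; pin a version if upgrades must be
# controlled.
- name: Install Nginx
  ansible.builtin.apt:
    name: nginx
    state: latest
    update_cache: true
    cache_valid_time: 3600

# Reload so the packaged default server stops being served once its config
# file is gone.
- name: Remove default.conf
  ansible.builtin.file:
    path: /etc/nginx/conf.d/default.conf
    state: absent
  notify: Reload nginx

- name: Create global config folder
  ansible.builtin.file:
    path: "/etc/nginx/global"
    mode: "0755"
    state: directory

- name: Copy Nginx SSL Config
  ansible.builtin.template:
    dest: /etc/nginx/global/ssl.conf
    src: ssl.conf.j2
    mode: "0644"
  notify: Reload nginx

# Pre-defined DHE group, as recommended by IETF RFC 7919.
# NOTE(review): the URL tracks the mutable `main` branch and the download is
# not verified. The group is public, but its integrity matters; pin the URL
# to a commit and add `checksum: "sha256:<EXPECTED_SHA256_OF_FFDHE4096_PEM>"`.
- name: Download pre-defined DHE group
  ansible.builtin.get_url:
    url: https://github.com/internetstandards/dhe_groups/raw/main/ffdhe4096.pem
    dest: "{{ nginx_ssl_dhparam }}"
    mode: "0644"
  register: nginx_ffdhe4096_download_file
  until: nginx_ffdhe4096_download_file is succeeded
  retries: 3
  delay: 5
  notify: Reload nginx

# Anchored to the start of the line and tolerant of any amount of whitespace,
# so only the real `user` directive is rewritten (not a commented-out copy)
# and the match does not depend on the exact spacing in nginx.conf.
- name: Set nginx user to www-data
  ansible.builtin.replace:
    path: /etc/nginx/nginx.conf
    regexp: '^user\s+nginx;'
    replace: 'user www-data;'
  notify: Reload nginx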