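---
# Installs nginx from the upstream nginx.org mainline repository, pins it
# above the distribution packages, includes the config/site/stream task
# files, renders the ingress firewall rules and fixes /etc/nginx ownership.

- name: install requirements
  become: true
  ansible.builtin.apt:
    update_cache: true
    force_apt_get: true
    cache_valid_time: 3600
    pkg:
      - ca-certificates
      - curl
      - debian-archive-keyring
      - gnupg2
      - lsb-release

- name: install nginx repository
  become: true
  ansible.builtin.deb822_repository:
    allow_downgrade_to_insecure: false
    allow_insecure: false
    allow_weak: false
    components:
      - nginx
    enabled: true
    name: nginx
    signed_by: 'https://nginx.org/keys/nginx_signing.key'
    state: present
    suites: '{{ ansible_facts.distribution_release }}'
    # Keep Release-file signature checking on. 'trusted: true' marks the
    # source as authenticated regardless of its signature, which would make
    # signed_by and the allow_* settings above ineffective.
    trusted: false
    # Fetch the index over TLS so it cannot be altered in transit.
    uris: 'https://nginx.org/packages/mainline/debian'

- name: pin nginx packages
  become: true
  ansible.builtin.copy:
    # NOTE(review): the stanza carries two Pin lines; confirm apt honours
    # both rather than only the first before relying on the o=nginx match.
    content: |-
      Package: *
      Pin: origin nginx.org
      Pin: release o=nginx
      Pin-Priority: 900
    dest: /etc/apt/preferences.d/55-nginx
    mode: '0600'
    owner: root
    group: root

- name: update cache and install nginx package
  become: true
  ansible.builtin.apt:
    # cache_valid_time 0 forces a refresh so the new source is visible.
    cache_valid_time: 0
    force_apt_get: true
    update_cache: true
    pkg: '{{ nginx_extra_packages | default([]) + ["nginx"] }}'

# tags on the include select the include statement itself; apply.tags
# propagates the same tag to every task inside the included file.
- name: include nginx configuration tasks
  ansible.builtin.include_tasks:
    file: nginx-config.yml
    apply:
      tags: [webserver-config]
  tags: [webserver-config]

- name: setup firewall rules
  become: true
  ansible.builtin.template:
    src: ../templates/ingress_http_nginx.nft.j2
    dest: /etc/nftables.d/ingress_http_nginx.nft
    owner: root
    group: root
    mode: '0600'
  notify:
    - 'nginx : restart firewall service'

- name: include nginx site entries
  ansible.builtin.include_tasks:
    file: nginx-service-entry.yml
    apply:
      tags: [webserver-sites]
  tags: [webserver-sites]
  vars:
    nginx_entry_type: site
  loop: '{{ nginx_sites }}'
  loop_control:
    label: '{{ item.name }}'

- name: include nginx stream entries
  ansible.builtin.include_tasks:
    file: nginx-service-entry.yml
    apply:
      tags: [webserver-streams]
  tags: [webserver-streams]
  vars:
    nginx_entry_type: stream
  loop: '{{ nginx_streams }}'
  loop_control:
    label: '{{ item.name }}'

- name: set permissions
  become: true
  ansible.builtin.file:
    path: /etc/nginx
    # NOTE(review): this hands the whole config tree to the service account,
    # so that account can rewrite its own configuration; confirm root
    # ownership with group read (g=rX) is not sufficient for the entry tasks.
    owner: '{{ nginx_service_user }}'
    group: '{{ nginx_service_user }}'
    mode: 'u=rwX,g=rX,o='
    recurse: true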