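---
# Configures nginx as a reverse proxy: installs the nginx config files,
# optionally protects services with HTTP basic auth (auth_enabled == "y"),
# and optionally sets up DuckDNS plus a certbot-issued certificate
# (duck_enabled == "y").

- name: Remove default nginx config
  file:
    path: /etc/nginx/sites-enabled
    state: absent

- name: Restore nginx/conf.d
  file:
    path: /etc/nginx/conf.d
    state: directory

- name: Install system nginx config
  copy:
    src: static/nginx/nginx.conf
    dest: /etc/nginx/nginx.conf

# helps with proxy-ing services
- name: Install nginx proxy-control.conf
  copy:
    src: static/nginx/proxy-control.conf
    dest: /etc/nginx/proxy-control.conf

# NOTE(review): this file is installed unconditionally, while the passwd file
# below is only created when auth_enabled == "y". The template is not visible
# here; confirm it does not reference a missing passwd file, or silently drop
# the auth requirement, when auth is disabled.
- name: Install nginx restrict-auth.conf
  template:
    src: templates/nginx/restrict-auth.conf
    dest: /etc/nginx/restrict-auth.conf

- name: Install nginx config for site proxies
  copy:
    src: static/nginx/sites.conf
    dest: /etc/nginx/conf.d/sites.conf

# locks down services that shouldn't be public (if enabled)
- name: Install nginx passwd file
  htpasswd:
    path: /etc/nginx/passwdfile
    name: "{{ auth_username }}"
    password: "{{ auth_password }}"
    owner: root
    group: www-data
    # Quoted so the mode is never re-typed by the YAML parser.
    mode: "0640"
  # Only runs when basic auth is switched on.
  when: auth_enabled == "y"
  # Keep the plaintext password out of task output and logs.
  no_log: true

# NOTE(review): templates/updateDuckDNS is not visible here. Update scripts of
# this kind usually embed the DuckDNS token (TODO confirm), and the previous
# symbolic mode `u+rx` left group/other read access from the default umask in
# place. An explicit owner-only mode keeps the script private.
- name: Install updateDuckDNS
  template:
    src: templates/updateDuckDNS
    dest: /infra/updateDuckDNS
    mode: "0700"
  when: duck_enabled == "y"

# update duckdns daily (01:00)
- name: Install DuckDNS cronjob
  cron:
    name: Update DuckDNS
    minute: "0"
    hour: "1"
    job: /infra/updateDuckDNS
  when: duck_enabled == "y"

# go ahead and run the update (before running certbot)
# `command` instead of `shell`: no shell features are needed here.
- name: Setup DuckDNS
  command:
    argv:
      - /infra/updateDuckDNS
  when: duck_enabled == "y"

# certbot is a life saver. thank you certbot devs!
# argv form passes duck_domain as a single argument, so shell metacharacters
# in the variable are never interpreted by a shell.
- name: Setup certbot
  command:
    argv:
      - certbot
      - '--nginx'
      - '--non-interactive'
      - '--agree-tos'
      - '-m'
      - do_not_contact@proton.me
      - '-d'
      - "{{ duck_domain }}"
  when: duck_enabled == "y"

# Despite the task name, this performs a full restart and enables the unit at
# boot.
- name: Reload Nginx
  systemd:
    name: nginx
    enabled: true
    state: restarted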