main.yml

# requires:
#   - common/tasks/main.yml
---

- name: create nginx app dirs
  file: >
    path="{{ item }}"
    state=directory
    owner="{{ nginx_user }}"
    group="{{ common_web_group }}"
  with_items:
    - "{{ nginx_app_dir }}"
    - "{{ nginx_sites_available_dir }}"
    - "{{ nginx_sites_enabled_dir }}"
    - "{{ nginx_conf_dir }}"
  notify: restart nginx
  tags:
    - install
    - install:configuration

- name: create nginx data dirs
  file: >
    path="{{ item }}"
    state=directory
    owner="{{ common_web_user }}"
    group="{{ nginx_user }}"
  with_items:
    - "{{ nginx_data_dir }}"
    - "{{ nginx_log_dir }}"
    - "{{ nginx_server_static_dir }}"
  notify: restart nginx
  tags:
    - install
    - install:configuration

- name: Install needed packages
  apt: pkg={{ item }} state=present
  notify: restart nginx
  with_items: nginx_debian_pkgs
  tags:
    - install
    - install:system-requirements

- name: Add apt key
  apt_key:
    url: http://nginx.org/keys/nginx_signing.key
    state: present
  notify: restart nginx
  tags:
    - install
    - install:system-requirements

- name: Add nginx repository
  apt_repository:
    repo: "{{ NGINX_APT_REPO }}"
    state: present
  notify: restart nginx
  tags:
    - install
    - install:system-requirements

# REMOVE THIS AFTER LATEST NGINX HAS BEEN DEPLOYED EVERYWHERE
# New package does not identify conflicts properly.
# "nginx-common" only appears as requirement for ubuntu-distributed package, thus
# removing it will remove all nginx packages installed from Ubuntu's repo.
# This is only required if nginx was previously installed from Ubuntu's repo
# and you're switching to Nginx's PPA
- name: Remove old nginx packages
  apt:
    name: nginx-common
    state: absent
  tags:
    - install
    - install:system-requirements

- name: Install the nginx package
  apt:
    name: nginx
    state: latest
    update_cache: yes
  notify: restart nginx
  tags:
    - install
    - install:system-requirements

- name: Remove the default site
  file: >
    path=/etc/nginx/sites-enabled/default
    state=absent
  notify: reload nginx
  tags:
    - install
    - install:configuration

- name: Server configuration file
  template: >
    src=etc/nginx/nginx.conf.j2 dest=/etc/nginx/nginx.conf
    owner=root group={{ common_web_user }} mode=0644
  notify: restart nginx
  tags:
    - install
    - install:configuration

- name: Creating common nginx configuration
  template: >
    src=edx/app/nginx/sites-available/edx-release.j2
    dest={{ nginx_sites_available_dir }}/edx-release
    owner=root group=root mode=0600
  notify: reload nginx
  tags:
    - install
    - install:configuration

- name: Create robot rules
  template: >
    src=edx/app/nginx/robots.txt.j2 dest={{ nginx_app_dir }}/robots.txt
    owner=root group={{ common_web_user }} mode=0644
  notify: reload nginx
  when: NGINX_ROBOT_RULES|length > 0
  tags:
    - install
    - install:configuration

- name: Creating link for common nginx configuration
  file: >
    src={{ nginx_sites_available_dir }}/edx-release
    dest={{ nginx_sites_enabled_dir }}/edx-release
    state=link owner=root group=root
  notify: reload nginx
  tags:
    - install
    - install:configuration

- name: Copying nginx configs for {{ nginx_sites }}
  template: >
    src={{ nginx_template_dir }}/{{ item }}.j2
    dest={{ nginx_sites_available_dir }}/{{ item }}
    owner=root group={{ common_web_user }} mode=0640
  notify: reload nginx
  with_items: nginx_sites
  tags:
    - install
    - install:configuration

- name: Creating nginx config links for {{ nginx_sites }}
  file: >
    src={{ nginx_sites_available_dir }}/{{ item  }}
    dest={{ nginx_sites_enabled_dir }}/{{ item }}
    state=link owner=root group=root
  notify: reload nginx
  with_items: nginx_sites
  tags:
    - install
    - install:configuration

- name: Copying nginx extra configs
  template: >
    src={{ item }}
    dest={{ nginx_sites_available_dir }}/{{ item|basename|replace(".j2", "") }}
    owner=root group={{ common_web_user }} mode=0640
  notify: reload nginx
  with_items: nginx_extra_sites
  tags:
    - install
    - install:configuration

- name: Creating links for nginx extra configs
  file: >
    src={{ nginx_sites_available_dir }}/{{ item|basename|replace(".j2", "")  }}
    dest={{ nginx_sites_enabled_dir }}/{{ item|basename|replace(".j2", "") }}
    state=link owner=root group=root
  notify: reload nginx
  with_items: nginx_extra_sites
  tags:
    - install
    - install:configuration

- name: Copying custom nginx config
  template: >
    src={{ item }}
    dest={{ nginx_conf_dir }}/{{ item|basename|replace(".j2", "") }}
    owner=root group={{ common_web_user }} mode=0640
  notify: reload nginx
  with_items: nginx_extra_configs
  tags:
    - install
    - install:configuration

- name: Copying nginx redirect configs for {{ nginx_redirects }}
  template: >
    src={{ nginx_template_dir }}/nginx_redirect.j2
    dest={{ nginx_sites_available_dir }}/{{ item.key }}
    owner=root group={{ common_web_user }} mode=0640
  notify: reload nginx
  with_dict: nginx_redirects
  tags:
    - install
    - install:configuration

- name: Creating nginx redirect links for {{ nginx_redirects }}
  file: >
    src={{ nginx_sites_available_dir }}/{{ item.key  }}
    dest={{ nginx_sites_enabled_dir }}/{{ item.key }}
    state=link owner=root group=root
  notify: reload nginx
  with_dict: nginx_redirects
  tags:
    - install
    - install:configuration

  # These are static pages that can be used
  # for nginx rate limiting, 500 errors, etc.

- name: Create NGINX server templates
  template: >
    src=edx/var/nginx/server-static/server-template.j2
    dest={{ nginx_server_static_dir }}/{{ item.file }}
    owner=root group={{ common_web_user }} mode=0640
  with_items: NGINX_SERVER_HTML_FILES
  tags:
    - install
    - install:configuration

- name: Write out htpasswd file
  htpasswd: >
    name={{ item.name }}
    password={{ item.password }}
    state={{ item.state  }}
    path={{ nginx_htpasswd_file }}
  when: NGINX_CREATE_HTPASSWD_FILE
  tags:
    - install
    - install:configuration
  with_items: NGINX_USERS

- name: Create nginx log file location (just in case)
  file: >
    path={{ nginx_log_dir}} state=directory
    owner={{ common_web_user }} group={{ common_web_user }}
  tags:
    - install
    - install:configuration

# Check to see if the ssl cert/key exists before copying.
# This extra check is done to prevent failures when
# ansible-playbook is run locally
- local_action:
    module: stat
    path: "{{ NGINX_SSL_CERTIFICATE }}"
  sudo: False
  register: ssl_cert
  tags:
    - install
    - install:configuration

- local_action:
    module: stat
    path: "{{ NGINX_SSL_KEY }}"
  sudo: False
  register: ssl_key
  tags:
    - install
    - install:configuration

- name: copy ssl cert
  copy: >
    src={{ NGINX_SSL_CERTIFICATE }}
    dest=/etc/ssl/certs/
    owner=root group=root mode=0644
  when: ssl_cert.stat.exists and NGINX_ENABLE_SSL and NGINX_SSL_CERTIFICATE != 'ssl-cert-snakeoil.pem'
  tags:
    - install
    - install:configuration

- name: copy ssl key
  copy: >
    src={{ NGINX_SSL_KEY }}
    dest=/etc/ssl/private/
    owner=root group=root mode=0640
  when: ssl_key.stat.exists and NGINX_ENABLE_SSL and NGINX_SSL_KEY != 'ssl-cert-snakeoil.key'
  tags:
    - install
    - install:configuration

# removing default link
- name: Removing default nginx config and restart (enabled)
  file: path={{ nginx_sites_enabled_dir }}/default state=absent
  notify: reload nginx
  tags:
    - install
    - install:configuration

# Note that nginx logs to /var/log until it reads its configuration, so /etc/logrotate.d/nginx is still good

- name: Set up nginx access log rotation
  template: >
    src=etc/logrotate.d/edx_logrotate_nginx_access.j2
    dest=/etc/logrotate.d/nginx-access
    owner=root group=root mode=644
  tags:
    - install
    - install:configuration

- name: Set up nginx access log rotation
  template: >
    src=etc/logrotate.d/edx_logrotate_nginx_error.j2
    dest=/etc/logrotate.d/nginx-error
    owner=root group=root mode=644
  tags:
    - install
    - install:configuration

# nginx is started during package installation, before any of the configuration files are in place.
# The handler that reloads the configuration would be run only at the very end of the playbook, so
# none of the local services would be available in the meantime, e.g. causing certs to error out
# since it can't reach xqueue on the its nginx port.  For this reason, we flush the handlers here
# to ensure the nginx configuration is reloaded when necessary.
- name: Restart or reload nginx if necessary
  meta: flush_handlers
  tags:
    - install
    - install:configuration

# If tasks that notify restart nginx don't change the state of the remote system
# their corresponding notifications don't get run.  If nginx has been stopped for
# any reason, this will ensure that it is started up again.
- name: make sure nginx has started
  service: name=nginx state=started
  tags:
    - manage
    - manage:start