From 8b47912f4688279e1920f5b4ded419662788a985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 6 Jun 2024 13:47:26 +0200
Subject: [PATCH] [res]

---
 roles/nginx/tasks/main.json | 65 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 64 insertions(+), 1 deletion(-)

diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index c8e2b40..62853db 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@@ -5,10 +5,73 @@
 "ansible.builtin.apt": {
 "update_cache": true,
 "pkg": [
- "nginx"
+ "nginx",
+ "openssl"
 ]
 }
 },
+ {
+ "name": "generate dhparams file",
+ "become": true,
+ "ansible.builtin.command": {
+ "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
+ },
+ "args": {
+ "creates": "/etc/nginx/dhparam"
+ }
+ },
+ {
+ "name": "place hardening config",
+ "become": true,
+ "ansible.builtin.copy": {
+ "src": "ssl-hardening.conf",
+ "dest": "/etc/nginx/ssl-hardening.conf"
+ }
+ },
+ {
+ "name": "ufw | check",
+ "become": true,
+ "check_mode": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port 80",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "80",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "ufw | allow port 443",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "443",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "auto reload",
+ "when": "auto_reload_interval != None",
+ "become": true,
+ "ansible.builtin.cron": {
+ "name": "nginx_auto_reload",
+ "disabled": true,
+ "minute": "0",
+ "hour": "*/{{var_nginx_auto_reload_interval | string}}",
+ "day": "*",
+ "month": "*",
+ "weekday": "*",
+ "job": "systemctl reload nginx"
+ }
+ },
 {
 "name": "restart service",
 "become": true,
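Review bot: The `auto reload` task gates on `auto_reload_interval` in its `when` but interpolates `var_nginx_auto_reload_interval` into `hour`, so with only one of the two variables defined the task either fails at `when` evaluation on an undefined name or renders an unusable cron hour field; both places should use one name, guarded as `"when": "var_nginx_auto_reload_interval is defined and var_nginx_auto_reload_interval != None"`. The same task sets `"disabled": true`, which installs the crontab entry commented out so the reload never fires; if that is deliberate, make it visible in the task name (e.g. `"name": "auto reload (installed disabled)"`), since the JSON task format has nowhere to put a comment. Separately, `openssl dhparam ... 4096` can take many minutes on first run and the resulting parameters are only used by DHE cipher suites; if `ssl-hardening.conf` restricts nginx to ECDHE/TLS 1.3 the file is dead weight, and otherwise `community.crypto.openssl_dhparam` with `path`/`size` states the same idempotent intent more clearly than `command` plus `creates`. The `restart service` task at the end of the hunk continues outside it.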