[
	{
		"name": "install packages",
		"become": true,
		"ansible.builtin.apt": {
			"update_cache": true,
			"pkg": [
				"nginx",
				"openssl"
			]
		}
	},
	{
		"name": "generate dhparams file",
		"become": true,
		"ansible.builtin.command": {
			"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
		},
		"args": {
			"creates": "/etc/nginx/dhparam"
		}
	},
	{
		"name": "place hardening config",
		"become": true,
		"ansible.builtin.copy": {
			"src": "ssl-hardening.conf",
			"dest": "/etc/nginx/ssl-hardening.conf"
		}
	},
	{
		"name": "ufw | check",
		"become": true,
		"check_mode": true,
		"community.general.ufw": {
			"state": "enabled"
		},
		"register": "ufw_enable_check"
	},
	{
		"name": "ufw | allow port 80",
		"when": "not ufw_enable_check.changed",
		"become": true,
		"community.general.ufw": {
			"rule": "allow",
			"port": "80",
			"proto": "tcp"
		}
	},
	{
		"name": "ufw | allow port 443",
		"when": "not ufw_enable_check.changed",
		"become": true,
		"community.general.ufw": {
			"rule": "allow",
			"port": "443",
			"proto": "tcp"
		}
	},
	{
		"name": "auto reload",
		"when": "var_nginx_auto_reload_interval == None",
		"become": true,
		"ansible.builtin.cron": {
			"name": "nginx_auto_reload",
			"disabled": true,
			"minute": "0",
			"hour": "*/{{var_nginx_auto_reload_interval | string}}",
			"day": "*",
			"month": "*",
			"weekday": "*",
			"job": "systemctl reload nginx"
		}
	},
	{
		"name": "auto reload",
		"when": "var_nginx_auto_reload_interval != None",
		"become": true,
		"ansible.builtin.cron": {
			"name": "nginx_auto_reload",
			"disabled": false,
			"minute": "0",
			"hour": "*/{{var_nginx_auto_reload_interval | string}}",
			"day": "*",
			"month": "*",
			"weekday": "*",
			"job": "systemctl reload nginx"
		}
	},
	{
		"name": "restart service",
		"become": true,
		"ansible.builtin.systemd_service": {
			"state": "restarted",
			"name": "nginx"
		}
	}
]