Use nginx role with custom nginx.conf support

playbooks/roles/nginx/tasks/main/config_deploy.yaml

@@ -0,0 +1,130 @@
+- name: check, if a save of a previous `nginx.conf` is present
+  ansible.builtin.stat:
+    path: /etc/nginx/nginx.conf.ansiblesave
+  register: nginx__nginx_conf_ansiblesave_stat_result
+
+- name: handle the case, where a custom `nginx.conf` is to be used
+  when: nginx__use_custom_nginx_conf
+  block:
+    - name: when no `nginx.conf.ansiblesave` is present, save the current `nginx.conf`
+      when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists == false
+      ansible.builtin.copy:
+        force: true
+        dest: /etc/nginx/nginx.conf.ansiblesave
+        mode: 0644
+        owner: root
+        group: root
+        remote_src: true
+        src: /etc/nginx/nginx.conf
+      become: true
+
+    - name: deploy the custom `nginx.conf`
+      ansible.builtin.copy:
+        content: "{{ nginx__custom_nginx_conf }}"
+        dest: "/etc/nginx/nginx.conf"
+        mode: 0644
+        owner: root
+        group: root
+      become: true
+
+- name: handle the case, where no custom `nginx.conf` is to be used
+  when: not nginx__use_custom_nginx_conf
+  block:
+    - name: when a `nginx.conf.ansiblesave` is present, copy it to `nginx.conf`
+      when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists
+      ansible.builtin.copy:
+        force: true
+        dest: /etc/nginx/nginx.conf
+        mode: 0644
+        owner: root
+        group: root
+        remote_src: true
+        src: /etc/nginx/nginx.conf.ansiblesave
+      become: true
+
+    - name: delete the `nginx.conf.ansiblesave`, if it is present
+      when: nginx__nginx_conf_ansiblesave_stat_result.stat.exists
+      ansible.builtin.file:
+        path: /etc/nginx/nginx.conf.ansiblesave
+        state: absent
+      become: true
+
+- name: make sure mozilla dhparam is deployed
+  ansible.builtin.get_url:
+    force: true
+    dest: /etc/nginx-mozilla-dhparam
+    mode: 0644
+    url: https://ssl-config.mozilla.org/ffdhe2048.txt
+  become: true
+  notify: Restart `nginx.service`
+
+- name: set `nginx__config_files_to_exist` fact initially to an empty list
+  ansible.builtin.set_fact:
+    nginx__config_files_to_exist: [ ]
+
+- name: handle the case, where tls.conf should be deployed
+  when: nginx__deploy_tls_conf
+  block:
+    - name: make sure tls.conf is deployed
+      ansible.builtin.copy:
+        force: true
+        dest: /etc/nginx/conf.d/tls.conf
+        mode: 0644
+        owner: root
+        group: root
+        src: tls.conf
+      become: true
+      notify: Restart `nginx.service`
+
+    - name: add tls.conf to nginx__config_files_to_exist
+      ansible.builtin.set_fact:
+        nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'tls.conf' ] }}"  # noqa: jinja[spacing]
+
+- name: handle the case, where redirect.conf should be deployed
+  when: nginx__deploy_redirect_conf
+  block:
+    - name: make sure redirect.conf is deployed
+      ansible.builtin.copy:
+        force: true
+        dest: /etc/nginx/conf.d/redirect.conf
+        mode: 0644
+        owner: root
+        group: root
+        src: redirect.conf
+      become: true
+      notify: Restart `nginx.service`
+
+    - name: add redirect.conf to nginx__config_files_to_exist
+      ansible.builtin.set_fact:
+        nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ 'redirect.conf' ] }}"  # noqa: jinja[spacing]
+
+- name: make sure all given configuration files are deployed
+  ansible.builtin.copy:
+    content: "{{ item.content }}"
+    dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
+    mode: 0644
+    owner: root
+    group: root
+  become: true
+  loop: "{{ nginx__configurations }}"
+  notify: Restart `nginx.service`
+
+- name: add names plus suffix from `nginx__configurations` to `nginx__config_files_to_exist` fact
+  ansible.builtin.set_fact:
+    nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ item.name + '.conf' ] }}"  # noqa: jinja[spacing]
+  loop: "{{ nginx__configurations }}"
+
+- name: find configuration files to remove
+  ansible.builtin.find:
+    paths: /etc/nginx/conf.d/
+    recurse: false
+    excludes: "{{ nginx__config_files_to_exist }}"
+  register: nginx__config_files_to_remove
+
+- name: remove all configuration file, which should be removed
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: absent
+  become: true
+  loop: "{{ nginx__config_files_to_remove.files }}"
+  notify: Restart `nginx.service`

playbooks/roles/nginx/tasks/main/nginx_install.yaml

@@ -0,0 +1,13 @@
+- name: make sure the `nginx` package is installed
+  ansible.builtin.apt:
+    name: nginx={{ nginx__version_spec }}*
+    state: present
+    allow_change_held_packages: true
+    update_cache: true
+  become: true
+
+- name: apt-mark hold `nginx`
+  ansible.builtin.dpkg_selections:
+    name: nginx
+    selection: hold
+  become: true

playbooks/roles/nginx/tasks/main/repo_setup.yaml

@@ -0,0 +1,30 @@
+- name: make sure `gnupg` package is installed
+  ansible.builtin.apt:
+    name: gnupg
+    state: present
+    update_cache: true
+  become: true
+
+- name: make sure NGINX signing key is added
+  ansible.builtin.apt_key:
+    url: https://nginx.org/keys/nginx_signing.key
+    state: present
+  become: true
+  notify: apt-get update
+
+- name: make sure NGINX APT repository is added
+  ansible.builtin.apt_repository:
+    repo: deb https://nginx.org/packages/debian/ bullseye nginx
+    state: present
+  become: true
+  notify: apt-get update
+
+- name: make sure NGINX APT source repository is added
+  ansible.builtin.apt_repository:
+    repo: deb-src https://nginx.org/packages/debian/ bullseye nginx
+    state: present
+  become: true
+  notify: apt-get update
+
+- name: Flush handlers to make sure "apt-get update" handler runs, if needed
+  ansible.builtin.meta: flush_handlers