From df22074aeb78fa1f4edee001cbb5673629a087c4 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 18 Feb 2025 03:59:08 +0100
Subject: [PATCH] nginx(role): simplify installation by removing version spec

We always just want the latest anyway and therefore don't use it, so no
need to keep the complexity introduced by that setting.
Also merge repo_setup and nginx_install task lists into one
nginx_install task list as keeping two files isn't necessary.
Finally improving naming a bit.
---
 roles/nginx/README.md                     |  4 --
 roles/nginx/meta/argument_specs.yaml      |  9 ----
 roles/nginx/tasks/main.yaml               |  7 +--
 roles/nginx/tasks/main/nginx_install.yaml | 53 ++++++++++++++++++++---
 roles/nginx/tasks/main/repo_setup.yaml    | 45 -------------------
 5 files changed, 47 insertions(+), 71 deletions(-)
 delete mode 100644 roles/nginx/tasks/main/repo_setup.yaml

diff --git a/roles/nginx/README.md b/roles/nginx/README.md
index 9abf2ea..e162123 100644
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@@ -20,10 +20,6 @@ The following distributions are supported:
 
 For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
 
-## Updates
-
-This role updates NGINX to the latest version covered by the provided version spec., if needed.
-
 ## `hosts`
 
 The `hosts` for this role need to be the machines, for which you want to make sure the `nginx` package is installed from the NGINX repos and a desirable baseline of NGINX configs is deployed.
diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml
index d79ba9e..693e196 100644
--- a/roles/nginx/meta/argument_specs.yaml
+++ b/roles/nginx/meta/argument_specs.yaml
@@ -1,15 +1,6 @@
 argument_specs:
   main:
     options:
-      nginx__version_spec:
-        description: >-
-          The version specification to use for installing the `nginx` package. The
-          provided version specification will be used like the following: `nginx={{
-          nginx__version_spec }}*`. This makes it possible to e.g. specify
-          until a minor version (like `1.3.`) and then have patch versions be
-          installed automatically (like `1.3.1` and so on).
-        type: str
-        required: true
       nginx__deploy_redirect_conf:
         description: >-
           Whether or not to deploy a `redirect.conf` to
diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml
index 6ecb2da..89c9be2 100644
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
@@ -3,12 +3,7 @@
     name: nginx
     tasks_from: make_sure_nginx_configuration_names_are_valid
 
-- name: make sure NGINX repos are setup
-  ansible.builtin.include_role:
-    name: nginx
-    tasks_from: main/repo_setup
-
-- name: make sure NGINX is installed
+- name: ensure NGINX is installed
   ansible.builtin.include_role:
     name: nginx
     tasks_from: main/nginx_install
diff --git a/roles/nginx/tasks/main/nginx_install.yaml b/roles/nginx/tasks/main/nginx_install.yaml
index 6d63ad3..b58ec69 100644
--- a/roles/nginx/tasks/main/nginx_install.yaml
+++ b/roles/nginx/tasks/main/nginx_install.yaml
@@ -1,13 +1,52 @@
-- name: make sure the `nginx` package is installed
+- name: gather package facts
+  ansible.builtin.package_facts:
+    manager: apt
+
+- name: make sure `gnupg` package is installed
   ansible.builtin.apt:
-    name: nginx={{ nginx__version_spec }}*
+    name: gnupg
     state: present
-    allow_change_held_packages: true
     update_cache: true
   become: true
+  when: "'gnupg' not in ansible_facts.packages"
 
-- name: apt-mark hold `nginx`
-  ansible.builtin.dpkg_selections:
-    name: nginx
-    selection: hold
+- name: make sure NGINX signing key is added
+  ansible.builtin.get_url:
+    url: https://nginx.org/keys/nginx_signing.key
+    dest: /etc/apt/trusted.gpg.d/nginx.asc
+    mode: "0644"
+    owner: root
+    group: root
+  become: true
+
+- name: make sure NGINX APT repository is added
+  ansible.builtin.apt_repository:
+    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+    state: present
+  become: true
+
+- name: make sure NGINX APT source repository is added
+  ansible.builtin.apt_repository:
+    repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+    state: present
+  become: true
+
+- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories
+  ansible.builtin.copy:
+    content: |
+      Package: *
+      Pin: origin nginx.org
+      Pin: release o=nginx
+      Pin-Priority: 900
+    dest: /etc/apt/preferences.d/99nginx
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+
+- name: Ensure nginx is installed
+  ansible.builtin.apt:
+    name: nginx
+    state: present
+    update_cache: true
   become: true
diff --git a/roles/nginx/tasks/main/repo_setup.yaml b/roles/nginx/tasks/main/repo_setup.yaml
deleted file mode 100644
index 253beb1..0000000
--- a/roles/nginx/tasks/main/repo_setup.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-- name: gather package facts
-  ansible.builtin.package_facts:
-    manager: apt
-
-- name: make sure `gnupg` package is installed
-  ansible.builtin.apt:
-    name: gnupg
-    state: present
-    update_cache: true
-  become: true
-  when: "'gnupg' not in ansible_facts.packages"
-
-- name: make sure NGINX signing key is added
-  ansible.builtin.get_url:
-    url: https://nginx.org/keys/nginx_signing.key
-    dest: /etc/apt/trusted.gpg.d/nginx.asc
-    mode: "0644"
-    owner: root
-    group: root
-  become: true
-
-- name: make sure NGINX APT repository is added
-  ansible.builtin.apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
-    state: present
-  become: true
-
-- name: make sure NGINX APT source repository is added
-  ansible.builtin.apt_repository:
-    repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
-    state: present
-  become: true
-
-- name: set up repository pinning to make sure nginx package gets installed from NGINX repositories
-  ansible.builtin.copy:
-    content: |
-      Package: *
-      Pin: origin nginx.org
-      Pin: release o=nginx
-      Pin-Priority: 900
-    dest: /etc/apt/preferences.d/99nginx
-    owner: root
-    group: root
-    mode: "0644"
-  become: true