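# Provision nginx in front of the uwsgi apps and obtain Let's Encrypt
# certificates. A first-stage, non-TLS nginx config is installed before certbot
# runs (presumably so the certbot nginx plugin has a working server to use);
# the final config replaces it once the certificates exist.

- name: Copy first stage nginx config
  copy:
    src: nginx_nossl.conf
    dest: /etc/nginx/nginx.conf
    # Explicit ownership and mode: without them the result depends on the
    # remote umask and on whatever permissions an existing file already has.
    owner: root
    group: root
    mode: "0644"

- name: Add nginx user to uwsgi group for access to uwsgi socket
  user:
    name: nginx
    groups: uwsgi
    # Keep nginx's existing supplementary groups; only add uwsgi.
    append: true

- name: Create blog.jaseg.net content dir
  file:
    path: /var/www/blog.jaseg.net
    state: directory
    owner: nginx
    group: nginx
    # Read and traverse only: the nginx user cannot write into the web root.
    # Quoted so the value is never re-typed by the YAML parser.
    mode: "0550"

- name: Copy uwsgi systemd socket config
  copy:
    src: uwsgi-app@.socket
    dest: /etc/systemd/system/
    owner: root
    group: root
    mode: "0644"

- name: Copy uwsgi systemd service config
  copy:
    src: uwsgi-app@.service
    dest: /etc/systemd/system/
    owner: root
    group: root
    mode: "0644"

# FIXME this is to let nginx talk to uwsgi
# NOTE(review): permissive mode stops SELinux enforcement for the whole host
# (denials are only logged), not just for the nginx -> uwsgi socket access
# this works around. Narrower options to evaluate: make only the nginx domain
# permissive (selinux_permissive module, assuming nginx runs as httpd_t), or
# ship a local policy module that allows the socket access.
- name: Set SELinux to permissive mode
  selinux:
    state: permissive
    policy: targeted

- name: Enable and launch nginx systemd service
  systemd:
    name: nginx.service
    enabled: true
    state: restarted

# `creates` makes each certbot task a no-op once fullchain.pem exists, so
# re-running the play does not request a new certificate.
- name: Create letsencrypt certificate for gerbolyze.jaseg.net
  command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
  args:
    creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem

- name: Create letsencrypt certificate for blog.jaseg.net
  command: certbot --nginx certonly -d blog.jaseg.net -n --agree-tos --email blog@jaseg.net
  args:
    creates: /etc/letsencrypt/live/blog.jaseg.net/fullchain.pem

- name: Copy final nginx config
  copy:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"

- name: Restart nginx to load new cert
  systemd:
    name: nginx.service
    state: restarted

- name: Enable certbot renewal timer
  systemd:
    name: certbot-renew.timer
    enabled: true
    # Enabling alone only takes effect at the next boot; start the timer now
    # so renewals are scheduled immediately and certificates do not expire
    # on a host that is never rebooted.
    state: started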