openneo-analytics/setup-nginx.yml

---
- name: Install and configure the nginx web server
  hosts: webserver
  become: yes
  become_user: root
  vars:
    admin_email: emi@matchu.dev
  tasks:
    - name: Update the apt cache
      apt:
        update_cache: yes

    - name: Install nginx
      apt:
        name: nginx

    - name: Install certbot
      apt:
        name:
          - certbot
          - python3-certbot-nginx

    - name: Set up the SSL certificate for analytics.openneo.net
      command: "certbot certonly --nginx -n --agree-tos --email {{ admin_email }} --domains analytics.openneo.net"

    - name: Add plausible config file to nginx
      copy:
        dest: /etc/nginx/sites-available/plausible.conf
        content: |
          server {
            server_name analytics.openneo.net;
            listen 80;
            listen [::]:80;
            if ($host = analytics.openneo.net) {
              return 301 https://$host$request_uri;
            }
          }

          server {
            server_name analytics.openneo.net;
            listen 443;
            listen [::]:443 ssl;
            ssl_certificate /etc/letsencrypt/live/analytics.openneo.net/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/analytics.openneo.net/privkey.pem;
            include /etc/letsencrypt/options-ssl-nginx.conf;
            ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
            ssl_session_cache shared:SSL:10m; # https://superuser.com/q/1484466/14127

            location / {
              proxy_pass http://127.0.0.1:8000;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
          }          
      notify:
        - Restart nginx

    - name: Enable plausible config file in nginx
      file:
        src: /etc/nginx/sites-available/plausible.conf
        dest: /etc/nginx/sites-enabled/plausible.conf
        state: link
      notify:
        - Restart nginx

  handlers:
    - name: Restart nginx
      systemd:
        name: nginx
        state: restarted