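---
# Provisions Angie on an ALT Linux host: installs the package, creates a
# self-signed certificate, drops a single index page under the document root
# and serves it over HTTPS with an HTTP -> HTTPS redirect.
#
# The "Reload angie" handler is notified by the certificate and vhost tasks;
# handlers run at the end of the play, i.e. after the service has been
# enabled and started by the last task, so the reload does not hit a
# stopped service on a fresh host.
- name: Configure Angie Web Server (ALT Linux)
  hosts: server
  become: true
  vars:
    ssl_cert_path: "/etc/angie/ssl/www.au.team.crt"
    ssl_key_path: "/etc/angie/ssl/www.au.team.key"
    server_name: "www.au.team"
    # Document root; used both for the index page and for the vhost `root`.
    web_root: "/var/www/html"
    listen_port_http: 80
    listen_port_https: 443

  tasks:
    - name: Update package cache (ALT Linux)
      # NOTE(review): confirm `apt-rpm update` is the correct invocation on
      # the target hosts; the apt-rpm frontend on ALT Linux is commonly
      # driven through `apt-get` — verify before relying on this task.
      ansible.builtin.command:
        cmd: apt-rpm update
      # A cache refresh is never a configuration change.
      changed_when: false
      tags:
        - angie

    - name: Install Angie web server (ALT Linux)
      ansible.builtin.package:
        name: angie
        state: present
      tags:
        - angie

    - name: Create SSL directory
      # The directory itself stays world-readable (the certificate is public);
      # the private key is tightened separately below.
      ansible.builtin.file:
        path: /etc/angie/ssl
        state: directory
        mode: '0755'
        owner: root
        group: root
      tags:
        - ssl

    - name: Generate self-signed SSL certificate
      # Skipped once the certificate exists (`creates`), so re-running the play
      # does not rotate the key pair. Note the key is written with the process
      # umask and only tightened by the next task — on a host with a permissive
      # umask there is a short window where it is readable by others.
      ansible.builtin.command:
        cmd: >
          openssl req -x509 -nodes -days 3650 -newkey rsa:2048
          -keyout {{ ssl_key_path }}
          -out {{ ssl_cert_path }}
          -subj "/C=RU/ST=Moscow/L=Moscow/O=AU Team/CN={{ server_name }}"
        creates: "{{ ssl_cert_path }}"
      notify: Reload angie
      tags:
        - ssl

    - name: Set proper permissions for SSL key
      # Private key must be readable by root only.
      ansible.builtin.file:
        path: "{{ ssl_key_path }}"
        mode: '0600'
        owner: root
        group: root
      tags:
        - ssl

    - name: Create web document root
      # The package is not relied on to create the document root; without this
      # task the index.html copy below fails on a host where it is missing.
      ansible.builtin.file:
        path: "{{ web_root }}"
        state: directory
        mode: '0755'
        owner: root
        group: root
      tags:
        - web

    - name: Create index.html with server name
      ansible.builtin.copy:
        content: "{{ inventory_hostname }} by Angie!\n"
        dest: "{{ web_root }}/index.html"
        mode: '0644'
        owner: root
        group: root
      tags:
        - web

    - name: Configure Angie vhost with HTTPS and HTTP redirect
      # Plain-HTTP requests are answered with a permanent redirect to HTTPS;
      # the HTTPS server restricts protocols to TLS 1.2/1.3 and sends HSTS.
      # Caveat: HSTS combined with a self-signed certificate means browsers
      # that have seen the header will not let users click through the
      # certificate warning for this host until max-age expires — intended
      # for a host that will later get a CA-issued certificate, but worth
      # knowing before first deployment.
      ansible.builtin.copy:
        content: |
          # HTTP server - redirect to HTTPS
          server {
              listen {{ listen_port_http }};
              listen [::]:{{ listen_port_http }};
              server_name {{ server_name }};
              return 301 https://$host$request_uri;
          }

          # HTTPS server
          server {
              listen {{ listen_port_https }} ssl;
              listen [::]:{{ listen_port_https }} ssl;
              server_name {{ server_name }};

              ssl_certificate {{ ssl_cert_path }};
              ssl_certificate_key {{ ssl_key_path }};
              ssl_protocols TLSv1.2 TLSv1.3;
              ssl_ciphers HIGH:!aNULL:!MD5;
              ssl_prefer_server_ciphers on;

              root {{ web_root }};
              index index.html;

              location / {
                  try_files $uri $uri/ =404;
              }

              add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
          }
        dest: /etc/angie/conf.d/www.au.team.conf
        mode: '0644'
        # Keep the previous vhost so a bad render can be rolled back by hand.
        backup: true
      notify: Reload angie
      tags:
        - web

    - name: Enable and start Angie service
      ansible.builtin.systemd:
        name: angie
        enabled: true
        state: started
      tags:
        - angie

  handlers:
    - name: Reload angie
      ansible.builtin.systemd:
        name: angie
        state: reloaded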