---
- name: Install Nginx
  ansible.builtin.apt:
    name: nginx
    state: present

- name: Ensure Nginx is enabled and started
  ansible.builtin.service:
    name: nginx
    state: started
    enabled: true

- name: Create Nginx includes directory
  ansible.builtin.file:
    path: /etc/nginx/conf.d/include
    state: directory
    mode: '0755'

- name: Create proxy.conf include
  ansible.builtin.copy:
    content: |
      add_header       X-Served-By $host;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Scheme $scheme;
      proxy_set_header X-Forwarded-Proto  $scheme;
      proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
      proxy_set_header X-Real-IP          $remote_addr;
      proxy_pass       $forward_scheme://$server:$port$request_uri;
    dest: /etc/nginx/conf.d/include/proxy.conf

- name: Create internal.conf include (access rules)
  ansible.builtin.copy:
    content: |
      deny 192.168.5.1;
      allow 192.168.100.0/24;
      allow 10.0.0.1/24;
      deny all;
      satisfy all;
    dest: /etc/nginx/conf.d/include/internal.conf

- name: Create upgrade.conf include
  ansible.builtin.copy:
    content: |
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_pass_header   X-Transmission-Session-Id;
    dest: /etc/nginx/conf.d/include/upgrade.conf

- name: Create ssl-ciphers.conf include
  ansible.builtin.template:
    src: ssl-ciphers.conf
    dest: /etc/nginx/conf.d/include/ssl-ciphers.conf

- name: Create ssl-cache.conf include
  ansible.builtin.template:
    src: ssl-cache.conf
    dest: /etc/nginx/conf.d/include/ssl-cache.conf

- name: Create force-ssl.conf include
  ansible.builtin.template:
    src: force-ssl.conf
    dest: /etc/nginx/conf.d/include/force-ssl.conf