---
# Deploy the site content and the nginx vhost fragments under DATA_ROOT.
# A changed file notifies the "Restart nginx" handler (defined elsewhere).
- name: Copy webserver files
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "{{ DATA_ROOT }}/nginx"
    owner: "{{ USER }}"
    group: "{{ USER }}"
    mode: '0644'
  loop:
    - www
    - user_conf.d
  notify: Restart nginx

# nginx runs as a rootless podman container on the unprivileged host ports
# 8080/8443; the iptables task below maps 80/443 onto them.
- name: Setup nginx
  containers.podman.podman_container:
    name: webserver
    # NOTE(review): no tag or digest, so this resolves to the mutable
    # :latest tag — pin a release tag or an @sha256 digest so deployments
    # are reproducible and image changes are deliberate.
    image: docker.io/jonasal/nginx-certbot
    network: "{{ NETWORK }}"
    ports:
      - "8080:80"
      - "8443:443"
    env:
      CERTBOT_EMAIL: "johannes@memzero.de"
      # STAGING: "1"
      # DEBUG: "1"
    volumes:
      # ':Z' privately relabels the host paths for SELinux; ':ro' keeps the
      # container from modifying the deployed content.
      - "{{ DATA_ROOT }}/nginx/user_conf.d:/etc/nginx/user_conf.d:ro,Z"
      - "{{ DATA_ROOT }}/nginx/www:/www:ro,Z"
      # NOTE(review): no volume holds the certbot state (presumably
      # /etc/letsencrypt inside the image) — confirm that issued
      # certificates survive re-creating the container.

# All services run under rootless podman and nginx is the only entry point
# from the outside, acting as web server and reverse proxy.
# Rather than lowering the unprivileged port start (1024), two nat
# redirects forward the privileged ports:
#   80  -> 8080
#   443 -> 8443
# Only PREROUTING is touched, so connections originating on the host itself
# are not redirected. The module applies IPv4 rules by default (ip_version)
# and does not persist them by itself — confirm IPv6 and reboot handling
# are covered elsewhere.
- name: Forward port 80/443 to 8080/8443
  ansible.builtin.iptables:
    table: nat
    chain: PREROUTING
    protocol: tcp
    match: tcp
    destination_port: "{{ item.from }}"
    jump: REDIRECT
    to_ports: "{{ item.to }}"
    comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}"
  become: true
  loop:
    - from: 80
      to: 8080
    - from: 443
      to: 8443