[
	{
		"name": "install packages",
		"become": true,
		"ansible.builtin.apt": {
			"update_cache": true,
			"pkg": [
				"nginx",
				"openssl"
			]
		}
	},
	{
		"name": "generate dhparams file",
		"ansible.builtin.command": "openssl dhparam -out /etc/nginx/dhparam 4096",
		"args": {
			"creates": "/etc/nginx/dhparam"
		}
	},
	{
		"name": "place hardening config",
		"become": true,
		"ansible.builtin.copy": {
			"src": "ssl-hardening.conf",
			"dest": "/etc/nginx/ssl-hardening.conf"
		}
	},
	{
		"name": "Check wether enabling UFW would be considered a changed",
		"check_mode": true,
		"community.general.ufw": {
			"state": "enabled",
			"register": "ufw_enable_check"
		}
	},
	{
		"name": "Allow port 80 in ufw",
		"community.general.ufw": {
			"rule": "allow",
			"port": "80",
			"proto": "tcp"
		},
		"when": "not ufw_enable_check.changed"
	},
	{
		"name": "Allow port 443 in ufw",
		"community.general.ufw": {
			"rule": "allow",
			"port": "443",
			"proto": "tcp"
		},
		"when": "not ufw_enable_check.changed"
	},
	{
		"name": "restart service",
		"become": true,
		"ansible.builtin.systemd_service": {
			"state": "restarted",
			"name": "nginx"
		}
	}
]