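---
# Applies the nginx_core.nginx_config role with three rendered files:
#   /etc/nginx/nginx.conf            main context, events, top-level http includes
#   /etc/nginx/http.conf             http-level core, resolver, log and gzip settings
#   /etc/nginx/conf.d/mappings.conf  map used for WebSocket upgrade handling
- name: Configure nginx
  ansible.builtin.import_role:
    name: nginx_core.nginx_config
  vars:
    # overriding any numeric values in the main nginx config requires replacing the entire dictionary
    # See: https://github.com/nginxinc/ansible-role-nginx-config/issues/352
    nginx_config_main_template_enable: true
    nginx_config_main_template:
      template_file: nginx.conf.j2
      deployment_location: /etc/nginx/nginx.conf
      backup: false
      config:
        # https://nginx.org/en/docs/ngx_core_module.html
        main:
          # Worker processes run as the unprivileged nginx account.
          user:
            username: nginx
            group: nginx
          worker_processes: auto
          error_log:
            file: /var/log/nginx/error.log
            level: notice
          #pid: /var/run/nginx.pid
          # worker_rlimit_nofile changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes.
          # Used to increase the limit without restarting the main process.
          # The recommended value seems to be worker_connections * 2
          # NOTE(review): 12288 is worker_connections * 3 (4096 * 3), not * 2 as stated
          # above; confirm which one is intended.
          worker_rlimit_nofile: 12288
        events:
          worker_connections: 4096
        http:
          # https://nginx.org/en/docs/http/ngx_http_core_module.html
          # NOTE(review): the same five settings are repeated for /etc/nginx/http.conf
          # below, which is included into this http block. Confirm that only one of the
          # two templates renders them; nginx rejects some directives when duplicated
          # in the same context.
          default_type: application/octet-stream
          sendfile: true
          # Keeps the nginx version out of the Server header and error pages.
          server_tokens: false
          tcp_nodelay: true
          tcp_nopush: true
          include:
            - /etc/nginx/mime.types
            - /etc/nginx/http.conf
            - /etc/nginx/conf.d/*.conf
    nginx_config_http_template_enable: true
    nginx_config_http_template:
      - template_file: http/default.conf.j2
        deployment_location: /etc/nginx/http.conf
        backup: false
        config:
          core:
            default_type: application/octet-stream
            sendfile: true
            # Keeps the nginx version out of the Server header and error pages.
            server_tokens: false
            tcp_nodelay: true
            tcp_nopush: true
            # required for OCSP stapling
            # NOTE(review): stapling itself (ssl_stapling / ssl_stapling_verify) is not
            # enabled in this file; confirm the server blocks that rely on this resolver.
            # The nginx documentation recommends resolvers on a properly secured, trusted
            # local network to prevent DNS spoofing. These two are public resolvers, so
            # answers cross the internet unauthenticated and the lookups are visible to
            # third parties. Prefer a local validating resolver where one is available.
            resolver:
              address:
                - '1.1.1.1'
                - '8.8.8.8'
            resolver_timeout: 10s
          log:
            format:
              # $http_x_forwarded_for is a client-supplied header, so treat it as
              # untrusted when analysing logs; $realip_remote_addr is the original peer
              # address as seen before the realip module rewrites $remote_addr.
              - name: main
                format: |
                  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"'
          gzip:
            # https://nginx.org/en/docs/http/ngx_http_gzip_module.html
            # NOTE(review): compressing TLS responses that contain both a secret and
            # request-controlled data is the precondition for BREACH-style length side
            # channels. application/json is compressed here (text/html always is), and
            # proxied: any extends that to every proxied response. Confirm no such
            # endpoint returns tokens, or exclude it from compression.
            enable: true
            # 9 is the maximum level: highest CPU cost per response for little extra gain.
            comp_level: 9
            min_length: 100
            proxied: any
            types:
              - application/json
              - text/plain
              - text/css
            vary: true
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/conf.d/mappings.conf"
        backup: false
        config:
          map:
            mappings:
              # https://nginx.org/en/docs/http/websocket.html
              # $connection_upgrade becomes "upgrade" when the client sent an Upgrade
              # header and "close" when that header is empty.
              - string: $http_upgrade
                variable: $connection_upgrade
                content:
                  - value: default
                    new_value: upgrade
                  - value: "''"
                    new_value: close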