roles/nginx: Updates to accomodate Debian 9 (stretch)

There are currently no nginx.org builds for Debian 9, so we need to
use the package from Debian's repository. This package provides a
www-data user and group instead of an nginx one.

We can revert some of this after Debian 9 is released and official
builds come from nginx.org (though it might be useful to keep the
main nginx.conf as a template).

roles/nginx/tasks/main.yml

@@ -1,9 +1,18 @@
 ---
+# There is no nginx.org build for Debian 9 (stretch) yet, so we will use the
+# builds in Debian's own repositories for now. This creates a few problems
+# in this playbook, and we need to remember to undo these workarounds when
+# the Debian stretch builds become available.
+#
+# See: https://nginx.org/packages/mainline/debian/dists/
+
 - name: Add nginx.org apt signing key
+  when: ansible_distribution_major_version | version_compare('9', '!=')
   apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
   tags: nginx, packages
 
 - name: Add nginx.org repo
+  when: ansible_distribution_major_version | version_compare('9', '!=')
   template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
   tags: nginx, packages
 
@@ -11,12 +20,17 @@
   apt: pkg=nginx update_cache=yes state=latest
   tags: nginx, packages
 
-- name: Copy nginx configs
+- name: Copy nginx.conf
+  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
+  notify:
+    - reload nginx
+  tags: nginx
+
+- name: Copy extra nginx configs
   copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
   with_items:
     - extra-security.conf
     - fastcgi_cache
-    - nginx.conf
   notify:
     - reload nginx
   tags: nginx
@@ -26,9 +40,15 @@
   tags: nginx
 
 - name: Create fastcgi cache dir
+  when: ansible_distribution_major_version | version_compare('9', '!=')
   file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
   tags: nginx
 
+- name: Create fastcgi cache dir
+  when: ansible_distribution_major_version | version_compare('9', '==')
+  file: path=/var/cache/nginx/cached/fastcgi state=directory owner=www-data group=www-data mode=0755
+  tags: nginx
+
 - include: vhosts.yml
   when: nginx_vhosts is defined
   tags: nginx

roles/nginx/tasks/vhosts.yml

@@ -17,9 +17,15 @@
     - reload nginx
 
 - name: Create vhost document roots
+  when: ansible_distribution_major_version | version_compare('9', '!=')
   file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
   with_items: "{{ nginx_vhosts }}"
 
+- name: Create vhost document roots
+  when: ansible_distribution_major_version | version_compare('9', '==')
+  file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=www-data group=www-data
+  with_items: "{{ nginx_vhosts }}"
+
 - name: Install WordPress
   git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes
   when: item.has_wordpress is defined and item.has_wordpress == True
@@ -28,7 +34,13 @@
 
 - name: Fix WordPress directory permissions
   file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes
-  when: item.has_wordpress is defined and item.has_wordpress == True
+  when: item.has_wordpress is defined and item.has_wordpress == True and ansible_distribution_major_version | version_compare('9', '!=')
+  with_items: "{{ nginx_vhosts }}"
+  tags: wordpress
+
+- name: Fix WordPress directory permissions
+  file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=www-data group=www-data recurse=yes
+  when: item.has_wordpress is defined and item.has_wordpress == True and ansible_distribution_major_version | version_compare('9', '==')
   with_items: "{{ nginx_vhosts }}"
   tags: wordpress