
service-nginx role now automatically creates a secured config for ansible_fqdn and allows including additional configs

Till Klocke 7 tahun lalu
induk
melakukan
fba8a5967b

+ 4 - 1
roles/service-nginx/handlers/main.yml

@@ -1,4 +1,7 @@
 ---
 
 - name: Reload nginx
-  service: name=nginx state=reloaded
+  service: name=nginx state=reloaded
+
+- name: Restart nginx
+  service: name=nginx state=restarted
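Review bot: The new `Restart nginx` handler uses the `key=value` free-form argument string (`service: name=nginx state=restarted`), where block YAML module arguments are the Ansible convention and are what the rest of this commit uses for `template:` and `file:`. I would write it as `service:` / `  name: nginx` / `  state: restarted`. The first handler appears to be touched only by whitespace, so the same treatment could be applied to it in the same change rather than leaving the two styles side by side.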

+ 24 - 0
roles/service-nginx/tasks/main.yml

@@ -1,3 +1,27 @@
 ---
 - include: nginx.yml
 - include: acmetool.yml
+
+- name: Ensure nginx default secure config is up to date
+  template:
+    src: nginx_secure_default.conf.j2
+    dest: /etc/nginx/site-available/secure_default.conf
+
+- stat:
+    path: "/var/lib/acme/live/{{ ansible_fqdn }}/privkey"
+  become: yes
+  register: default_key_file_stat
+
+- name: Let acmetool generate a key and a certificate
+  become: yes
+  when: not default_key_file_stat.stat.exists
+  shell: /usr/bin/acmetool want --batch {{ ansible_fqdn }}
+  notify: Restart nginx
+
+- name: Ensure unsecure node_exporter configuration for nginx is enabled
+  become: yes
+  file: 
+    state: link
+    dest: /etc/nginx/sites-enabled/secure_default.conf
+    src: /etc/nginx/sites-available/secure_default.conf
+  notify: Reload nginx
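Review bot: The template task writes to `/etc/nginx/site-available/secure_default.conf` (`site-available`, singular), but the symlink task at the end of the hunk points `/etc/nginx/sites-enabled/secure_default.conf` at `/etc/nginx/sites-available/secure_default.conf`, so the link would dangle and the secure vhost never be served; the template line should read `dest: /etc/nginx/sites-available/secure_default.conf`. The template task also has no `notify: Reload nginx` and, unlike the other new tasks, no `become: yes`, so later changes to the rendered config would not be picked up and the write under /etc/nginx presumably fails unless the play sets become globally. The last task's name, `Ensure unsecure node_exporter configuration for nginx is enabled`, looks copy-pasted and should describe what it does, e.g. `Ensure secure default configuration for nginx is enabled`. The acmetool invocation needs no shell features, so `command: /usr/bin/acmetool want --batch {{ ansible_fqdn }}` (with the value quoted as a whole string) keeps the templated fact from being interpreted by /bin/sh; `become: yes` should be `become: true` per yamllint `truthy`, and the bare `stat:` task deserves a `name:`.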

+ 5 - 0
roles/service-nginx/tasks/nginx.yml

@@ -28,3 +28,8 @@
     dest: /etc/nginx/sites-enabled/unsecure_default.conf
     src: /etc/nginx/sites-available/unsecure_default.conf
   notify: Reload nginx
+
+- name: Ensure site include directory exists
+  file:
+    state: directory
+    dest: "/etc/nginx/site-include/{{ ansible_fqdn }}"
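Review bot: The new directory task sets no `become:` while the tasks added to tasks/main.yml in this commit set it per task, which suggests the play does not enable it globally; creating `/etc/nginx/site-include/{{ ansible_fqdn }}` would then fail on a normal connection user. Since the template added in this commit includes every `*.conf` under that directory into the TLS default vhost, I would also pin its ownership and mode explicitly (for example `owner: root`, `group: root`, `mode: "0755"`) so that only root can drop configuration into it. The `file` module's canonical parameter for a directory is `path`; `dest` is an alias and reads as if a copy were intended. The task preceding the hunk starts outside it.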

+ 14 - 0
roles/service-nginx/templates/nginx_secure_default.conf.j2

@@ -0,0 +1,14 @@
+server {
+  listen          443 ssl http2 default_server;
+  listen          [::]:443 ssl http2 default_server;
+  server_name     {{ ansible_fqdn }};
+
+  include /etc/nginx/ssl.conf;
+
+  ssl_certificate /var/lib/acme/live/{{ ansible_fqdn }}/fullchain;
+  ssl_certificate_key /var/lib/acme/live/{{ ansible_fqdn }}/privkey;
+
+  access_log off;
+
+  include /etc/nginx/site-include/{{ ansible_fqdn }}/*.conf;
+}
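Review bot: `access_log off;` on a `default_server` for port 443 silences exactly the traffic an operator most wants to see: this vhost receives every TLS request whose host name matches no other server block, which is where scanners and misdirected requests land, and the new config leaves no record of them. I would keep a dedicated log instead, e.g. `access_log /var/log/nginx/secure_default.access.log;` (example path). The config also depends on `/etc/nginx/ssl.conf`, which this commit does not add, so the template presumably relies on it being managed elsewhere in the role; a short comment in the template naming where it comes from would help the next reader. The private key path under `/var/lib/acme/live/` must be readable by the nginx master process, which is acmetool's permission model rather than this role's, and is worth stating in the task that calls `acmetool want`.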