---
- name: Secure Nginx Web Server
  hosts: your_web_server
  become: yes
  tasks:
    - name: Copy nginx configuration file with XSS protection and dot file access denial
      template:
        src: nginx_secure_config.j2
        dest: /etc/nginx/sites-available/default
      notify:
        - Reload Nginx

    - name: Ensure nginx snakeoil.conf is included
      lineinfile:
        path: /etc/nginx/sites-available/default
        regexp: '^include snippets/snakeoil.conf;'
        line: 'include snippets/snakeoil.conf;'
      notify:
        - Reload Nginx

    - name: Ensure nginx PHP location is configured correctly
      lineinfile:
        path: /etc/nginx/sites-available/default
        regexp: '^location ~ \.php\$ {'
        line: 'location ~ \.php$ {'
      notify:
        - Reload Nginx

  handlers:
    - name: Reload Nginx
      systemd:
        name: nginx
        state: restarted