create nginx user/group

defaults/main.yml

@@ -38,3 +38,6 @@ nginx__infrastructure_domain__enabled: true
 
 # disable this variable if you don't want to use our acmetool role to manage tls certificates
 nginx__acmetool_enabled: true
+
+nginx__user: 'www-data'
+nginx__group: 'www-data'

tasks/main.yml

@@ -6,6 +6,9 @@
 - name: Install nginx
   ansible.builtin.include_tasks: installation.yml
 
+- name: create nginx user and group
+  ansible.builtin.include_tasks: users.yml
+
 - name: Configure nginx
   ansible.builtin.include_tasks: nginx.yml
 

tasks/nginx.yml

@@ -1,8 +1,8 @@
 ---
 - name: Copy main nginx configuration file
   become: true
-  ansible.builtin.copy:
+  ansible.builtin.template:
-    src: 'nginx/nginx.conf'
+    src: 'templates/nginx/nginx.conf.j2'
     dest: '/etc/nginx/'
     owner: root
     group: root

tasks/users.yml

@@ -0,0 +1,17 @@
+---
+- name: "create {{ nginx__group }} Group"
+  become: true
+  ansible.builtin.group:
+    name: "{{ nginx__group }}"
+    system: true
+    state: 'present'
+
+- name: "create {{ nginx__user }} user"
+  become: true
+  ansible.builtin.user:
+    name: "{{ nginx__user }}"
+    comment: "NGINX user"
+    home: '/var/www'
+    groups: "{{ nginx__group }}"
+    shell: '/usr/sbin/nologin'
+    system: true

templates/nginx/nginx.conf.j2

@@ -1,4 +1,5 @@
-user www-data;
+{{ ansible_managed | comment }}
+user {{ nginx__user }};
 worker_processes auto;
 pid /run/nginx.pid;
 error_log /var/log/nginx/error.log;

vars/main.yml

@@ -1,3 +1,3 @@
 ---
-playbook_version_number: 24  # should be int
+playbook_version_number: 25
 playbook_version_path: 'do1jlr.nginx_roles-ansible.version'