diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 02fae83..9005f3a 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -55,6 +55,17 @@
 - 'certs/nginx/{{ inventory_hostname }}/ca.crt'
 notify: reload nginx
+- name: ensure nginx configuration directories exist
+ file:
+ path: '{{ item }}'
+ mode: u=rwx,go=rx
+ owner: root
+ group: root
+ state: directory
+ loop:
+ - /etc/nginx
+ - /etc/nginx/conf.d
+ - /etc/nginx/default.d
 - name: ensure nginx is configured
 template:
 src: nginx.conf.j2
@@ -70,6 +81,7 @@
 state: enabled
 permanent: no
 immediate: yes
+ when: host_uses_firewalld|d(true)
 with_items:
 - http
 - https
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index d34f3f9..5b3f8b7 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -2,7 +2,7 @@
 # * Official English Documentation: http://nginx.org/en/docs/
 # * Official Russian Documentation: http://nginx.org/ru/docs/
-user nginx;
+user {{ nginx_user }};
 worker_processes auto;
 error_log /var/log/nginx/error.log;
 {% if nginx_log_syslog|bool %}
diff --git a/roles/nginx/vars/CentOS-8.yml b/roles/nginx/vars/CentOS-8.yml
index 20e09a9..1cec9dd 100644
--- a/roles/nginx/vars/CentOS-8.yml
+++ b/roles/nginx/vars/CentOS-8.yml
@@ -1,2 +1,3 @@
+nginx_user: nginx
 nginx_default_ssl_ciphers:
 - PROFILE=SYSTEM
diff --git a/roles/nginx/vars/Fedora.yml b/roles/nginx/vars/Fedora.yml
index 20e09a9..1cec9dd 100644
--- a/roles/nginx/vars/Fedora.yml
+++ b/roles/nginx/vars/Fedora.yml
@@ -1,2 +1,3 @@
+nginx_user: nginx
 nginx_default_ssl_ciphers:
 - PROFILE=SYSTEM
diff --git a/roles/nginx/vars/defaults.yml b/roles/nginx/vars/defaults.yml
index f2447c7..bff7f43 100644
--- a/roles/nginx/vars/defaults.yml
+++ b/roles/nginx/vars/defaults.yml
@@ -1,3 +1,4 @@
+nginx_user: www-data
 nginx_default_ssl_ciphers:
 - HIGH
 - '!aNULL'
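Review bot: The new "ensure nginx configuration directories exist" task in roles/nginx/tasks/main.yml uses `loop:` while the firewalld task further down the same file still uses `with_items:`; picking one form keeps the file uniform. The task also carries no comment saying why the role has to create directories under /etc/nginx itself, and it is the one place in this diff where the owner and mode of the config tree are pinned. A line above it such as `# conf.d/default.d are not present on every platform; keep the tree root-owned and writable only by root` would record both the reason and the permissions intent. The reason given in that comment is my reading of the change, so adjust it to the actual motivation.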
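Review bot: In the second hunk of roles/nginx/tasks/main.yml, the added `when: host_uses_firewalld|d(true)` has no `|bool`, so a value that arrives as a string (for example from an INI inventory or `-e host_uses_firewalld=false`) is a non-empty string and may still evaluate as true. The template touched by this same commit already uses the safer form in `nginx_log_syslog|bool`, so I would write `when: host_uses_firewalld | d(true) | bool`. The variable is not defined or documented anywhere in this diff; a short comment stating that hosts which set it to false must have http/https handled by whatever firewall they do run would make the skip path explicit. The task this line belongs to starts above the hunk.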
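Review bot: The worker account on the `user {{ nginx_user }};` line in roles/nginx/templates/nginx.conf.j2 is now whatever the variable renders to, and nothing visible in this commit constrains it, so an override to `root` or an empty value would be written straight into nginx.conf. The commit defines `nginx_user` only in vars/CentOS-8.yml, vars/Fedora.yml and vars/defaults.yml, so any other platform vars file the role may load (not visible here) has to define it as well or fall through to defaults.yml. An `assert` task placed before the template task in tasks/main.yml, checking that `nginx_user` is a non-empty string other than `root`, would make the least-privilege expectation explicit and fail the play before a bad config is deployed.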
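Review bot: `nginx_user: www-data` in roles/nginx/vars/defaults.yml changes the rendered worker account for every host that resolves to this file, because before this commit the template hard-coded `user nginx;` for all platforms. `www-data` is the Debian/Ubuntu convention; if any RPM-based platform other than CentOS 8 and Fedora falls through to defaults.yml (the vars selection logic is outside this diff), nginx would presumably be configured with an account that does not exist there and fail to start or reload. A comment on the line, for example `# Debian-family worker account; RPM-based platforms set this in their own vars file`, would record the assumption for whoever adds the next platform.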