diff --git a/ubuntu/dresden.silvestris.systems.yml b/ubuntu/dresden.silvestris.systems.yml new file mode 100644 index 0000000..8c4d5a2 --- /dev/null +++ b/ubuntu/dresden.silvestris.systems.yml @@ -0,0 +1,89 @@ +--- +- hosts: dresden.silvestris.systems + + roles: + - role: jdauphant.nginx + nginx_user: "www-data" + nginx_events_params: + - worker_connections 1024 + nginx_http_params: + - sendfile "on" + - server_names_hash_bucket_size 512 + nginx_sites: + donate.tenforward.social.http: + - listen *:80 + - listen [::]:80 + - server_name donate.tenforward.social + - root "/srv/www/donate.tenforward.social/" + - location /.well-known/acme-challenge/ { + allow all; + } + - return 301 "https://$host$request_uri" + donate.tenforward.social.https: + - listen *:443 ssl http2 + - listen [::]:443 ssl http2 + - server_name donate.tenforward.social + - root "/srv/www/donate.tenforward.social" + - index index.html + - access_log "/var/log/nginx/donate.tenforward.social.access.log" + - error_log "/var/log/nginx/donate.tenforward.social.error.log" + - ssl_certificate "/etc/ssl/letsencrypt/donate.tenforward.social.crt" + - ssl_certificate_key "/etc/ssl/letsencrypt/donate.tenforward.social.pem" + - include snippets/sslstapling_hsts.conf + nginx_snippets: + sslstapling_hsts: + - ssl_stapling on + - resolver [::1] valid=300s + - add_header Strict-Transport-Security max-age=31536000 + php_standard: + - location / { + try_files $uri $uri/ /index.php?$args; + } + - location ~ \.php$ { + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass php; + fastcgi_index index.php; + } + wp_with_supercache: + - set $cache_uri $request_uri + - if ( $request_method = POST ) { set $cache_uri 'null cache'; } + - if ( $query_string != "" ) { set $cache_uri 'null cache'; } + - if ( $request_uri ~* "/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml" ) { set $cache_uri 'null cache'; } + - if ( $http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in" ) { set $cache_uri 'null cache'; } + - location / { + try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args; + } + - location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff2)$ { + expires max; + } + - location ~ \.php$ { + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass php; + } + nginx_configs: + gzip: + - gzip on + - gzip_disable msie6 + - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript + upstream: + - upstream php { server unix:/run/php/php8.1-fpm.sock; } + ssl: + - ssl_protocols TLSv1.2 TLSv1.3 + - ssl_prefer_server_ciphers on + - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' + - ssl_session_timeout 1d + - ssl_session_cache shared:SSL:50m + - ssl_session_tickets off + fcgicache: + - fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m + - fastcgi_cache_key "$scheme$request_method$host$request_uri" + - fastcgi_cache_use_stale error timeout invalid_header http_500 + - fastcgi_ignore_headers Cache-Control Expires Set-Cookie + - add_header rt-Fastcgi-Cache $upstream_cache_status