add ubuntu/mastodon.zombocloud.com.yml

ubuntu/mastodon.zombocloud.com.yml

@@ -0,0 +1,89 @@
+---
+- hosts: webservers
+
+  roles:
+  - role: jdauphant.nginx
+    nginx_user: "www-data"
+    nginx_http_params:
+      - sendfile "on"
+      - server_names_hash_bucket_size 512
+    nginx_sites:
+      mastodon.zombocloud.com.http:
+        - listen *:80
+        - listen [::]:80
+        - server_name mastodon.zombocloud.com
+        - location /.well-known/acme-challenge/ {
+            allow all;
+          }
+        - return 301 "https://$host$request_uri"
+      mastodon.zombocloud.com.https:
+        - listen *:443 ssl http2
+        - listen [::]:443 ssl http2
+        - server_name mastodon.zombocloud.com
+        - root "/home/mastodon/live/public"
+        - access_log "/var/log/nginx/mastodon.zombocloud.com.access.log"
+        - error_log "/var/log/nginx/mastodon.zombocloud.com.error.log"
+        - ssl_certificate "/etc/ssl/letsencrypt/mastodon.zombocloud.com.crt"
+        - ssl_certificate_key "/etc/ssl/letsencrypt/mastodon.zombocloud.com.pem"
+        - add_header Strict-Transport-Security max-age=31536000; includeSubDomains
+        - add_header Referrer-Policy no-referrer, strict-origin-when-cross-origin
+        - location / {
+            try_files $uri @proxy;
+          }
+        - location ~ ^/(emoji|packs|system/media_attachments/files|system/accounts/avatars) {
+            add_header Cache-Control public, max-age=31536000, immutable;
+          }
+        - location @proxy {
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header Proxy "";
+            proxy_pass_header Server;
+            proxy_pass http://127.0.0.1:3000;
+            proxy_buffering on;
+            proxy_redirect off;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_cache CACHE;
+            proxy_cache_valid 200 7d;
+            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+            add_header X-Cached $upstream_cache_status;
+            # these are added here because nginx doesn't inherit if there is already a add_header - https://nginx.org/en/docs/http/ngx_http_headers_module.html
+            add_header Strict-Transport-Security max-age=31536000; includeSubDomains;
+            add_header Referrer-Policy no-referrer, strict-origin-when-cross-origin;
+            tcp_nodelay on;
+          }
+        - location /api/v1/streaming {
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_pass http://127.0.0.1:4000;
+            proxy_buffering off;
+            proxy_redirect off;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            tcp_nodelay on;
+          }
+        - error_page 500 501 502 503 504 /500.html
+
+    nginx_configs:
+      gzip:
+        - gzip on
+        - gzip_disable msie6
+        - gzip_vary on
+        - gzip_proxied any;
+        - gzip_comp_level 6;
+        - gzip_buffers 16 8k;
+        - gzip_http_version 1.1
+        - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
+      connectionupgrade:
+        - map $http_upgrade $connection_upgrade {
+            default upgrade;
+            ''      close;
+          }
+      proxycache:
+        - proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g