--- - hosts: erlking.silvestris.systems roles: - role: jdauphant.nginx nginx_user: "www-data" nginx_events_params: - worker_connections 1024 nginx_http_params: - sendfile "on" - server_names_hash_bucket_size 512 nginx_sites: asininetech.com.http: - listen *:80 - listen [::]:80 - server_name asininetech.com - return 301 "https://nullrouted.space$request_uri" asininetech.com.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name asininetech.com - access_log "/var/log/nginx/asininetech.com.access.log" - error_log "/var/log/nginx/asininetech.com.error.log" - ssl_certificate "/etc/ssl/letsencrypt/asininetech.com.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/asininetech.com.pem" - return 301 "https://nullrouted.space$request_uri" nullrouted.space.http: - listen *:80 - listen [::]:80 - server_name nullrouted.space - return 301 "https://$host$request_uri" nullrouted.space.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name nullrouted.space - root "/srv/www/nullrouted.space" - index index.php index.html - access_log "/var/log/nginx/nullrouted.space.access.log" - error_log "/var/log/nginx/nullrouted.space.error.log" - client_max_body_size 10M - ssl_certificate "/etc/ssl/letsencrypt/nullrouted.space.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/nullrouted.space.pem" - include snippets/sslstapling_hsts.conf - include snippets/wp_with_supercache.conf entropynet.net.http: - listen *:80 - listen [::]:80 - server_name entropynet.net - return 301 "https://$host$request_uri" entropynet.net.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name entropynet.net - root "/srv/www/entropynet.net" - error_page 404 /404.html - index index.html - access_log "/var/log/nginx/entropynet.net.access.log" - error_log "/var/log/nginx/entropynet.net.error.log" - ssl_certificate "/etc/ssl/letsencrypt/entropynet.net.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/entropynet.net.pem" - include snippets/sslstapling_hsts.conf twoshadesofbrown.com.http: - listen *:80 - listen [::]:80 - server_name twoshadesofbrown.com - return 301 "https://$host$request_uri" twoshadesofbrown.com.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name twoshadesofbrown.com - root "/srv/www/twoshadesofbrown.com" - index index.php index.html - access_log "/var/log/nginx/twoshadesofbrown.com.access.log" - error_log "/var/log/nginx/twoshadesofbrown.com.error.log" - client_max_body_size 10M - ssl_certificate "/etc/ssl/letsencrypt/twoshadesofbrown.com.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/twoshadesofbrown.com.pem" - include snippets/sslstapling_hsts.conf - include snippets/wp_with_supercache.conf wiki.packetcat.ca.http: - listen *:80 - listen [::]:80 - server_name wiki.packetcat.ca - return 301 "https://$host$request_uri" wiki.packetcat.ca.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name wiki.packetcat.ca - root "/srv/www/wiki.packetcat.ca" - index index.php - access_log "/var/log/nginx/wiki.packetcat.ca.access.log" - error_log "/var/log/nginx/wiki.packetcat.ca.error.log" - ssl_certificate "/etc/ssl/letsencrypt/wiki.packetcat.ca.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/wiki.packetcat.ca.pem" - include snippets/sslstapling_hsts.conf - location ~ /(data|conf|bin|inc)/ { deny all; } - location / { try_files $uri $uri/ /index.php?$args; } - location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass php; fastcgi_index index.php; } sadiqsaif.com.http: - listen *:80 - listen [::]:80 - server_name sadiqsaif.com - return 301 "https://$host$request_uri" sadiqsaif.com.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name sadiqsaif.com - root "/srv/www/sadiqsaif.com/public" - index index.html - error_page 404 /404.html - access_log "/var/log/nginx/sadiqsaif.com.access.log" - error_log "/var/log/nginx/sadiqsaif.com.error.log" - ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.com.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.com.pem" - include snippets/sslstapling_hsts.conf sadiq.ae.http: - listen *:80 - listen [::]:80 - server_name sadiq.ae - return 301 "https://sadiqsaif.com$request_uri" sadiq.ae.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name sadiq.ae - access_log "/var/log/nginx/sadiq.ae.access.log" - error_log "/var/log/nginx/sadiq.ae.error.log" - ssl_certificate "/etc/ssl/letsencrypt/sadiq.ae.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/sadiq.ae.pem" - return 301 "https://sadiqsaif.com$request_uri" sadiqsaif.ca.http: - listen *:80 - listen [::]:80 - server_name sadiqsaif.ca - return 301 "https://sadiqsaif.com$request_uri" sadiqsaif.ca.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name sadiqsaif.ca - access_log "/var/log/nginx/sadiqsaif.ca.access.log" - error_log "/var/log/nginx/sadiqsaif.ca.error.log" - ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.ca.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.ca.pem" - return 301 "https://sadiqsaif.com$request_uri" wiki.tenforward.social.http: - listen *:80 - listen [::]:80 - server_name wiki.tenforward.social - return 301 "https://$host$request_uri" wiki.tenforward.social.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name wiki.tenforward.social - root "/srv/www/wiki.tenforward.social" - index index.php - access_log "/var/log/nginx/wiki.tenforward.social.access.log" - error_log "/var/log/nginx/wiki.tenforward.social.error.log" - ssl_certificate "/etc/ssl/letsencrypt/wiki.tenforward.social.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/wiki.tenforward.social.pem" - include snippets/sslstapling_hsts.conf - location ~ /(data|conf|bin|inc)/ { deny all; } - location / { try_files $uri $uri/ /index.php?$args; } - location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass php; fastcgi_index index.php; } irreverent.space.http: - listen *:80 - listen [::]:80 - server_name irreverent.space - return 301 "https://$host$request_uri" irreverent.space.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name irreverent.space - root "/srv/www/irreverent.space" - index index.php index.html - access_log "/var/log/nginx/irreverent.space.access.log" - error_log "/var/log/nginx/irreverent.space.error.log" - client_max_body_size 10M - ssl_certificate "/etc/ssl/letsencrypt/irreverent.space.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/irreverent.space.pem" - include snippets/sslstapling_hsts.conf - include snippets/wp_with_supercache.conf ultonomy.com.http: - listen *:80 - listen [::]:80 - server_name ultonomy.com - return 301 "https://$host$request_uri" ultonomy.com.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name ultonomy.com - root "/srv/www/ultonomy.com" - index index.php index.html - access_log "/var/log/nginx/ultonomy.com.access.log" - error_log "/var/log/nginx/ultonomy.com.error.log" - client_max_body_size 10M - ssl_certificate "/etc/ssl/letsencrypt/ultonomy.com.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/ultonomy.com.pem" - include snippets/sslstapling_hsts.conf - include snippets/wp_with_supercache.conf bastetrix.com.http: - listen *:80 - listen [::]:80 - server_name bastetrix.com - root "/srv/www/bastetrix.com/public" - location /.well-known/acme-challenge/ { allow all; } - return 301 "https://$host$request_uri" bastetrix.com.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name bastetrix.com - root "/srv/www/bastetrix.com/public" - index index.html - access_log "/var/log/nginx/bastetrix.com.access.log" - error_log "/var/log/nginx/bastetrix.com.error.log" - ssl_certificate "/etc/ssl/letsencrypt/bastetrix.com.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/bastetrix.com.pem" - include snippets/sslstapling_hsts.conf wiki.bastetrix.org.http: - listen *:80 - listen [::]:80 - server_name wiki.bastetrix.org - root "/srv/www/wiki.bastetrix.org" - location /.well-known/acme-challenge/ { allow all; } - return 301 "https://$host$request_uri" wiki.bastetrix.org.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name wiki.bastetrix.org - root "/srv/www/wiki.bastetrix.org" - index index.php - access_log "/var/log/nginx/wiki.bastetrix.org.access.log" - error_log "/var/log/nginx/wiki.bastetrix.org.error.log" - ssl_certificate "/etc/ssl/letsencrypt/wiki.bastetrix.org.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/wiki.bastetrix.org.pem" - include snippets/sslstapling_hsts.conf - location ~ /(data|conf|bin|inc)/ { deny all; } - include snippets/php_standard.conf miniflux.packetcat.ca.http: - listen *:80 - listen [::]:80 - server_name miniflux.packetcat.ca - root "/srv/www/miniflux.packetcat.ca" - location /.well-known/acme-challenge/ { allow all; } - return 301 "https://$host$request_uri" miniflux.packetcat.ca.https: - listen *:443 ssl http2 - listen [::]:443 ssl http2 - server_name miniflux.packetcat.ca - root "/srv/www/miniflux.packetcat.ca" - access_log "/var/log/nginx/miniflux.packetcat.ca.access.log" - error_log "/var/log/nginx/miniflux.packetcat.ca.error.log" - ssl_certificate "/etc/ssl/letsencrypt/miniflux.packetcat.ca.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/miniflux.packetcat.ca.pem" - include snippets/sslstapling_hsts.conf - location / { proxy_pass http://127.0.0.1:8080; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } nginx_snippets: sslstapling_hsts: - ssl_stapling on - resolver [::1] valid=300s - add_header Strict-Transport-Security max-age=31536000 php_standard: - location / { try_files $uri $uri/ /index.php?$args; } - location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass php; fastcgi_index index.php; } wp_with_supercache: - set $cache_uri $request_uri - if ( $request_method = POST ) { set $cache_uri 'null cache'; } - if ( $query_string != "" ) { set $cache_uri 'null cache'; } - if ( $request_uri ~* "/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml" ) { set $cache_uri 'null cache'; } - if ( $http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in" ) { set $cache_uri 'null cache'; } - location / { try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args; } - location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff2)$ { expires max; } - location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass php; } nginx_configs: gzip: - gzip on - gzip_disable msie6 - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript upstream: - upstream php { server unix:/run/php/php8.1-fpm.sock; } ssl: - ssl_protocols TLSv1.2 TLSv1.3 - ssl_prefer_server_ciphers on - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' - ssl_dhparam "/etc/nginx/dhparams.pem" - ssl_session_timeout 1d - ssl_session_cache shared:SSL:50m - ssl_session_tickets off fcgicache: - fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m - fastcgi_cache_key "$scheme$request_method$host$request_uri" - fastcgi_cache_use_stale error timeout invalid_header http_500 - fastcgi_ignore_headers Cache-Control Expires Set-Cookie - add_header rt-Fastcgi-Cache $upstream_cache_status