--- - name: apply common configuration to all nodes hosts: unsetup user: root roles: - common - name: install PHP-FPM to required nodes hosts: php user: root roles: - php #- name: Generate LE certs on required servers # hosts: webservers # user: root # roles: # - letsencrypt - hosts: webservers roles: - role: jdauphant.nginx nginx_user: "www-data" nginx_http_params: - sendfile "on" - server_names_hash_bucket_size 512 nginx_sites: asininetech.com.http: - listen {{ ansible_default_ipv4.address }}:80 - listen [{{ ansible_default_ipv6.address }}]:80 - server_name asininetech.com - return 301 "https://$host$request_uri" asininetech.com.https: - listen {{ ansible_default_ipv4.address }}:443 ssl http2 - listen [{{ ansible_default_ipv6.address }}]:443 ssl http2 - server_name asininetech.com - root "/srv/www/asininetech.com" - index index.php index.html - access_log "/var/log/nginx/asininetech.com.access.log" - error_log "/var/log/nginx/asininetech.com.error.log" - client_max_body_size 10M - ssl_certificate "/etc/ssl/letsencrypt/asininetech.com.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/asininetech.com.pem" - ssl_stapling on - resolver 8.8.8.8 valid=300s - add_header Strict-Transport-Security max-age=31536000 - location / { try_files $uri $uri/ /index.php?$args; } - location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires 24h; } - location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass php; } entropynet.net.http: - listen {{ ansible_default_ipv4.address }}:80 - listen [{{ ansible_default_ipv6.address }}]:80 - server_name entropynet.net - return 301 "https://$host$request_uri" entropynet.net.https: - listen {{ ansible_default_ipv4.address }}:443 ssl http2 - listen [{{ ansible_default_ipv6.address }}]:443 ssl http2 - server_name entropynet.net - root "/srv/www/entropynet.net" - error_page 404 /404.html - index index.html - access_log "/var/log/nginx/entropynet.net.access.log" - error_log "/var/log/nginx/entropynet.net.error.log" - ssl_certificate "/etc/ssl/letsencrypt/entropynet.net.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/entropynet.net.pem" - ssl_stapling on - resolver 8.8.8.8 valid=300s - add_header Strict-Transport-Security max-age=31536000 i.asininetech.com.http: - listen {{ ansible_default_ipv4.address }}:80 - listen [{{ ansible_default_ipv6.address }}]:80 - server_name i.asininetech.com - return 301 "https://$host$request_uri" i.asininetech.com.https: - listen {{ ansible_default_ipv4.address }}:443 ssl http2 - listen [{{ ansible_default_ipv6.address }}]:443 ssl http2 - server_name i.asininetech.com - root "/home/tenshi/public_html" - index index.html - access_log "/var/log/nginx/i.asininetech.com.access.log" - error_log "/var/log/nginx/i.asininetech.com.error.log" - ssl_certificate "/etc/ssl/letsencrypt/i.asininetech.com.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/i.asininetech.com.pem" - ssl_stapling on - resolver 8.8.8.8 valid=300s - location / { autoindex off; autoindex_exact_size off; } - add_header Strict-Transport-Security max-age=31536000 sadiqsaif.ca: - listen {{ ansible_default_ipv4.address }}:80 - listen {{ ansible_default_ipv4.address }}:443 ssl - listen [{{ ansible_default_ipv6.address }}]:80 - listen [{{ ansible_default_ipv6.address }}]:443 ssl - server_name sadiqsaif.ca - access_log "/var/log/nginx/sadiqsaif.ca.access.log" - error_log "/var/log/nginx/sadiqsaif.ca.error.log" - ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.ca.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.ca.pem" - ssl_stapling on - resolver 8.8.8.8 valid=300s - add_header Strict-Transport-Security max-age=31536000 - return 301 "https://sadiqsaif.com$request_uri" staticsafe.ca: - listen {{ ansible_default_ipv4.address }}:80 - listen {{ ansible_default_ipv4.address }}:443 ssl - listen [{{ ansible_default_ipv6.address }}]:80 - listen [{{ ansible_default_ipv6.address }}]:443 ssl - server_name staticsafe.ca - access_log "/var/log/nginx/staticsafe.ca.access.log" - error_log "/var/log/nginx/staticsafe.ca.error.log" - ssl_certificate "/etc/ssl/letsencrypt/staticsafe.ca.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/staticsafe.ca.pem" - ssl_stapling on - resolver 8.8.8.8 valid=300s - add_header Strict-Transport-Security max-age=31536000 - return 301 "https://sadiqsaif.com$request_uri" twoshadesofbrown.com.http: - listen {{ ansible_default_ipv4.address }}:80 - listen [{{ ansible_default_ipv6.address }}]:80 - server_name twoshadesofbrown.com - return 301 "https://$host$request_uri" twoshadesofbrown.com.https: - listen {{ ansible_default_ipv4.address }}:443 ssl http2 - listen [{{ ansible_default_ipv6.address }}]:443 ssl http2 - server_name twoshadesofbrown.com - root "/srv/www/twoshadesofbrown.com" - index index.php index.html - access_log "/var/log/nginx/twoshadesofbrown.com.access.log" - error_log "/var/log/nginx/twoshadesofbrown.com.error.log" - client_max_body_size 10M - ssl_certificate "/etc/ssl/letsencrypt/twoshadesofbrown.com.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/twoshadesofbrown.com.pem" - ssl_stapling on - resolver 8.8.8.8 valid=300s - add_header Strict-Transport-Security max-age=31536000 - location / { try_files $uri $uri/ /index.php?$args; } - location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires 24h; } - location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass php; } wiki.staticsafe.ca.http: - listen {{ ansible_default_ipv4.address }}:80 - listen [{{ ansible_default_ipv6.address }}]:80 - server_name wiki.staticsafe.ca - return 301 "https://$host$request_uri" wiki.staticsafe.ca.https: - listen {{ ansible_default_ipv4.address }}:443 ssl http2 - listen [{{ ansible_default_ipv6.address }}]:443 ssl http2 - server_name wiki.staticsafe.ca - root "/srv/www/wiki.staticsafe.ca" - index index.php - access_log "/var/log/nginx/wiki.staticsafe.ca.access.log" - error_log "/var/log/nginx/wiki.staticsafe.ca.error.log" - ssl_certificate "/etc/ssl/letsencrypt/wiki.staticsafe.ca.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/wiki.staticsafe.ca.pem" - ssl_stapling on - resolver 8.8.8.8 valid=300s - add_header Strict-Transport-Security max-age=31536000 - location ~ /(data|conf|bin|inc)/ { deny all; } - location / { try_files $uri $uri/ /index.php?$args; } - location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass php; fastcgi_index index.php; } sadiqsaif.com.http: - listen {{ ansible_default_ipv4.address }}:80 - listen [{{ ansible_default_ipv6.address }}]:80 - server_name sadiqsaif.com - return 301 "https://$host$request_uri" sadiqsaif.com.https: - listen {{ ansible_default_ipv4.address }}:443 ssl http2 - listen [{{ ansible_default_ipv6.address }}]:443 ssl http2 - server_name sadiqsaif.com - root "/srv/www/sadiqsaif.com" - index index.html - access_log "/var/log/nginx/sadiqsaif.com.access.log" - error_log "/var/log/nginx/sadiqsaif.com.error.log" - ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.com.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.com.pem" - ssl_stapling on - resolver 8.8.8.8 valid=300s - add_header Strict-Transport-Security max-age=31536000 - error_page 404 /404.html netdata.asininetech.net.http: - listen {{ ansible_default_ipv4.address }}:80 - listen [{{ ansible_default_ipv6.address }}]:80 - server_name netdata.asininetech.net - return 301 "https://$host$request_uri" netdata.asininetech.net.https: - listen {{ ansible_default_ipv4.address }}:443 ssl http2 - listen [{{ ansible_default_ipv6.address }}]:443 ssl http2 - server_name netdata.asininetech.net - root "/srv/www/netdata.asininetech.net" - access_log off - error_log "/var/log/nginx/netdata.asininetech.net.error.log" - ssl_certificate "/etc/ssl/letsencrypt/netdata.asininetech.net.crt" - ssl_certificate_key "/etc/ssl/letsencrypt/netdata.asininetech.net.pem" - ssl_stapling on - resolver 8.8.8.8 valid=300s - add_header Strict-Transport-Security max-age=31536000 - location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://netdata; proxy_http_version 1.1; proxy_pass_request_headers on; proxy_set_header Connection "keep-alive"; proxy_store off; } nginx_configs: gzip: - gzip on - gzip_disable msie6 - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript upstream: - upstream php { server unix:/run/php/php7.0-fpm.sock; } - upstream netdata { server 127.0.0.1:19999; keepalive 64; } ssl: - ssl_protocols TLSv1.2 - ssl_prefer_server_ciphers on - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' - ssl_dhparam "/etc/nginx/dhparams.pem" - ssl_session_timeout 1d - ssl_session_cache shared:SSL:50m - ssl_session_tickets off fcgicache: - fastcgi_cache_path "/var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m" - fastcgi_cache_key "$scheme$request_method$host$request_uri" - fastcgi_cache_use_stale error timeout invalid_header http_500 - fastcgi_ignore_headers Cache-Control Expires Set-Cookie - add_header rt-Fastcgi-Cache $upstream_cache_status