---
- hosts: webservers

  roles:
  - role: jdauphant.nginx
    nginx_user: "www-data"
    nginx_http_params:
      - sendfile "on"
      - server_names_hash_bucket_size 512
    nginx_sites:
      tenforward.social.http:
        - listen *:80
        - listen [::]:80
        - server_name tenforward.social
        - location /.well-known/acme-challenge/ {
            allow all;
          }
        - return 301 "https://$host$request_uri"
      tenforward.social.https:
        - listen *:443 ssl http2
        - listen [::]:443 ssl http2
        - server_name tenforward.social
        - root "/home/mastodon/live/public"
        - access_log "/var/log/nginx/tenforward.social.access.log"
        - error_log "/var/log/nginx/tenforward.social.error.log"
        - ssl_certificate "/etc/ssl/letsencrypt/tenforward.social.crt"
        - ssl_certificate_key "/etc/ssl/letsencrypt/tenforward.social.pem"
        - add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
        - add_header Strict-Transport-Security max-age=31536000
        - client_max_body_size 0
        - location / {
            try_files $uri @proxy;
          }
        - location ~ ^/(emoji|packs|system/media_attachments/files|system/accounts/avatars) {
            add_header Cache-Control "public, max-age=31536000, immutable";
          }
        - location @proxy {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Proxy "";
            proxy_pass_header Server;
            proxy_pass http://127.0.0.1:3000;
            proxy_buffering on;
            proxy_redirect off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_cache CACHE;
            proxy_cache_valid 200 7d;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
            add_header X-Cached $upstream_cache_status;
            add_header Strict-Transport-Security max-age=31536000;
            add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
            tcp_nodelay on;
          }
        - location /api/v1/streaming {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_pass http://127.0.0.1:4000;
            proxy_buffering off;
            proxy_redirect off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            tcp_nodelay on;
          }
        - error_page 500 501 502 503 504 /500.html

    nginx_configs:
      gzip:
        - gzip on
        - gzip_disable msie6
        - gzip_vary on
        - gzip_proxied any
        - gzip_comp_level 6
        - gzip_buffers 16 8k
        - gzip_http_version 1.1
        - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
      connectionupgrade:
        - map $http_upgrade $connection_upgrade {
            default upgrade;
            ''      close;
          }
      proxycache:
        - proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g
      ssl:
        - ssl_protocols TLSv1.2 TLSv1.3
        - ssl_dhparam "/etc/nginx/dhparams.pem"
        - ssl_session_timeout 1d
        - ssl_session_cache shared:SSL:50m
        - ssl_session_tickets off