363 lines
15 KiB
YAML
363 lines
15 KiB
YAML
---
|
|
- hosts: erlking.silvestris.systems
|
|
|
|
roles:
|
|
- role: jdauphant.nginx
|
|
nginx_user: "www-data"
|
|
nginx_events_params:
|
|
- worker_connections 1024
|
|
nginx_http_params:
|
|
- sendfile "on"
|
|
- server_names_hash_bucket_size 512
|
|
nginx_sites:
|
|
asininetech.com.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name asininetech.com
|
|
- return 301 "https://nullrouted.space$request_uri"
|
|
asininetech.com.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name asininetech.com
|
|
- access_log "/var/log/nginx/asininetech.com.access.log"
|
|
- error_log "/var/log/nginx/asininetech.com.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/asininetech.com.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/asininetech.com.pem"
|
|
- return 301 "https://nullrouted.space$request_uri"
|
|
nullrouted.space.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name nullrouted.space
|
|
- return 301 "https://$host$request_uri"
|
|
nullrouted.space.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name nullrouted.space
|
|
- root "/srv/www/nullrouted.space"
|
|
- index index.php index.html
|
|
- access_log "/var/log/nginx/nullrouted.space.access.log"
|
|
- error_log "/var/log/nginx/nullrouted.space.error.log"
|
|
- client_max_body_size 10M
|
|
- ssl_certificate "/etc/ssl/letsencrypt/nullrouted.space.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/nullrouted.space.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
- include snippets/wp_with_supercache.conf
|
|
entropynet.net.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name entropynet.net
|
|
- return 301 "https://$host$request_uri"
|
|
entropynet.net.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name entropynet.net
|
|
- root "/srv/www/entropynet.net"
|
|
- error_page 404 /404.html
|
|
- index index.html
|
|
- access_log "/var/log/nginx/entropynet.net.access.log"
|
|
- error_log "/var/log/nginx/entropynet.net.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/entropynet.net.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/entropynet.net.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
twoshadesofbrown.com.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name twoshadesofbrown.com
|
|
- return 301 "https://$host$request_uri"
|
|
twoshadesofbrown.com.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name twoshadesofbrown.com
|
|
- root "/srv/www/twoshadesofbrown.com"
|
|
- index index.php index.html
|
|
- access_log "/var/log/nginx/twoshadesofbrown.com.access.log"
|
|
- error_log "/var/log/nginx/twoshadesofbrown.com.error.log"
|
|
- client_max_body_size 10M
|
|
- ssl_certificate "/etc/ssl/letsencrypt/twoshadesofbrown.com.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/twoshadesofbrown.com.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
- include snippets/wp_with_supercache.conf
|
|
wiki.packetcat.ca.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name wiki.packetcat.ca
|
|
- return 301 "https://$host$request_uri"
|
|
wiki.packetcat.ca.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name wiki.packetcat.ca
|
|
- root "/srv/www/wiki.packetcat.ca"
|
|
- index index.php
|
|
- access_log "/var/log/nginx/wiki.packetcat.ca.access.log"
|
|
- error_log "/var/log/nginx/wiki.packetcat.ca.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/wiki.packetcat.ca.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/wiki.packetcat.ca.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
- location ~ /(data|conf|bin|inc)/ {
|
|
deny all;
|
|
}
|
|
- location / {
|
|
try_files $uri $uri/ /index.php?$args;
|
|
}
|
|
- location ~ \.php$ {
|
|
try_files $uri =404;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_pass php;
|
|
fastcgi_index index.php;
|
|
}
|
|
sadiqsaif.com.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name sadiqsaif.com
|
|
- return 301 "https://$host$request_uri"
|
|
sadiqsaif.com.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name sadiqsaif.com
|
|
- root "/srv/www/sadiqsaif.com/public"
|
|
- index index.html
|
|
- error_page 404 /404.html
|
|
- access_log "/var/log/nginx/sadiqsaif.com.access.log"
|
|
- error_log "/var/log/nginx/sadiqsaif.com.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.com.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.com.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
sadiq.ae.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name sadiq.ae
|
|
- return 301 "https://sadiqsaif.com$request_uri"
|
|
sadiq.ae.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name sadiq.ae
|
|
- access_log "/var/log/nginx/sadiq.ae.access.log"
|
|
- error_log "/var/log/nginx/sadiq.ae.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/sadiq.ae.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/sadiq.ae.pem"
|
|
- return 301 "https://sadiqsaif.com$request_uri"
|
|
sadiqsaif.ca.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name sadiqsaif.ca
|
|
- return 301 "https://sadiqsaif.com$request_uri"
|
|
sadiqsaif.ca.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name sadiqsaif.ca
|
|
- access_log "/var/log/nginx/sadiqsaif.ca.access.log"
|
|
- error_log "/var/log/nginx/sadiqsaif.ca.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.ca.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.ca.pem"
|
|
- return 301 "https://sadiqsaif.com$request_uri"
|
|
wiki.tenforward.social.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name wiki.tenforward.social
|
|
- return 301 "https://$host$request_uri"
|
|
wiki.tenforward.social.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name wiki.tenforward.social
|
|
- root "/srv/www/wiki.tenforward.social"
|
|
- index index.php
|
|
- access_log "/var/log/nginx/wiki.tenforward.social.access.log"
|
|
- error_log "/var/log/nginx/wiki.tenforward.social.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/wiki.tenforward.social.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/wiki.tenforward.social.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
- location ~ /(data|conf|bin|inc)/ {
|
|
deny all;
|
|
}
|
|
- location / {
|
|
try_files $uri $uri/ /index.php?$args;
|
|
}
|
|
- location ~ \.php$ {
|
|
try_files $uri =404;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_pass php;
|
|
fastcgi_index index.php;
|
|
}
|
|
ultonomy.com.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name ultonomy.com
|
|
- return 301 "https://$host$request_uri"
|
|
ultonomy.com.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name ultonomy.com
|
|
- root "/srv/www/ultonomy.com"
|
|
- index index.php index.html
|
|
- access_log "/var/log/nginx/ultonomy.com.access.log"
|
|
- error_log "/var/log/nginx/ultonomy.com.error.log"
|
|
- client_max_body_size 10M
|
|
- ssl_certificate "/etc/ssl/letsencrypt/ultonomy.com.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/ultonomy.com.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
- include snippets/wp_with_supercache.conf
|
|
bastetrix.com.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name bastetrix.com
|
|
- root "/srv/www/bastetrix.com/public"
|
|
- location /.well-known/acme-challenge/ {
|
|
allow all;
|
|
}
|
|
- return 301 "https://$host$request_uri"
|
|
bastetrix.com.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name bastetrix.com
|
|
- root "/srv/www/bastetrix.com/public"
|
|
- index index.html
|
|
- access_log "/var/log/nginx/bastetrix.com.access.log"
|
|
- error_log "/var/log/nginx/bastetrix.com.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/bastetrix.com.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/bastetrix.com.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
wiki.bastetrix.org.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name wiki.bastetrix.org
|
|
- root "/srv/www/wiki.bastetrix.org"
|
|
- location /.well-known/acme-challenge/ {
|
|
allow all;
|
|
}
|
|
- return 301 "https://$host$request_uri"
|
|
wiki.bastetrix.org.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name wiki.bastetrix.org
|
|
- root "/srv/www/wiki.bastetrix.org"
|
|
- index index.php
|
|
- access_log "/var/log/nginx/wiki.bastetrix.org.access.log"
|
|
- error_log "/var/log/nginx/wiki.bastetrix.org.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/wiki.bastetrix.org.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/wiki.bastetrix.org.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
- location ~ /(data|conf|bin|inc)/ {
|
|
deny all;
|
|
}
|
|
- include snippets/php_standard.conf
|
|
miniflux.packetcat.ca.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name miniflux.packetcat.ca
|
|
- root "/srv/www/miniflux.packetcat.ca"
|
|
- location /.well-known/acme-challenge/ {
|
|
allow all;
|
|
}
|
|
- return 301 "https://$host$request_uri"
|
|
miniflux.packetcat.ca.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name miniflux.packetcat.ca
|
|
- root "/srv/www/miniflux.packetcat.ca"
|
|
- access_log "/var/log/nginx/miniflux.packetcat.ca.access.log"
|
|
- error_log "/var/log/nginx/miniflux.packetcat.ca.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/miniflux.packetcat.ca.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/miniflux.packetcat.ca.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
- location / {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
proxy_redirect off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
wallabag.packetcat.ca.http:
|
|
- listen *:80
|
|
- listen [::]:80
|
|
- server_name wallabag.packetcat.ca
|
|
- return 301 "https://$host$request_uri"
|
|
wallabag.packetcat.ca.https:
|
|
- listen *:443 ssl http2
|
|
- listen [::]:443 ssl http2
|
|
- server_name wallabag.packetcat.ca
|
|
- root "/srv/www/wallabag.packetcat.ca/web"
|
|
- index app.php
|
|
- access_log "/var/log/nginx/wallabag.packetcat.ca.access.log"
|
|
- error_log "/var/log/nginx/wallabag.packetcat.ca.error.log"
|
|
- ssl_certificate "/etc/ssl/letsencrypt/wallabag.packetcat.ca.crt"
|
|
- ssl_certificate_key "/etc/ssl/letsencrypt/wallabag.packetcat.ca.pem"
|
|
- include snippets/sslstapling_hsts.conf
|
|
- location / {
|
|
try_files $uri /app.php$is_args$args;
|
|
}
|
|
- location ~ ^/app\.php(/|$) {
|
|
try_files $uri =404;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_pass php;
|
|
fastcgi_index index.php;
|
|
internal;
|
|
}
|
|
- location ~ \.php$ {
|
|
return 404;
|
|
}
|
|
nginx_snippets:
|
|
sslstapling_hsts:
|
|
- ssl_stapling on
|
|
- resolver [::1] valid=300s
|
|
- add_header Strict-Transport-Security max-age=31536000
|
|
php_standard:
|
|
- location / {
|
|
try_files $uri $uri/ /index.php?$args;
|
|
}
|
|
- location ~ \.php$ {
|
|
try_files $uri =404;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_pass php;
|
|
fastcgi_index index.php;
|
|
}
|
|
wp_with_supercache:
|
|
- set $cache_uri $request_uri
|
|
- if ( $request_method = POST ) { set $cache_uri 'null cache'; }
|
|
- if ( $query_string != "" ) { set $cache_uri 'null cache'; }
|
|
- if ( $request_uri ~* "/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml" ) { set $cache_uri 'null cache'; }
|
|
- if ( $http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in" ) { set $cache_uri 'null cache'; }
|
|
- location / {
|
|
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;
|
|
}
|
|
- location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff2)$ {
|
|
expires max;
|
|
}
|
|
- location ~ \.php$ {
|
|
try_files $uri =404;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
include fastcgi_params;
|
|
fastcgi_index index.php;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_pass php;
|
|
}
|
|
nginx_configs:
|
|
gzip:
|
|
- gzip on
|
|
- gzip_disable msie6
|
|
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
|
|
upstream:
|
|
- upstream php { server unix:/run/php/php8.1-fpm.sock; }
|
|
ssl:
|
|
- ssl_protocols TLSv1.2 TLSv1.3
|
|
- ssl_prefer_server_ciphers on
|
|
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
|
|
- ssl_dhparam "/etc/nginx/dhparams.pem"
|
|
- ssl_session_timeout 1d
|
|
- ssl_session_cache shared:SSL:50m
|
|
- ssl_session_tickets off
|
|
fcgicache:
|
|
- fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m
|
|
- fastcgi_cache_key "$scheme$request_method$host$request_uri"
|
|
- fastcgi_cache_use_stale error timeout invalid_header http_500
|
|
- fastcgi_ignore_headers Cache-Control Expires Set-Cookie
|
|
- add_header rt-Fastcgi-Cache $upstream_cache_status
|