1 files changed, 68 insertions, 0 deletions
diff --git a/ansible/roles/nginx/templates/basic-site.conf.j2 b/ansible/roles/nginx/templates/basic-site.conf.j2
new file mode 100644
index 0000000..454b2bd
--- /dev/null
+++ b/ansible/roles/nginx/templates/basic-site.conf.j2
@@ -0,0 +1,68 @@
+server {
+  listen       {{ item.domain }}:443 ssl http2 fastopen=4096 reuseport;
+  server_name  {{ item.domain }};
+  access_log  /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
+  error_log   /var/log/nginx/{{ item.domain }}.error.log error;
+  ssl on;
+  include /etc/nginx/ssl_params;
+{% if nginx.ssl == "modern" %}
+  include /etc/nginx/ssl_ciphers_modern;
+{% elif nginx.ssl == "tls13" %}
+  include /etc/nginx/ssl_ciphers_tls13;
+{% else %}
+  # Default, just use commonly accepted options:
+  include /etc/nginx/ssl_ciphers_intermediate;
+{% endif %}
+  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.rsa2048.pem;
+  ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.rsa2048.pem;
+  # nginx >= 1.11.0 (2016-05-24) allows loading redundant certs and keys so you
+  # can serve modern EC clients and less modern RSA clients at the same time.
+  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.prime256v1.pem;
+  ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.prime256v1.pem;
+  root   /srv/web/{{ item.domain }};
+{% if nginx.google is defined %}
+  location /{{ nginx.google.siteKey }}.html {
+    root {{ nginx.google.siteKeyServeDir }}};
+  }
+{% endif %}
+{% if item.customConfig is defined %}
+{{ item.customConfig }}
+{% endif %}
+{% for location in item.uri %}
+  location {{ location.path }} {
+{% if location.appServer is defined %}
+    proxy_pass {{ location.appServer }}/$request_uri;
+    proxy_set_header Host $host;
+{% else %}
+    root /srv/web/{{ item.domain }};
+{% endif %}
+  }
+{% endfor %}
+}
+server {
+  listen       {{ item.domain }} fastopen=4096 reuseport;
+  server_name  www.{{ item.domain }} {{ item.domain }};
+  access_log  /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
+  error_log   /var/log/nginx/{{ item.domain }}.error.log error;
+  location /.well-known/acme-challenge/ {
+      alias /srv/web/challenges/;
+      try_files $uri =404;
+  }
+  location / {
+    return 301 https://{{ item.domain }}$request_uri;
+  }
+}

diff --git a/ansible/roles/nginx/templates/basic-site.conf.j2 b/ansible/roles/nginx/templates/basic-site.conf.j2 new file mode 100644 index 0000000..454b2bd --- /dev/null +++ b/ansible/roles/nginx/templates/basic-site.conf.j2
@@ -0,0 +1,68 @@
	1	server {
	2	listen {{ item.domain }}:443 ssl http2 fastopen=4096 reuseport;
	3	server_name {{ item.domain }};
	4
	5	access_log /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
	6	error_log /var/log/nginx/{{ item.domain }}.error.log error;
	7
	8	ssl on;
	9
	10	include /etc/nginx/ssl_params;
	11
	12	{% if nginx.ssl == "modern" %}
	13	include /etc/nginx/ssl_ciphers_modern;
	14	{% elif nginx.ssl == "tls13" %}
	15	include /etc/nginx/ssl_ciphers_tls13;
	16	{% else %}
	17	# Default, just use commonly accepted options:
	18	include /etc/nginx/ssl_ciphers_intermediate;
	19	{% endif %}
	20
	21	ssl_certificate /etc/ssl/{{ item.domain }}-cert-combined.rsa2048.pem;
	22	ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.rsa2048.pem;
	23
	24	# nginx >= 1.11.0 (2016-05-24) allows loading redundant certs and keys so you
	25	# can serve modern EC clients and less modern RSA clients at the same time.
	26	ssl_certificate /etc/ssl/{{ item.domain }}-cert-combined.prime256v1.pem;
	27	ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.prime256v1.pem;
	28
	29	root /srv/web/{{ item.domain }};
	30
	31	{% if nginx.google is defined %}
	32	location /{{ nginx.google.siteKey }}.html {
	33	root {{ nginx.google.siteKeyServeDir }}};
	34	}
	35	{% endif %}
	36
	37	{% if item.customConfig is defined %}
	38	{{ item.customConfig }}
	39	{% endif %}
	40
	41	{% for location in item.uri %}
	42	location {{ location.path }} {
	43	{% if location.appServer is defined %}
	44	proxy_pass {{ location.appServer }}/$request_uri;
	45	proxy_set_header Host $host;
	46	{% else %}
	47	root /srv/web/{{ item.domain }};
	48	{% endif %}
	49	}
	50	{% endfor %}
	51	}
	52
	53	server {
	54	listen {{ item.domain }} fastopen=4096 reuseport;
	55	server_name www.{{ item.domain }} {{ item.domain }};
	56
	57	access_log /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
	58	error_log /var/log/nginx/{{ item.domain }}.error.log error;
	59
	60	location /.well-known/acme-challenge/ {
	61	alias /srv/web/challenges/;
	62	try_files $uri =404;
	63	}
	64
	65	location / {
	66	return 301 https://{{ item.domain }}$request_uri;
	67	}
	68	}