From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001
From: clarkzjw <i@jinwei.me>
Date: Wed, 8 Feb 2023 00:40:09 -0800
Subject: fork https://github.com/mattsta/mailweb

---
 ansible/roles/nginx/templates/basic-site.conf.j2 | 68 ++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 ansible/roles/nginx/templates/basic-site.conf.j2

(limited to 'ansible/roles/nginx/templates/basic-site.conf.j2')

diff --git a/ansible/roles/nginx/templates/basic-site.conf.j2 b/ansible/roles/nginx/templates/basic-site.conf.j2
new file mode 100644
index 0000000..454b2bd
--- /dev/null
+++ b/ansible/roles/nginx/templates/basic-site.conf.j2
@@ -0,0 +1,68 @@
+server {
+  listen       {{ item.domain }}:443 ssl http2 fastopen=4096 reuseport;
+  server_name  {{ item.domain }};
+
+  access_log  /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
+  error_log   /var/log/nginx/{{ item.domain }}.error.log error;
+
+  ssl on;
+
+  include /etc/nginx/ssl_params;
+
+{% if nginx.ssl == "modern" %}
+  include /etc/nginx/ssl_ciphers_modern;
+{% elif nginx.ssl == "tls13" %}
+  include /etc/nginx/ssl_ciphers_tls13;
+{% else %}
+  # Default, just use commonly accepted options:
+  include /etc/nginx/ssl_ciphers_intermediate;
+{% endif %}
+
+  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.rsa2048.pem;
+  ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.rsa2048.pem;
+
+  # nginx >= 1.11.0 (2016-05-24) allows loading redundant certs and keys so you
+  # can serve modern EC clients and less modern RSA clients at the same time.
+  ssl_certificate     /etc/ssl/{{ item.domain }}-cert-combined.prime256v1.pem;
+  ssl_certificate_key /etc/ssl/private/{{ item.domain }}-key.prime256v1.pem;
+
+  root   /srv/web/{{ item.domain }};
+
+{% if nginx.google is defined %}
+  location /{{ nginx.google.siteKey }}.html {
+    root {{ nginx.google.siteKeyServeDir }}};
+  }
+{% endif %}
+
+{% if item.customConfig is defined %}
+{{ item.customConfig }}
+{% endif %}
+
+{% for location in item.uri %}
+  location {{ location.path }} {
+{% if location.appServer is defined %}
+    proxy_pass {{ location.appServer }}/$request_uri;
+    proxy_set_header Host $host;
+{% else %}
+    root /srv/web/{{ item.domain }};
+{% endif %}
+  }
+{% endfor %}
+}
+
+server {
+  listen       {{ item.domain }} fastopen=4096 reuseport;
+  server_name  www.{{ item.domain }} {{ item.domain }};
+
+  access_log  /var/log/nginx/{{ item.domain }}.access.log main buffer=32k;
+  error_log   /var/log/nginx/{{ item.domain }}.error.log error;
+
+  location /.well-known/acme-challenge/ {
+      alias /srv/web/challenges/;
+      try_files $uri =404;
+  }
+
+  location / {
+    return 301 https://{{ item.domain }}$request_uri;
+  }
+}
-- 
cgit v1.2.3