jokester/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ba94509bca
ansible-playbooks/roles/static-web/templates/nginx-vhost.conf.j2
Clément Désiles ba94509bca
feat: fix systemd user and add static-web role
2025-12-20 23:14:00 +01:00

80 lines
2.3 KiB
Django/Jinja
Raw Blame History

# Static web vhost for {{ hostname }}
# Managed by Ansible - DO NOT EDIT MANUALLY
server {
listen 80;
listen [::]:80;
server_name {{ hostname }};
{% if site_config.ssl_enabled | default(true) %}
# Certbot webroot for ACME challenges
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Redirect to HTTPS
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ hostname }};
# Let's Encrypt certificates (managed by Certbot)
ssl_certificate /etc/letsencrypt/live/{{ hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ hostname }}/privkey.pem;
# SSL configuration
ssl_protocols {{ nginx_ssl_protocols }};
ssl_prefer_server_ciphers {{ 'on' if nginx_ssl_prefer_server_ciphers else 'off' }};
{% endif %}
# Document root
{% if site_config.root_dir is defined and site_config.root_dir | length > 0 %}
root {{ static_web_base_dir }}/{{ hostname }}/{{ site_config.root_dir }};
{% else %}
root {{ static_web_base_dir }}/{{ hostname }};
{% endif %}
# Index files
index index.html index.htm;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
{% if site_config.ssl_enabled | default(true) %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %}
# Logging
{% if nginx_log_backend == 'journald' %}
access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_{{ hostname | replace('.', '_') | replace('-', '_') }};
error_log syslog:server=unix:/dev/log,nohostname,tag=nginx_{{ hostname | replace('.', '_') | replace('-', '_') }};
{% else %}
access_log /var/log/nginx/{{ hostname }}-access.log;
error_log /var/log/nginx/{{ hostname }}-error.log;
{% endif %}
# Main location
location / {
try_files $uri $uri/ =404;
}
# Deny access to hidden files
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Static file caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
}
Reference in New Issue View Git Blame Copy Permalink