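{#
  nginx virtual-host template: one plain-HTTP server block that redirects to
  HTTPS (and serves ACME challenges), plus one TLS server block.

  Variables read:
    item.key                  server name; also used verbatim in the certificate
                              and log file paths
    item.value.root_snippets  optional list of raw nginx snippets emitted at
                              server level of the TLS block
    item.value.locations      optional dict: location match -> mapping with
                              optional "config" (list of raw snippets) and
                              "templates" (list of template names to include)
    in_memoriam               optional list of names for X-Clacks-Overhead

  `item` is presumably one key/value pair of a looped dict in the calling
  task (not visible here).

  item.key, the snippets and the included template names are written into the
  configuration without escaping or validation, so they must only ever come
  from trusted inventory. A double quote in an in_memoriam entry would also
  break the quoted header value.

  The indent filter around root_snippets is closed right after its loop;
  without that end tag Jinja cannot parse the template.
#}
{{ ansible_managed | comment }}
server {
    listen 80;
    listen [::]:80;
    server_name {{ item.key }};

    {# NOTE(review): $host comes from the request (request line or Host header). If this block can be selected as the default server for port 80, the redirect target follows the client-supplied host; redirecting to the configured server name would avoid that. Confirm against the rest of the nginx configuration. #}
    # Redirect to https
    location / {
        return 302 https://$host$request_uri;
    }

    # ACME directory, to limit interaction with certbot
    location /.well-known/acme-challenge/ {
        root /var/www/well-known/acme-challenge/;
    }

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # FLoC you google
    add_header Permissions-Policy interest-cohort=();
    {% if in_memoriam is defined -%}
    # "A man is not dead while his name is still spoken." -- Going Postal
    add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
    {%- endif %}
}

server {
    {# NOTE(review): the TLS listener is bound to loopback only; whatever forwards public HTTPS traffic to 127.0.0.1:8443 is not visible in this template. #}
    # listen port + ssl
    {# <- TODO: Allow other ports -> -#}
    listen 127.0.0.1:8443 ssl http2;
    # listen [::]:443 ssl http2;
    ssl_certificate /etc/nginx/certs/{{ item.key }}.crt;
    ssl_certificate_key /etc/nginx/certs/{{ item.key }}.key;
    {# <- TODO: Allow other ports -> #}

    server_name {{ item.key }};

    {# <- TODO: move this to default root snippets ? -> -#}
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    {# NOTE(review): nginx inherits add_header from this level only into blocks that define no add_header of their own, so a location snippet that sets any header drops the two headers below for that location. No Strict-Transport-Security header is emitted by this template; it has to come from root_snippets if it is wanted. #}
    # FLoC you google
    add_header Permissions-Policy interest-cohort=();
    {% if in_memoriam is defined -%}
    # "A man is not dead while his name is still spoken." -- Going Postal
    add_header X-Clacks-Overhead "GNU {{ ', '.join(in_memoriam) }}";
    {% endif -%}
    {# <- TODO: move this to default root snippets ?-> -#}

    {% filter indent(width=4) -%}
    {%- for config in (item.value.root_snippets | default([])) -%}
    {{ config }}
    {%- endfor -%}
    {%- endfilter %}

    # Logs
    access_log /var/log/nginx/{{ item.key }}.log;
    error_log /var/log/nginx/{{ item.key }}_error.log;

    {# One location block per entry of item.value.locations: raw config snippets first, then included templates, re-indented to sit inside the block. #}
    {% for location in (item.value.locations | default({}) | dict2items) -%}
    location {{ location.key }} {
        {% filter indent(width=8) -%}
        {%- for config in (location.value.config | default([])) -%}
        {{ config }}
        {%- endfor -%}
        {%- for template in (location.value.templates | default([])) -%}
        {% include template %}
        {%- endfor -%}
        {%- endfilter %}
    }
    {% endfor %}
}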