diff options
| author | Joshua Hull <josh@fireflop.com> | 2023-01-15 10:49:21 +0100 |
|---|---|---|
| committer | Emil Renner Berthing <esmil@labitat.dk> | 2023-01-27 00:32:09 +0100 |
| commit | 6bbdee9dc9333e94d13e8653ee3bb5626aa754b5 (patch) | |
| tree | afd3e802bbe3968ef6c526416c8cb27d63231ad4 /roles/nginx/templates/nginx.conf.j2 | |
| parent | 09df394737c4a91a5a44909e29abeff8e1927ecc (diff) | |
| download | labitat-ansible-6bbdee9dc9333e94d13e8653ee3bb5626aa754b5.tar.gz labitat-ansible-6bbdee9dc9333e94d13e8653ee3bb5626aa754b5.tar.xz labitat-ansible-6bbdee9dc9333e94d13e8653ee3bb5626aa754b5.zip | |
nginx: add common role for nginx
esmil:
- disable access log and log errors to syslog (journal really)
use journalctl -u nginx to see the errors
- hoist some configuration values into ansible variables
- add tags and use a handler to reload nginx on configuration changes
- make nginx do its DNS queries against our local resolved
this enables nginx to use DNSSEC and DoT
- don't start nginx before the network is up. if it can't do
dns lookups ssl_stapling will be ignored
Diffstat (limited to 'roles/nginx/templates/nginx.conf.j2')
| -rw-r--r-- | roles/nginx/templates/nginx.conf.j2 | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 new file mode 100644 index 0000000..1188e53 --- /dev/null +++ b/roles/nginx/templates/nginx.conf.j2 @@ -0,0 +1,73 @@ +user www-data; +worker_processes auto; +{% if nginx_worker_rlimit_nofile is defined %} +worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }}; +{% endif %} +pid /run/nginx.pid; +error_log /dev/null debug; +error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx notice; + +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections {{ nginx_worker_connections }}; + # multi_accept on; +} + +http { + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Resolver + ## + + resolver 127.0.0.53 valid=30s; # systemd-resolved listens here + + ## + # SSL Settings + ## + + ssl_protocols {{ nginx_ssl_protocols }}; + ssl_ciphers {{ nginx_ssl_ciphers }}; + ssl_prefer_server_ciphers off; + ssl_dhparam /etc/nginx/dhparam; + + ## + # Logging Settings + ## + + access_log off; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} |