WIP: generiek nginx role

roles/nginx/templates/default.j2

@@ -0,0 +1,37 @@
+# {{ ansible_managed }}
+
+server {
+    listen 80 default_server;
+    listen [::]:80
+
+    server_name {{ inventory_hostname }};
+
+    # Accept ACME-Challenges over http
+    location ^~ /.well-known/acme-challenge/ {
+        alias {{ nginx_wk_acme }}/;
+    }
+
+    # Block .ht files
+    location ~ /\.ht {
+        deny all;
+    }
+
+    # Redirect everything to https by default
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    location /server_status {
+        # Enable Nginx stats
+        stub_status on;
+        # Only allow access from localhost
+        allow 127.0.0.1;
+        # Other request should be denied
+        deny all;
+    }
+}
+
+{% for line in nginx_default_extra | default([]) %}
+{{ line }}
+{% endfor %}
+

roles/nginx/templates/etc-nginx.conf.j2

@@ -0,0 +1,35 @@
+# {{ ansible_managed }}
+
+user                {{ nginx_user }};
+worker_processes    auto;
+pid                 /run/nginx.pid;
+worker_rlimit_nofile 16384;
+include             {{ nginx_modules_dir }}/*.conf;
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Default nginx log format with $request time added
+    log_format bitlair '$remote_addr - $remote_user [$time_local] '
+                    '"$request" $status $body_bytes_sent '
+                    '"$http_referer" "$http_user_agent" $request_time';
+    access_log /var/log/nginx/access.log bitlair;
+
+    gzip on;
+    gzip_disable "msie6";
+
+{% for line in nginx_http_extra | default([]) %}
+    {{ line }}
+{% endfor %}
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}

roles/nginx/templates/site.conf.j2

@@ -0,0 +1,36 @@
+# {{ ansible_managed }}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ site.server_name|default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};
+
+    include /etc/nginx/tls_params;
+    ssl_certificate        /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
+    ssl_certificate_key    /var/lib/dehydrated/certs/{{ site.server_name }}/fullkey.pem;
+
+    location ~ /\.ht {
+        deny all;
+    }
+
+    access_log  /var/log/nginx/{{ site.server_name }}.access.log bitlair;
+    error_log   /var/log/nginx/{{ site.server_name }}.error.log;
+
+{% if site.localproxy is defined %}
+    location / {
+        proxy_pass http://localhost:{{ site.localproxy }}/;
+        include proxy_params;
+    }
+{% endif %}
+
+    # Include snippets
+{% for file in site.snippets | default([]) %}
+{% include "../../../snippets/" . file %}
+{% endif %}
+
+    # Per site configuration
+{% for line in site.config | default([]) %}
+    {{ line }}
+{% endfor %}
+}

roles/nginx/templates/tls_params.j2

@@ -0,0 +1,22 @@
+# {{ ansible_managed }}
+
+ssl_session_timeout         {{ nginx_tls_session_timeout }};
+ssl_session_tickets         off;
+
+ssl_prefer_server_ciphers   on;
+ssl_session_cache           shared:SSL:{{ nginx_tls_cache_size }};
+
+ssl_protocols               {{ nginx_tls_version }};
+ssl_ciphers                 {{ nginx_tls_cipherlist }};
+ssl_ecdh_curve              {{ nginx_tls_curve }};
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header                  Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+add_header                  X-Frame-Options "sameorigin";
+add_header                  X-Content-Type-Options "nosniff";
+add_header                  X-Robots-Tag noindex;
+
+# OCSP stapling
+ssl_stapling                {{ nginx_ssl_stapling }};
+ssl_stapling_verify         {{ nginx_ssl_stapling_verify }};
+