ansible/roles/www/templates/nginx-site.conf

# Managed by Ansible

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    listen [::]:80 default_server;
    listen [::]:443 ssl default_server;

    server_name bitlair.nl wiki.bitlair.nl www.bitlair.nl;
    root /opt/bitlair-wiki/;

    {% if acme_bootstrap_certs %}
    include "snippets/snakeoil.conf";
    {% else %}
    ssl_certificate     "/var/lib/dehydrated/certs/{{ www_domain }}/fullchain.pem";
    ssl_certificate_key "/var/lib/dehydrated/certs/{{ www_domain }}/privkey.pem";
    {% endif %}

    # SSL settings from https://cipherli.st/ - AK47 15 jan 2017
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    client_max_body_size 32m;
    client_body_timeout 60;

    index index.php;

    # mqtt2web
    location = /mqtt {
        proxy_pass http://localhost:8080/mqtt;
        include proxy_params;
        proxy_buffering off;
        proxy_cache off;
        proxy_http_version 1.1;
        proxy_set_header Connection '';
        chunked_transfer_encoding off;
    }

    # Space API
    location = /statejson {
        proxy_pass http://localhost:8888;
        include proxy_params;
        add_header 'Access-Control-Allow-Origin' '*';
    }

    # Photo gallery
    location = /fotos {
        return 302 $scheme://bitlair.nl/fotos/;
    }

    location ~* ^/fotos/(.*)$ {
        proxy_pass http://192.168.88.22:4567/$1$is_args$args;
    }

    location ~ ^/state/(.+)$ {
        alias /opt/spaceapi/assets/$1;
    }

    location = /events.ics {
        alias /var/lib/bitlair-calendar/events.ics;
    }

    location ~ ^/(cache|maintenance|vendor|extensions)/ {
        deny all;
    }

    location = /api.php {
        deny all;
    }

    # Legacy space API stuff.
    location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ {
        root "/opt/legacy/";
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi.conf;
    }

    location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ {
        root "/opt/legacy/";
    }

    location ~ ^/wp-content {
        root "/opt/legacy/";
    }

    location = /statejson.php {
        rewrite ^.+$ /statejson;
    }


    # Mediawiki
    location / {
        try_files $uri $uri/ @rewrite;
    }

    location ~ \.php$ {
        try_files $uri @rewrite;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?title=$1$args;
    }

    location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ {
        try_files $uri @rewrite;
        expires 1M;
    }

    location = /_.gif {
        expires max;
        empty_gif;
    }

    # Legacy: redirect old prefix.
    location /Pages/ {
        rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
    }

    # Matrix realm delegation
    location = /.well-known/matrix/server {
        add_header "Content-Type" "application/json";
        add_header "Access-Control-Allow-Origin" "*";
        alias /opt/matrix-delegation.json;
    }

    include "snippets/acme.conf";
}