228 lines
6.6 KiB
Django/Jinja
228 lines
6.6 KiB
Django/Jinja
####
|
|
# {{ ansible_managed }}
|
|
####
|
|
|
|
|
|
{% block extra_upstreams %}
|
|
{% endblock %}
|
|
|
|
{% block server_info %}
|
|
## SERVER INFO
|
|
{% if item.onion is defined and enable_tor == 'true' and onion_address | length > 0 %}
|
|
server {
|
|
listen unix:/var/run/{{ item.name }}.sock;
|
|
server_name {{ onion_address.content | b64decode | trim }};
|
|
{% else %}
|
|
server {
|
|
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
|
|
{% if item.proto == 'http' %}
|
|
listen {{ item.listen }} {% if nginx_default_vhost == item.name %} default_server{% endif %};
|
|
{% endif %}
|
|
{% if item.proto == 'https' %}
|
|
listen {{ item.listen }} ssl {% if item.http2 is defined %}http2{% endif %};
|
|
|
|
ssl_certificate {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'fullchain.pem' + ';' }}
|
|
ssl_certificate_key {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'privkey.pem;' }}
|
|
|
|
{% endif %}
|
|
server_tokens off;
|
|
{% if item.max_upload is defined %}
|
|
client_max_body_size {{ item.max_upload }};
|
|
{% if item.htpasswd is defined %}
|
|
{{ htpasswd(item.htpasswd, 1) }}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endblock %}
|
|
{% block root %}
|
|
{% endblock %}
|
|
{% block logs %}
|
|
|
|
## LOGS
|
|
{% if item.use_access_log is defined and item.use_access_log == 'true' %}
|
|
access_log {{ nginx_log_dir }}/{{ item.name }}_access.log combined;
|
|
{% else %}
|
|
access_log off;
|
|
{% endif %}
|
|
{% if item.use_error_log is defined and item.use_error_log == 'true' %}
|
|
error_log {{ nginx_log_dir }}/{{ item.name }}_error.log {{ item.nginx_error_log_level }};
|
|
{% else %}
|
|
error_log off;
|
|
{% endif %}
|
|
{% endblock %}
|
|
|
|
{% block headers %}
|
|
{% if item.headers is defined and item.headers == 'none' %}
|
|
{% else %}
|
|
## HEADERS
|
|
{% if item.header_permission_policy is defined and item.header_permission_policy == 'none' %}
|
|
{% else %}
|
|
add_header Permissions-Policy "geolocation=(),interest-cohort=()";
|
|
{% endif %}
|
|
{% if item.secure_site is defined and item.secure_site == 'none' %}
|
|
{% else %}
|
|
add_header X-Download-Options noopen;
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
{% endif %}
|
|
{% if item.header_referrer is defined and item.header_referrer == 'none' %}
|
|
{% else %}
|
|
add_header Referrer-Policy "{{ item.header_referrer | default('no-referrer') }}";
|
|
{% endif %}
|
|
{% if item.header_xframe is defined and item.header_xframe == 'none' %}
|
|
{% else %}
|
|
add_header X-Frame-Options "{{ item.header_xframe | default("SAMEORIGIN") }}";
|
|
{% endif %}
|
|
{% if item.nginx_HSTS_policy is defined and item.nginx_HSTS_policy == 'none' %}
|
|
{% else %}
|
|
add_header Strict-Transport-Security "max-age={{ nginx_hsts_age }}; includeSubDomains; preload;" always;
|
|
{% endif %}
|
|
{% if item.header_csp is defined %}
|
|
add_header Content-Security-Policy "{{ item.header_csp | default("default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';") }}";
|
|
{% endif %}
|
|
{% if item.header_cto is defined and item.header_cto == 'none' %}
|
|
{% else %}
|
|
add_header X-Content-Type-Options "{{ item.header_cto | default('nosniff') }}";
|
|
{% endif %}
|
|
{%if item.header_xss is defined and item.header_xss == 'none' %}
|
|
{% else %}
|
|
add_header X-XSS-Protection "{{ item.header_xss | default('1; mode=block') }}";
|
|
{% endif %}
|
|
{% if item.header_robots is defined and item.header_robots == 'none' %}
|
|
{% else %}
|
|
add_header X-Robots-Tag "{{ item.header_robots | default('none') }}";
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endblock %}
|
|
|
|
{% block location %}
|
|
{% endblock %}
|
|
{% block extra_locations %}
|
|
{% endblock %}
|
|
{% block custom_locations %}
|
|
{% if item.custom_locations is defined %}
|
|
|
|
## CUSTOM LOCATIONS
|
|
{% for location in item.custom_locations %}
|
|
location {{ location.name }} {
|
|
{% for item in location.options %}
|
|
{{ item }}
|
|
{% endfor %}
|
|
{% if location.headers is defined %}
|
|
{% for item in location.headers %}
|
|
{% if item.secure_site is defined %}
|
|
add_header X-Download-Options noopen;
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
{% endif %}
|
|
{% if item.referrer is defined %}
|
|
add_header Referrer-Policy {{ item.referrer | default('no-referrer') }};
|
|
{% endif %}
|
|
{% if item.header_sameorigin is defined %}
|
|
add_header X-Frame-Options "SAMEORIGIN";
|
|
{% endif %}
|
|
|
|
{% if item.nginx_HSTS_policy is defined %}
|
|
add_header Strict-Transport-Security "max-age={{ nginx_hsts_age }}; includeSubDomains; preload;" always;
|
|
{% endif %}
|
|
{% if item.csp is defined %}
|
|
add_header Content-Security-Policy "{{ item.csp }}";
|
|
{% endif %}
|
|
{% if item.cto is defined %}
|
|
{% if item.cto == 'none' %}
|
|
{% else %}
|
|
add_header X-Content-Type-Options {{ item.cto }};
|
|
{% endif %}
|
|
{% else %}
|
|
add_header X-Content-Type-Options nosniff;
|
|
{% endif %}
|
|
{%if item.xss is defined %}
|
|
{% if item.xss == 'none' %}
|
|
{% else %}
|
|
add_header X-XSS-Protection "{{ item.xss }}";
|
|
{% endif %}
|
|
{% else %}
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
{% endif %}
|
|
{% if item.robots is defined %}
|
|
add_header X-Robots-Tag {{ item.robots }};
|
|
{% else %}
|
|
add_header X-Robots-Tag none;
|
|
{% endif %}
|
|
|
|
{% endfor %}
|
|
{% endif %}
|
|
}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% endblock %}
|
|
{% block local_content %}
|
|
{% endblock %}
|
|
{% block app_specific %}
|
|
{% endblock %}
|
|
{% if item.letsencrypt == 'true' %}
|
|
location ^~ /.well-known/acme-challenge {
|
|
root {{ letsencrypt_webroot_path }};
|
|
try_files $uri =404;
|
|
}
|
|
{% endif %}
|
|
{% block extras %}
|
|
{% if item.more is defined and item.more is iterable %}
|
|
|
|
{% for line in item.more %}
|
|
{{ line }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% endblock %}
|
|
}
|
|
|
|
{% block redirects %}
|
|
{% if item.www is defined %}
|
|
server {
|
|
listen 80;
|
|
server_name www.{{ item.name }};
|
|
return 301 https://{{ item.name }}$request_uri;
|
|
}
|
|
{% endif %}
|
|
|
|
{% if item.redirect_https is defined and item.redirect_https and enable_tor != 'true' %}
|
|
|
|
## REDIRECTS
|
|
|
|
### http to https
|
|
server {
|
|
|
|
listen 80;
|
|
|
|
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
|
|
return 301 https://{{ item.name }}$request_uri;
|
|
{% if item.letsencrypt == 'true' %}
|
|
|
|
location /.well-known/acme-challenge {
|
|
root {{ letsencrypt_webroot_path }};
|
|
try_files $uri =404;
|
|
}
|
|
{% endif %}
|
|
}
|
|
|
|
|
|
{% if item.www is defined %}
|
|
### www to fwdn
|
|
server {
|
|
|
|
listen 443 ssl;
|
|
ssl_certificate {{ nginx_ssl_dir + '/www.' + item.ssl_name + '/' + 'fullchain.pem' + ';' }}
|
|
ssl_certificate_key {{ nginx_ssl_dir + '/www.' + item.ssl_name + '/' + 'privkey.pem;' }}
|
|
|
|
server_name www.{% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
|
|
return 301 https://{{ item.name }}{% if '443' not in item.listen %}:item.listen[0]{% endif %}$request_uri;
|
|
{% if item.letsencrypt == 'true' %}
|
|
|
|
location /.well-known/acme-challenge {
|
|
root {{ letsencrypt_webroot_path }};
|
|
try_files $uri =404;
|
|
}
|
|
{% endif %}
|
|
}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endblock %}
|