bitcoiner.social/ansible/playbooks/host_tasks/garchomp.bitcoiner.social/nginx.yml


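---
# Host-specific nginx configuration for garchomp.bitcoiner.social, rendered through the
# nginx_core.nginx_config role. Three artefacts are produced:
#   1. /etc/nginx/nginx.conf            (main + events + http contexts)
#   2. /etc/nginx/http.conf             (shared http-level directives, included from nginx.conf)
#   3. /etc/nginx/conf.d/mappings.conf  (WebSocket upgrade map)
#   4. /etc/nginx/conf.d/snort_<domain>.conf (TLS vhost proxying to localhost:8080, plus the
#      port-80 redirect vhost)
- name: strfry | Configure nginx
  ansible.builtin.import_role:
    name: nginx_core.nginx_config
  vars:
    # afaict, overriding any numeric values in the main nginx config requires replacing the
    # entire dictionary.
    # See: https://github.com/nginxinc/ansible-role-nginx-config/issues/352
    # The only difference between this and the nginx config used in playbooks/nginx/main.yml is
    # the worker_rlimit_nofile value and worker_connections.
    nginx_config_main_template_enable: true
    nginx_config_main_template:
      template_file: nginx.conf.j2
      deployment_location: /etc/nginx/nginx.conf
      backup: false
      config:  # https://nginx.org/en/docs/ngx_core_module.html
        main:
          user:
            username: nginx
            group: nginx
          worker_processes: auto
          error_log:
            file: /var/log/nginx/error.log
            level: notice
          # pid: /var/run/nginx.pid
          # worker_rlimit_nofile changes the limit on the maximum number of open files
          # (RLIMIT_NOFILE) for worker processes. Used to increase the limit without restarting
          # the main process.
          # The recommended value seems to be worker_connections * 2; this host is set to
          # 12288 = 3 * 4096, i.e. above that guideline.
          worker_rlimit_nofile: 12288
        events:
          worker_connections: 4096
        # include:  # String or a list of strings
        #   - /etc/nginx/modules.conf
        http:  # https://nginx.org/en/docs/http/ngx_http_core_module.html
          default_type: application/octet-stream
          sendfile: true
          # Suppress the nginx version in the Server header and on error pages.
          server_tokens: false
          tcp_nodelay: true
          tcp_nopush: true
          include:
            - /etc/nginx/mime.types
            # Shared http-level configs that nginx_conf refuses to directly configure.
            - /etc/nginx/http.conf
            - /etc/nginx/conf.d/*.conf
    nginx_config_http_template_enable: true
    nginx_config_http_template:
      # 1. Shared http-level directives (included from nginx.conf above).
      - template_file: http/default.conf.j2
        deployment_location: /etc/nginx/http.conf
        backup: false
        config:
          core:
            default_type: application/octet-stream
            sendfile: true
            server_tokens: false
            tcp_nodelay: true
            tcp_nopush: true
            # Required for OCSP stapling: nginx resolves the OCSP responder hostname itself.
            resolver:
              address:
                - '1.1.1.1'
                - '8.8.8.8'
            resolver_timeout: 10s
          log:
            format:
              # $realip_remote_addr keeps the TCP peer address even when the real_ip module
              # rewrites $remote_addr from X-Forwarded-For, so the two can be compared later.
              - name: main
                format: |
                  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"'
              # - name: debugposts
              #   format: |
              #     '$remote_addr - $remote_user [$time_local] "$request" '
              #     '$status $body_bytes_sent "$http_referer" '
              #     '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"'
              #     '"$request_data"'
          gzip:  # https://nginx.org/en/docs/http/ngx_http_gzip_module.html
            enable: true
            comp_level: 3
            disable: "msie6"
            min_length: 1100
            proxied: any
            types:
              - text/plain
              - text/css
              - application/x-javascript
              - text/xml
              - application/xml
            vary: true
      # 2. WebSocket upgrade map: $connection_upgrade is "upgrade" when the client sent an
      #    Upgrade header, "close" otherwise.
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/conf.d/mappings.conf"
        backup: false
        config:
          map:
            mappings:  # https://nginx.org/en/docs/http/websocket.html
              - string: $http_upgrade
                variable: $connection_upgrade
                content:
                  - value: default
                    new_value: upgrade
                  # "''" is the nginx empty-string literal, matching a missing Upgrade header.
                  - value: "''"
                    new_value: close
      # 3. TLS vhost for the snort front-end plus the plain-HTTP redirect vhost.
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/conf.d/snort_{{ nginx_snort_domain|default(inventory_hostname) }}.conf"
        backup: false
        config:
          servers:
            # No server_name here, so this is the only (default) server for the TLS port.
            - core:
                listen:
                  - address: "{{ default_interface_ipv4_address|default(ansible_default_ipv4.address) }}:{{ nginx_snort_port|default(4451) }} ssl"
                # Certificate/key directives come from the ACME-managed include.
                include:
                  - "/etc/nginx/acme_{{ nginx_snort_domain|default(inventory_hostname) }}.conf"
                index: index.html
                # root: "{{ snort_install_path|default('/var/www/snort') }}"
              log:
                access:
                  # NOTE: access logging is disabled on this vhost, so there is no request
                  # trail to investigate from if the proxied service is abused; consider
                  # logging with the "main" format defined in http.conf.
                  # NOTE(review): a bare `off` is read as boolean false by PyYAML (YAML 1.1);
                  # confirm the role's access_log template expects that rather than the
                  # string 'off'.
                  - off
              http2:
                enabled: true
              locations:
                - location: /
                  core:
                    try_files:
                      files: "{{ snort_install_path|default('/var/www/snort') }}/packages/app/public/ {{ snort_install_path|default('/var/www/snort') }}/packages/app/build/ @proxy"
                      # files: $uri $uri/ /index.html
                - location: '@proxy'
                  proxy:
                    pass: http://localhost:8080  # 127.0.0.1 does not work.
                    http_version: '1.1'
                    # set_header:
                    #   - field: Host
                    #     value: $http_host
            # Plain-HTTP listener: permanently redirects everything to HTTPS.
            - core:
                server_name: "{{ nginx_snort_domain|default(inventory_hostname) }}"
                listen:
                  - address: "{{ ansible_default_ipv4.address|default(ansible_all_ipv4_addresses[0]) }}:80"
              log:
                access:
                  # See the note on the TLS vhost: same bare `off` / no-log trade-off applies.
                  - off
              locations:
                - location: /
                  rewrite:
                    return:
                      url: https://$server_name$request_uri
                      code: 301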