ansible-role-strfry/docs/examples/nginx_conf.yml

---
- name: strfry | Configure nginx
  ansible.builtin.import_role:
    name: nginx_core.nginx_config
  vars:
    # afaict, overriding any numeric values in the main nginx config requires replacing the entire dictionary.
    # See: https://github.com/nginxinc/ansible-role-nginx-config/issues/352
    # The only difference between this and the main nginx config is the worker_rlimit_nofile value and worker_connections.
    nginx_config_main_template_enable: true
    nginx_config_main_template:
      template_file: nginx.conf.j2
      deployment_location: /etc/nginx/nginx.conf
      backup: false
      config: # https://nginx.org/en/docs/ngx_core_module.html
        main:
          user:
            username: nginx
            group: nginx
          worker_processes: auto
          error_log:
            file: /var/log/nginx/error.log
            level: notice
          pid: /var/run/nginx.pid

          # worker_rlimit_nofile changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes.
          # Used to increase the limit without restarting the main process.
          # The recomended value seems to be worker_connections * 2
          worker_rlimit_nofile: 12288

        events:
          worker_connections: 4096

        # include:  # String or a list of strings
        #   - /etc/nginx/modules.conf
        http: # https://nginx.org/en/docs/http/ngx_http_core_module.html
          default_type: application/octet-stream
          sendfile: true
          server_tokens: false
          tcp_nodelay: true
          tcp_nopush: true
          include:
            - /etc/nginx/mime.types
            - /etc/nginx/http.conf    # These are shared http level configs that nginx_conf refuses to directly configure.
            - /etc/nginx/conf.d/*.conf

    nginx_config_http_template_enable: true
    nginx_config_http_template:
      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/conf.d/strfry_{{ nginx_strfry_domain }}.conf"
        backup: false
        config:
          upstreams:
            - name: strfry
              servers:
                - address: "127.0.0.1:{{ strfry_relay.port|default(7777) }}"
               #- address: unix:/var/lib/strfry/strfry.sock
          servers:
            - core:
                listen:
                  - address: "{{ default_interface_ipv4_address|default(ansible_default_ipv4.address) }}:{{ nginx_strfry_https_port|default(443) }} ssl"
                include:
                  - "/etc/nginx/acme_{{ nginx_strfry_domain }}.conf"
                client_max_body_size: 0 # Stream request body to backend
              http2:
                enable: true
              locations:
                - location: /
                  proxy:
                    pass: http://strfry
                    http_version: '1.1'
                    set_header:
                      - field: Host
                        value: $http_host
                      - field: Connection
                        value: $connection_upgrade
                      - field: Upgrade
                        value: $http_upgrade
                      - field: X-Forwarded-For
                        value: $proxy_add_x_forwarded_for
                    connect_timeout: 3m
                    send_timeout: 3m
                    read_timeout: 3m

      - template_file: http/default.conf.j2
        deployment_location: /etc/nginx/http.conf
        backup: false
        config:
          core:
            default_type: application/octet-stream
            sendfile: true
            server_tokens: false
            tcp_nodelay: true
            tcp_nopush: true
            resolver: # required for oscp stapling
              address: 
              - '1.1.1.1'
              - '8.8.8.8'
            resolver_timeout: 10s
          log:
            format:
              - name: main
                format: |
                  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"  "$realip_remote_addr"'
          gzip: # https://nginx.org/en/docs/http/ngx_http_gzip_module.html
            enable: true
            comp_level: 3
            disable: "msie6"
            min_length: 1100
            proxied: any
            types:
              - text/plain
              - text/css 
              - application/x-javascript 
              - text/xml 
              - application/xml
            vary: true

      - template_file: http/default.conf.j2
        deployment_location: "/etc/nginx/conf.d/mappings.conf"
        backup: false
        config:
          map:
            mappings: # https://nginx.org/en/docs/http/websocket.html
              - string: $http_upgrade
                variable: $connection_upgrade
                content:
                  - value: default
                    new_value: upgrade
                  - value: "''"
                    new_value: close
Include more details and examples. 2023-07-30 00:33:15 +00:00			`---`
			`- name: strfry \| Configure nginx`
			`ansible.builtin.import_role:`
Remove http2 because it probably provides absolutely no benefit for a nostr client. 2023-07-31 02:57:29 +00:00			`name: nginx_core.nginx_config`
Include more details and examples. 2023-07-30 00:33:15 +00:00			`vars:`
Remove http2 because it probably provides absolutely no benefit for a nostr client. 2023-07-31 02:57:29 +00:00			`# afaict, overriding any numeric values in the main nginx config requires replacing the entire dictionary.`
			`# See: https://github.com/nginxinc/ansible-role-nginx-config/issues/352`
			`# The only difference between this and the main nginx config is the worker_rlimit_nofile value and worker_connections.`
			`nginx_config_main_template_enable: true`
			`nginx_config_main_template:`
			`template_file: nginx.conf.j2`
			`deployment_location: /etc/nginx/nginx.conf`
			`backup: false`
			`config: # https://nginx.org/en/docs/ngx_core_module.html`
			`main:`
			`user:`
			`username: nginx`
			`group: nginx`
			`worker_processes: auto`
			`error_log:`
			`file: /var/log/nginx/error.log`
			`level: notice`
			`pid: /var/run/nginx.pid`

			`# worker_rlimit_nofile changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes.`
			`# Used to increase the limit without restarting the main process.`
			`# The recomended value seems to be worker_connections * 2`
			`worker_rlimit_nofile: 12288`

			`events:`
			`worker_connections: 4096`

			`# include: # String or a list of strings`
			`# - /etc/nginx/modules.conf`
			`http: # https://nginx.org/en/docs/http/ngx_http_core_module.html`
			`default_type: application/octet-stream`
			`sendfile: true`
			`server_tokens: false`
			`tcp_nodelay: true`
			`tcp_nopush: true`
			`include:`
			`- /etc/nginx/mime.types`
			`- /etc/nginx/http.conf # These are shared http level configs that nginx_conf refuses to directly configure.`
			`- /etc/nginx/conf.d/*.conf`

Include more details and examples. 2023-07-30 00:33:15 +00:00			`nginx_config_http_template_enable: true`
			`nginx_config_http_template:`
			`- template_file: http/default.conf.j2`
			`deployment_location: "/etc/nginx/conf.d/strfry_{{ nginx_strfry_domain }}.conf"`
			`backup: false`
			`config:`
			`upstreams:`
			`- name: strfry`
			`servers:`
			`- address: "127.0.0.1:{{ strfry_relay.port\|default(7777) }}"`
			`#- address: unix:/var/lib/strfry/strfry.sock`
			`servers:`
			`- core:`
			`listen:`
			`- address: "{{ default_interface_ipv4_address\|default(ansible_default_ipv4.address) }}:{{ nginx_strfry_https_port\|default(443) }} ssl"`
			`include:`
			`- "/etc/nginx/acme_{{ nginx_strfry_domain }}.conf"`
			`client_max_body_size: 0 # Stream request body to backend`
Remove http2 because it probably provides absolutely no benefit for a nostr client. 2023-07-31 02:57:29 +00:00			`http2:`
			`enable: true`
Include more details and examples. 2023-07-30 00:33:15 +00:00			`locations:`
			`- location: /`
			`proxy:`
			`pass: http://strfry`
			`http_version: '1.1'`
			`set_header:`
			`- field: Host`
			`value: $http_host`
			`- field: Connection`
			`value: $connection_upgrade`
			`- field: Upgrade`
			`value: $http_upgrade`
			`- field: X-Forwarded-For`
			`value: $proxy_add_x_forwarded_for`
			`connect_timeout: 3m`
			`send_timeout: 3m`
			`read_timeout: 3m`
Remove http2 because it probably provides absolutely no benefit for a nostr client. 2023-07-31 02:57:29 +00:00
			`- template_file: http/default.conf.j2`
			`deployment_location: /etc/nginx/http.conf`
			`backup: false`
			`config:`
			`core:`
			`default_type: application/octet-stream`
			`sendfile: true`
			`server_tokens: false`
			`tcp_nodelay: true`
			`tcp_nopush: true`
			`resolver: # required for oscp stapling`
			`address:`
			`- '1.1.1.1'`
			`- '8.8.8.8'`
			`resolver_timeout: 10s`
			`log:`
			`format:`
			`- name: main`
			`format: \|`
			`'$remote_addr - $remote_user [$time_local] "$request" '`
			`'$status $body_bytes_sent "$http_referer" '`
			`'"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"'`
			`gzip: # https://nginx.org/en/docs/http/ngx_http_gzip_module.html`
			`enable: true`
			`comp_level: 3`
			`disable: "msie6"`
			`min_length: 1100`
			`proxied: any`
			`types:`
			`- text/plain`
			`- text/css`
			`- application/x-javascript`
			`- text/xml`
			`- application/xml`
			`vary: true`

			`- template_file: http/default.conf.j2`
			`deployment_location: "/etc/nginx/conf.d/mappings.conf"`
			`backup: false`
			`config:`
			`map:`
			`mappings: # https://nginx.org/en/docs/http/websocket.html`
			`- string: $http_upgrade`
			`variable: $connection_upgrade`
			`content:`
			`- value: default`
			`new_value: upgrade`
			`- value: "''"`
			`new_value: close`