diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
deleted file mode 100644
index ad4e28b..0000000
--- a/roles/nginx/defaults/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-nginx_access_log: "off"
-nginx_ciphers: "ECDH+aRSA+CHACHA20:ECDH+aRSA+AESGCM"
-nginx_curves: "X25519:secp521r1:secp384r1"
-nginx_error_log: "/dev/null error"
-nginx_packages: [nginx]
-nginx_tls_versions: TLSv1.2 TLSv1.3
-nginx_worker_connections: 512
-nginx_worker_processes: auto
diff --git a/roles/nginx/files/error-pages/502.html b/roles/nginx/files/error-pages/502.html
deleted file mode 100644
index 16fdca7..0000000
--- a/roles/nginx/files/error-pages/502.html
+++ /dev/null
@@ -1,10 +0,0 @@
- - - - - 502 Bad Gateway - - - - Bad Gateway Sign -
diff --git a/roles/nginx/files/error-pages/bad_gateway.png b/roles/nginx/files/error-pages/bad_gateway.png
deleted file mode 100644
index 1bfdffa..0000000
Binary files a/roles/nginx/files/error-pages/bad_gateway.png and /dev/null differ
diff --git a/roles/nginx/files/error-pages/style.css b/roles/nginx/files/error-pages/style.css
deleted file mode 100644
index 8652fc6..0000000
--- a/roles/nginx/files/error-pages/style.css
+++ /dev/null
@@ -1,4 +0,0 @@
-img.singleton {
- display: block;
- margin: 10px auto;
-}
diff --git a/roles/nginx/files/openssl.cnf b/roles/nginx/files/openssl.cnf
deleted file mode 100644
index 38a7328..0000000
--- a/roles/nginx/files/openssl.cnf
+++ /dev/null
@@ -1,10 +0,0 @@
-openssl_conf = default_conf
-
-[default_conf]
-ssl_conf = ssl_sect
-
-[ssl_sect]
-system_default = system_default_sect
-
-[system_default_sect]
-Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
diff --git a/roles/nginx/files/snippets/autoindex.conf b/roles/nginx/files/snippets/autoindex.conf
deleted file mode 100644
index bc6ab74..0000000
--- a/roles/nginx/files/snippets/autoindex.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-autoindex on;
-autoindex_exact_size on;
-autoindex_localtime off;
diff --git a/roles/nginx/files/snippets/error-pages.conf b/roles/nginx/files/snippets/error-pages.conf
deleted file mode 100644
index aecc17c..0000000
--- a/roles/nginx/files/snippets/error-pages.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-error_page 502 /_error-pages/502.html;
-
-location ^~ /_error-pages {
- root /var/www;
-}
diff --git a/roles/nginx/files/snippets/header-hsts.conf b/roles/nginx/files/snippets/header-hsts.conf
deleted file mode 100644
index a9abbb9..0000000
--- a/roles/nginx/files/snippets/header-hsts.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-add_header Expect-CT "max-age=86400, enforce" always;
-add_header Strict-Transport-Security "max-age=31536000" always;
-proxy_hide_header Expect-CT;
-proxy_hide_header Strict-Transport-Security;
diff --git a/roles/nginx/files/snippets/header-security.conf b/roles/nginx/files/snippets/header-security.conf
deleted file mode 100644
index bad6060..0000000
--- a/roles/nginx/files/snippets/header-security.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-add_header Referrer-Policy same-origin always;
-add_header X-Content-Type-Options nosniff always;
-add_header X-Frame-Options sameorigin always;
-add_header X-XSS-Protection "1; mode=block" always;
-proxy_hide_header Referrer-Policy;
-proxy_hide_header X-Content-Type-Options;
-proxy_hide_header X-Frame-Options;
-proxy_hide_header X-XSS-Protection;
diff --git a/roles/nginx/files/snippets/location-acme-srv01.conf b/roles/nginx/files/snippets/location-acme-srv01.conf
deleted file mode 100644
index fed6e58..0000000
--- a/roles/nginx/files/snippets/location-acme-srv01.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-location ^~ /.well-known/acme-challenge {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
- access_log off;
-}
diff --git a/roles/nginx/files/snippets/location-acme.conf b/roles/nginx/files/snippets/location-acme.conf
deleted file mode 100644
index fca5835..0000000
--- a/roles/nginx/files/snippets/location-acme.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-location ^~ /.well-known/acme-challenge {
- root /var/www/_acme-challenge;
- try_files $uri $uri/ =404;
- access_log off;
-}
diff --git a/roles/nginx/files/snippets/no-unsafe-files.conf b/roles/nginx/files/snippets/no-unsafe-files.conf
deleted file mode 100644
index 5a6df31..0000000
--- a/roles/nginx/files/snippets/no-unsafe-files.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-disable_symlinks if_not_owner from=$document_root;
-
-# Do not serve dotfiles.
-location ~ /\. {
- deny all;
- access_log off;
- log_not_found off;
-}
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
deleted file mode 100644
index 15bc297..0000000
--- a/roles/nginx/handlers/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: reload nginx
- service:
- name: nginx
- state: reloaded
-
-- name: restart nginx
- service:
- name: nginx
- state: restarted
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
deleted file mode 100644
index c90aa40..0000000
--- a/roles/nginx/tasks/main.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-- name: install nginx
- apt:
- name: "{{ nginx_packages }}"
- cache_valid_time: 86400
-
-- name: create directories
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- - /var/www/_acme-challenge
- - /var/www/_error-pages
-
-- name: copy error-pages
- copy:
- src: error-pages/
- dest: /var/www/_error-pages/
-
-- name: copy snippets
- copy:
- src: snippets
- dest: /etc/nginx/
-
-- name: copy openssl.cnf
- copy:
- src: openssl.cnf
- dest: /etc/ssl/
- backup: yes
- notify: restart nginx
-
-- name: template nginx.conf
- template:
- src: nginx.conf
- dest: /etc/nginx/
- backup: yes
- notify: reload nginx
-
-- name: remove default site
- file:
- path: /etc/nginx/sites-enabled/default
- state: absent
- notify: reload nginx
diff --git a/roles/nginx/templates/nginx.conf b/roles/nginx/templates/nginx.conf
deleted file mode 100644
index 12032b6..0000000
--- a/roles/nginx/templates/nginx.conf
+++ /dev/null
@@ -1,76 +0,0 @@
-user www-data;
-worker_processes {{ nginx_worker_processes }};
-pid /run/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
-
-events {
- worker_connections {{ nginx_worker_connections }};
- # multi_accept on;
-}
-
-http {
-
- ##
- # Basic Settings
- ##
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- server_tokens off;
-{% if nginx_resolver is defined %}
- resolver {{ nginx_resolver }};
-{% endif %}
-
- # server_names_hash_bucket_size 64;
- # server_name_in_redirect off;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- ##
- # SSL Settings
- ##
-
- ssl_protocols {{ nginx_tls_versions }};
- ssl_ciphers {{ nginx_ciphers }};
- ssl_ecdh_curve {{ nginx_curves }};
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10M;
- ssl_session_timeout 10m;
- ssl_session_tickets off;
-{% if nginx_resolver is defined %}
- ssl_stapling on;
- ssl_stapling_verify on;
-{% endif %}
-
- ##
- # Logging Settings
- ##
-
- log_format privacy '$server_name:$server_port 127.0.0.1 - - [$time_local] "$request" $status $body_bytes_sent';
- access_log {{ nginx_access_log }};
- error_log {{ nginx_error_log }};
-
- ##
- # Gzip Settings
- ##
-
- gzip on;
-
- # gzip_vary on;
- # gzip_proxied any;
- # gzip_comp_level 6;
- # gzip_buffers 16 8k;
- # gzip_http_version 1.1;
- # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
- ##
- # Virtual Host Configs
- ##
-
- include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
-}