openpunk-ansible/roles/nginx/tasks/main.yml

---
- name: "Stop Nginx"
  systemd:
    name: nginx
    state: stopped

- name: "Setup Certbot"
  include_role:
    name: geerlingguy.certbot
  vars:
    certbot_admin_email: "{{ contact_email }}"
    certbot_create_if_missing: true
    certbot_create_standalone_stop_services: []
    certbot_certs:
      - domains:
          - "{{ domain }}"
          - "git.{{ domain }}"

- name: "Install Nginx"
  include_role:
    name: geerlingguy.nginx
  vars:
    nginx_listen_ipv6: false
    nginx_vhosts:
      - listen: "443 ssl http2"
        server_name: "{{ domain }}"
        root: "/var/www/{{ domain }}/public"
        index: "index.html index.htm"
        extra_parameters: |
          listen [::]:443 ssl http2;
          location / {
            add_header Permissions-Policy interest-cohort=();
            try_files $uri $uri/ =404;
          }
          ssl_certificate     /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
          ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
          ssl_ciphers         HIGH:!aNULL:!MD5;          
      - listen: "443 ssl http2"
        server_name: "git.{{ domain }}"
        client_max_body_size: "512M"
        extra_parameters: |
          listen [::]:443 ssl http2;
          location / {
            add_header Permissions-Policy interest-cohort=();
            proxy_pass http://localhost:{{ giteaPort }};
            proxy_set_header Connection $http_connection;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
          }
          ssl_certificate     /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
          ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
          ssl_ciphers         HIGH:!aNULL:!MD5;          
      - listen: "127.0.0.1:2171"
        server_name: "{{ onionDomain }}"
        root: "/var/www/{{ domain }}/tor"
        index: "index.html index.htm"
        extra_parameters: |
          location / {
            add_header Permissions-Policy interest-cohort=();
            try_files $uri $uri/ =404;
          }          

- name: "Start Nginx"
  systemd:
    name: nginx
    state: started