From 5e4bf1268c266e63d0e92e845ad910a2103b86ff Mon Sep 17 00:00:00 2001
From: Roman Ilin <me@romanilin.is>
Date: Mon, 15 Jun 2026 12:59:09 +0300
Subject:

---
 roles/host/templates/nginx.conf.j2 | 67 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 roles/host/templates/nginx.conf.j2

(limited to 'roles/host/templates/nginx.conf.j2')

diff --git a/roles/host/templates/nginx.conf.j2 b/roles/host/templates/nginx.conf.j2
new file mode 100644
index 0000000..7360cae
--- /dev/null
+++ b/roles/host/templates/nginx.conf.j2
@@ -0,0 +1,67 @@
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 8192;
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+
+events {
+    worker_connections 4096;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    keepalive_timeout   65;
+    types_hash_max_size 4096;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Modern SSL configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+
+    # Redirect all HTTP traffic to HTTPS
+    server {
+        listen 80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
+    }
+
+{% for name, config in containers.items() %}
+{% if config.web_subdomain is defined %}
+    server {
+        listen 443 ssl;         # TCP for HTTP/1.1 & HTTP/2
+        listen 443 quic;        # UDP for HTTP/3 QUIC
+        http2 on;               # Enable HTTP/2 over TCP
+
+        server_name {{ config.web_subdomain }}.{{ vault_public_domain }};
+
+        # Nginx reads them natively, no combining needed
+        ssl_certificate /etc/letsencrypt/live/{{ vault_public_domain }}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/{{ vault_public_domain }}/privkey.pem;
+
+        # Advertise HTTP/3 availability to browsers
+        add_header Alt-Svc 'h3=":443"; ma=2592000' always;
+
+        location / {
+            proxy_pass http://{{ config.ip }}:80;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+        }
+    }
+{% endif %}
+{% endfor %}
+}
-- 
cgit