--- security_ssh_permit_root_login: 'yes' security_ssh_port: 2849 firewall_allowed_tcp_ports: - 80 - 443 - 2849 php_default_version_debian: '{{ php_version }}' php_enable_php_fpm: true php_version: 7.4 php_webserver_daemon: nginx php_packages: - 'php{{ php_version }}-cli' - 'php{{ php_version }}-common' - 'php{{ php_version }}-fpm' - 'php{{ php_version }}-gd' - 'php{{ php_version }}-mbstring' - 'php{{ php_version }}-mysql' - 'php{{ php_version }}-pdo' - 'php{{ php_version }}-xml' app_mysql_user: '{{ vault_app_mysql_user }}' app_mysql_password: '{{ vault_app_mysql_password }}' mysql_packages: - mariadb-client - mariadb-server - python-mysqldb mysql_databases: - name: oliverdavies_uk nginx_remove_default_vhost: true nginx_server_tokens: 'off' nginx_vhosts: - listen: 80 default_server server_name: oliverdavies.uk www.oliverdavies.uk return: 301 https://www.oliverdavies.uk$request_uri filename: www.oliverdavies.uk.80.conf - listen: 443 ssl server_name: oliverdavies.uk return: 301 https://www.oliverdavies.uk$request_uri filename: oliverdavies.uk.443.conf extra_parameters: | ssl_certificate /etc/letsencrypt/live/oliverdavies.uk/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/oliverdavies.uk/privkey.pem; - listen: 443 ssl default_server server_name: www.oliverdavies.uk root: '{{ project_root_path }}/{{ ansistrano_current_dir }}/{{ project_web_dir }}' index: index.php index.html extra_parameters: | ssl_certificate /etc/letsencrypt/live/oliverdavies.uk/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/oliverdavies.uk/privkey.pem; location ~ ^/images/(.*) { return 301 /sites/default/files/images/$1; } location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Very rarely should these ever be accessed outside of your lan location ~* \.(txt|log)$ { allow 192.168.0.0/16; deny all; } location ~ \..*/.*\.php$ { return 403; } location ~ ^/sites/.*/private/ { return 403; } # Block access to scripts in site files directory location ~ ^/sites/[^/]+/files/.*\.php$ { deny all; } # Allow "Well-Known URIs" as per RFC 5785 location ~* ^/.well-known/ { allow all; } # Block access to "hidden" files and directories whose names begin with a # period. This includes directories used by version control systems such # as Subversion or Git to store control files. location ~ (^|/)\. { return 403; } location / { try_files $uri /index.php?$query_string; # For Drupal >= 7 } location @rewrite { rewrite ^/(.*)$ /index.php?q=$1; } # Don't allow direct access to PHP files in the vendor directory. location ~ /vendor/.*\.php$ { deny all; return 404; } location ~ '\.php$|^/update.php' { try_files $uri =404; fastcgi_split_path_info ^(.+?\.php)(|/.*)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param QUERY_STRING $query_string; fastcgi_intercept_errors on; fastcgi_pass localhost:9000; } # Fighting with Styles? This little gem is amazing. # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6 location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7 try_files $uri @rewrite; } # Handle private files through Drupal. location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7 try_files $uri /index.php?$query_string; } location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { try_files $uri @rewrite; expires max; log_not_found off; } # Enforce clean URLs if ($request_uri ~* "^(.*/)index\.php(.*)") { return 307 $1$2; } # Talks {% for name in slides_repo_names %} location /slides-{{ name }} { alias /srv/slides-{{ name }}/_static/; } {% endfor %} certbot_create_if_missing: true certbot_create_method: standalone certbot_admin_email: oliver+certbot@oliverdavies.uk certbot_certs: - domains: - oliverdavies.uk - www.oliverdavies.uk slides_repo_names: - working-with-workspace