Create roles for symfony app and ssl certificate

2017-09-09 13:09:09 +03:00
parent 15612ad981
commit 9634d7ab61
15 changed files with 350 additions and 145 deletions
--- a/ansible/templates/notes-acme.vhost.j2
+++ b/ansible/templates/notes-acme.vhost.j2
@ -1,15 +0,0 @@
-server {
-    listen 80;
-    server_name notes.anwinged.ru;
-
-    # For Lets Encrypt verify
-    # include acme;
-    location /.well-known {
-        root /var/www/letsencrypt;
-        try_files $uri $uri/ =404;
-    }
-
-    location / {
-        rewrite ^ https://$host$request_uri? permanent;
-    }
-}
--- a/ansible/templates/notes.vhost.j2
+++ b/ansible/templates/notes.vhost.j2
@ -1,62 +0,0 @@
-server {
-    listen 443 ssl http2 deferred;
-    server_name notes.anwinged.ru;
-
-    ssl on;
-    ssl_certificate         /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem;
-    ssl_certificate_key     /etc/letsencrypt/live/notes.anwinged.ru/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem;
-
-    ssl_session_cache shared:SSL:50m;
-    ssl_session_timeout 5m;
-    ssl_stapling on;
-    ssl_stapling_verify on;
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
-    ssl_dhparam /etc/nginx/dhparams.pem;
-    ssl_prefer_server_ciphers on;
-
-    root /var/www/notes/current/web;
-
-    location / {
-        # try to serve file directly, fallback to app.php
-        try_files $uri /app.php$is_args$args;
-    }
-
-    # PROD
-    location ~ ^/app\.php(/|$) {
-        fastcgi_pass unix:/var/run/php{{ php_version }}-fpm.sock;
-        fastcgi_split_path_info ^(.+\.php)(/.*)$;
-        include fastcgi_params;
-
-        # When you are using symlinks to link the document root to the
-        # current version of your application, you should pass the real
-        # application path instead of the path to the symlink to PHP
-        # FPM.
-        # Otherwise, PHP's OPcache may not properly detect changes to
-        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
-        # for more information).
-        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
-        fastcgi_param DOCUMENT_ROOT $realpath_root;
-
-        {% for name, value in app_envs.iteritems() %}
-        fastcgi_param {{ name }} "{{ value }}";
-        {% endfor %}
-
-        # Prevents URIs that include the front controller. This will 404:
-        # http://domain.tld/app.php/some-path
-        # Remove the internal directive to allow URIs like this
-        internal;
-    }
-
-    # return 404 for all other php files not matching the front controller
-    # this prevents access to other php files you don't want to be accessible.
-    location ~ \.php$ {
-        return 404;
-    }
-
-    error_log /var/log/nginx/{{ apps.notes.name }}_error.log;
-    access_log /var/log/nginx/{{ apps.notes.name }}_access.log;
-}