Add more configuration files and templates

templates/bad_clients.conf.j2

@@ -0,0 +1,7 @@
+# Managed by Ansible
+
+{% if nginx_bad_client_ip is defined %}
+{% for client in nginx_bad_client_ip %}
+deny {{ client }};
+{% endfor %}
+{% endif %}

templates/local-statistics.j2

@@ -1,9 +1,5 @@
 server {
-{% if inventory_hostname == "sl-nextcloud.kahlo" %}
-    listen 127.0.0.1:81;
-{% else %}
-    listen 127.0.0.1;
-{% endif %}
+    listen 127.0.0.1:{{ nginx_port | default(80) }};
     server_name localhost;
     location /nginx_status {
         stub_status on;

templates/monit.j2

@@ -4,5 +4,5 @@ check process nginx with pidfile /var/run/nginx.pid
   group webserver
   start program = "/usr/sbin/service nginx start"
   stop program = "/usr/sbin/service nginx stop"
-  if failed host 127.0.0.1 port {{ nginx.port |default(80) }} for 3 cycles then restart
+  if failed host 127.0.0.1 port {{ nginx_port | default(80) }} for 3 cycles then restart
   if 5 restarts with 5 cycles then timeout

templates/nginx.conf.j2

@@ -0,0 +1,58 @@
+# Managed by Ansible
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+    worker_connections 768;
+    multi_accept on;
+}
+
+http {
+
+    ##
+    # Basic Settings
+    ##
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    map_hash_max_size 4096;
+    map_hash_bucket_size 128;
+
+    server_names_hash_bucket_size 128;
+
+    client_max_body_size 0;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # Logging Settings
+    ##
+    log_format noip '0.0.0.0 - $remote_user [$time_local]  '
+        '"$host" "$request" $status $body_bytes_sent '
+        '"$http_referer" "$http_user_agent" "$request_time" seconds';
+
+    #access_log /var/log/nginx/access.log noip if=$log_ip;
+    access_log off;
+
+    error_log /var/log/nginx/error.log;
+
+
+    ##
+    # Gzip Settings
+    ##
+    gzip off;
+
+    ##
+    # Virtual Host Configs
+    ##
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}

templates/revers2_proxy.conf.j2

@@ -0,0 +1,22 @@
+# Managed by Ansible
+
+proxy_http_version      1.1;
+proxy_set_header        Host $host;
+proxy_set_header        X-Real-IP $remote_addr;
+proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header        X-Forwarded-Host $host;
+proxy_set_header        X-Forwarded-Proto $scheme;
+#proxy_set_header       X-HTTPS-Protocol $ssl_protocol;
+#proxy_set_header       Accept ""; # Problems with Redmine, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810144
+proxy_set_header        Connection "";
+#proxy_set_header       Referer "";
+
+#proxy_cache            STATIC;
+proxy_cache_valid       200 301 302 4h;
+proxy_cache_valid       404 10m;
+proxy_cache_use_stale   error timeout invalid_header updating http_500 http_502 http_503 http_504;
+proxy_buffering         off;
+
+proxy_connect_timeout   600;
+proxy_send_timeout      600;
+proxy_read_timeout      600;

templates/ssl.conf.j2

@@ -0,0 +1,22 @@
+# Managed by Ansible
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ssl_ecdh_curve secp384r1;
+
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_dhparam {{ dhparam_path }};
+
+# Security Headers
+# Add secure header values if not set upstream
+map $upstream_http_referrer_policy $referrerpolicy {'' no-referrer;}
+map $upstream_http_strict_transport_security $sts {'' "max-age=63072000; includeSubDomains; preload"; }
+map $upstream_http_x_content_type_options $xcontentoptions {'' nosniff;}
+map $upstream_http_x_xss_protection $xxssprotection {'' "1; mode=block";}
+map $upstream_http_x_frame_options $xframeoptions {'' SAMEORIGIN;}