homeserver-ansible/templates/nginx.conf.j2

worker_processes  1;

events {
    worker_connections 1024;
}

http { include mime.types;

	disable_symlinks off;

	default_type application/octet-stream;
	sendfile on;
	keepalive_timeout 65;
	types_hash_max_size 4096;
	root {{ webroot }}/;

	server {
		if ($host = {{ domain }}) {
			return 301 https://$host$request_uri;
		} # managed by Certbot
	}

	server {

		ssl_certificate /etc/letsencrypt/certs/fullchain_{{ domain }}.crt;
		ssl_certificate_key /etc/letsencrypt/keys/{{ domain }}.key;

		ssl_session_cache    shared:SSL:1m;
		ssl_session_timeout  5m;

		ssl_ciphers  HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers  on;

		listen 443 ssl http2;
		listen [::]:443 ssl http2;

		listen 8448 ssl http2 default_server;
		listen [::]:8448 ssl http2 default_server;

		server_name {{ domain }};

		location ~* ^(\/_matrix|\/_synapse\/client) {
			proxy_pass http://localhost:8008;
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header Host $host;

			client_max_body_size 50M;
		}

		location = / {
			return 301 https://{{ domain }}/site/index.html;
		}

		location /site {
			index  index.html;
		}

		location /wiki {
			index index.php;
		}

		location /rw {
			index index.php;
		}

		location /git/ {
			proxy_pass http://localhost:3000/ ;
		}

		location ~ \.php$ {
			# 404
			try_files $fastcgi_script_name =404;

			# default fastcgi_params
			include fastcgi_params;

			# fastcgi settings
			fastcgi_pass			unix:/run/php-fpm/php-fpm.sock;
			fastcgi_index			index.php;
			fastcgi_buffers			8 16k;
			fastcgi_buffer_size		32k;

			# fastcgi params
			fastcgi_param DOCUMENT_ROOT	$realpath_root;
			fastcgi_param SCRIPT_FILENAME	$realpath_root$fastcgi_script_name;
			#fastcgi_param PHP_ADMIN_VALUE	"open_basedir=$base/:/usr/lib/php/:/tmp/";
		    }
}
}