Handle nginx configuration in mediawiki role

roles/mediawiki/defaults/main.yml

@@ -1,5 +1,8 @@
 ---
-mediawiki_path: /var/www/wiki.ccchb.de/webroot/w
+mediawiki_domain: wiki.ccchb.de
+
+mediawiki_webroot: /var/www/wiki.ccchb.de/webroot
+mediawiki_path: /w
 
 mediawiki_extensions:
   - CategoryTree
@@ -21,3 +24,23 @@ mediawiki_skins:
 mediawiki_sitename: "CCC Bremen"
 
 mediawiki_email: "webmaster@ccchb.de"
+
+mediawiki_install_nginx: true
+mediawiki_php_socket: "unix:/run/php/php7.3-fpm.sock"
+
+mediawiki_nginx_conf: |
+  listen [::]:443 ssl http2;
+  listen 443 ssl http2;
+
+  server_name {{ mediawiki_domain }};
+
+  root {{ mediawiki_webroot }};
+
+  ssl_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ mediawiki_domain }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ mediawiki_domain }}/chain.pem;
+
+  client_max_body_size 100M;
+
+  include snippets/certbot.conf;
+...

roles/mediawiki/tasks/main.yml

@@ -2,8 +2,20 @@
 - name: Configure Mediawiki
   template:
     src: LocalSettings.php.j2
-    dest: "{{ mediawiki_path }}/LocalSettings.php"
+    dest: "{{ mediawiki_webroot }}/{{ mediawiki_path }}/LocalSettings.php"
     owner: www-data
     group: www-data
     mode: '0600'
 
+- name: Install nginx site
+  template:
+    src: nginx.j2
+    dest: /etc/nginx/sites-available/{{ mediawiki_domain }}
+  when: mediawiki_install_nginx
+
+- name: Activate site {{ mediawiki_install_nginx }}
+  file:
+    src: /etc/nginx/sites-available/{{ mediawiki_domain }}
+    dest: /etc/nginx/sites-enabled/{{ mediawiki_domain }}
+  when: mediawiki_install_nginx
+...

roles/mediawiki/templates/nginx.j2

@@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+
+server {
+	{{ mediawiki_nginx_conf }}
+
+	location ~ ^{{ mediawiki_path }}/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$ {
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		fastcgi_pass {{ mediawiki_php_socket }};
+	}
+
+	# Images
+	location {{ mediawiki_path }}/images {
+		# Separate location for images/ so .php execution won't apply
+	}
+	location {{ mediawiki_path }}/images/deleted {
+		# Deny access to deleted images folder
+		deny all;
+	}
+	# MediaWiki assets (usually images)
+	location ~ ^{{ mediawiki_path }}/resources/(assets|lib|src) {
+		try_files $uri 404;
+		add_header Cache-Control "public";
+		expires 7d;
+	}
+	# Assets, scripts and styles from skins and extensions
+	location ~ ^{{ mediawiki_path }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|wasm)$ {
+		try_files $uri 404;
+		add_header Cache-Control "public";
+		expires 7d;
+	}
+	# Favicon
+	location = /favicon.ico {
+		add_header Cache-Control "public";
+		expires 7d;
+	}
+
+	location {{ mediawiki_path }}/rest.php/ {
+		try_files $uri $uri/ {{ mediawiki_path }}/rest.php?$query_string;
+	}
+
+	# Handling for the article path (pretty URLs)
+	location /wiki/ {
+		rewrite ^/wiki/(?<pagename>.*)$ {{ mediawiki_path }}/index.php;
+	}
+
+	# Allow robots.txt in case you have one
+	location = /robots.txt {
+	}
+	# Explicit access to the root website, redirect to main page (adapt as needed)
+	location = / {
+		return 301 /wiki/Hauptseite;
+	}
+
+	location / {
+		return 404;
+	}
+}