Lenverge/roles/projects/templates/nginx-site.conf.j2

server {
    listen 80;
    server_name {{ project.domain }};

    root "{{ project.document_root }}";
    index index.php;

    access_log /var/log/nginx/{{ project.domain }}-access.log;
    error_log /var/log/nginx/{{ project.domain }}-error.log;

    # General performance
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30s;
    types_hash_max_size 2048;
    server_tokens off;

    client_max_body_size 100M;
    client_body_buffer_size 128k;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # Gzip compression
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/json
        application/javascript
        application/x-javascript
        application/xml
        application/xml+rss
        font/ttf
        font/otf
        image/svg+xml;

    # Laravel-friendly routing
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP-FPM handling
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php{{ project.php_version }}-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;

        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        fastcgi_busy_buffers_size 64k;
        fastcgi_temp_file_write_size 64k;
        fastcgi_intercept_errors on;
    }

    # Block hidden files
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # Static file caching
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff2?|ttf|svg|eot)$ {
        expires 30d;
        access_log off;
        add_header Cache-Control "public";
    }

    # Optional: Nginx status endpoint (local only)
    location /nginx_status {
        stub_status;
        allow 127.0.0.1;
        deny all;
    }
}