roles/maintenance: Add to the nginx maintenance file the option for having multiple domains. Fix the 503.html path.

Switch from apcu caching to memcached with 512 MiB so that we have a
sustained cached instead of a php-fpm worker based cache which has a
shorter lifetime of 2000 requests before the worker get's killed and
respawned.

The latest tag removes the $wgLogo url which reduces one request per
page load.

With apcu caching the wiki get's ~ 40 req/s more and the latency of the
wiki lowers.

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Enables TLS 1.3.

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites

Where http does not redirect to https. These are package mirrors and
the web key directory.

Levente Polyak authored 5 years ago and Jelle van der Waa committed 5 years ago

Protect from simple privilege escalation attacks on scripts that are
granted privileged execution for unprivileged users by restricting
the PATH to a static set.
Without doing so, it is a trivial attack to provide a binary used
by a privileged script that executes former without an absolute path
to escalate privileges by gaining code execution through that binary.

Anything run with elevated privileges through sudo shall never ever
have the possibility to pass on the unsanatized PATH from an
unprivileged user.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>