1. Permanent redirect from / to index.php

location = / {
        rewrite ^ $scheme://$host/index.php permanent;
    }

    location / {
        deny all;
        return 404;
    }
    location ~* ^/index\.php$ {
        try_files $uri $uri/ =404;
        fastcgi_index index.php;
        fastcgi_pass php5-fpm-sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }

Very strange logic, especially the use of $host and the incorrect use of try_files. Read about try_files here .

$host
in order of precedence: the hostname from the query string, or the hostname from the “Host” field of the request header, or the name of the server matching the request

If you have not defined default_server and server_name site.ru; is the first in the list, then you will receive all requests with any Host field, including an empty one, which is a very dangerous practice.
It is better to use the $server_name variable, but anyway, if you need to process requests for any url only through index.php, then it is done correctly like this:
/NONEXISTENTFILE change to a fake file in advance that cannot exist, for example /d7sdhsdhsdf8sfhgsfd8fh438dfjh

...
        error_page 404 = @cms;

        location / {
            try_files /NONEXISTENTFILE @cms;
        }

        location @cms {
                fastcgi_pass      unix:/var/lib/php5-fpm/xxxxx.sock;
                fastcgi_index    index.php;
                fastcgi_param   SCRIPT_FILENAME $document_root/index.php;
                fastcgi_param   SCRIPT_NAME /index.php;
                include             /etc/nginx/fastcgi_params;
        }
...

2. Disable any static except gif|jpg|png|js|css|ttf|woff|ico

location ~* \.(gif|jpg|png|js|css|ttf|woff|ico)$ {
        try_files $uri =404;
        expires 30d;
    }

It would be more logical and correct to do this:
try_files $uri =404; we won't need it, because we have error_page 404 = @cms; which, if there is no image, will redirect the request to @cms

...
        error_page 404 = @cms;

        location ~* ^.+\.(gif|jpg|png|js|css|ttf|woff|ico)$ {
                expires 30d;
                access_log off;
                log_not_found off;
        }

        location / {
            try_files /NONEXISTENTFILE @cms;
        }
...

Regarding json.php and, in principle, access restrictions, it is more correct to do this through map or geo, for example like this:

http {
....
        geo $my_client_ip $denied {
                default 1;
                127.0.0.1 0;
                XX.XX.XX.XX 0; # <- IP1 с которого можно заходить
                YY.YY.YY.YY 0;    # <- IP2 с которого можно заходить
        }

server {
        listen       443 ssl;
        server_name  site.ru;
        root         /var/www/html/;
...
        set $my_client_ip $remote_addr;
        if ($http_x_forwarded_client_ip ~ "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") {
                set $my_client_ip $http_x_forwarded_client_ip;
        }

        error_page 403 = @deny;

        location @deny {
                root /var/www/deny;
                rewrite ^(.*)$ /index.html break;
        }

        location ~* ^/json\.php$ {
                if ($denied) {
                        return 403;
                }
                try_files /NONEXISTENTFILE @json;
        }

        location @json {
                try_files       $uri = 404;
                fastcgi_pass    unix:/var/lib/php5-fpm/xxxxx.sock;
                fastcgi_index   index.php;
                fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include         /etc/nginx/fastcgi_params;
        }

}
}

Don't do it! Organize a separate subdomain for phpMyAdmin with a separate virtual server and separate php5-fpm processing through a separate socket.
Never store "left" (auxiliary) utilities in the general directory of a web application, this is a bad practice. For example: If a critical vulnerability is found in phpMyAdmin, then even if access to it from a certain IP is restricted, there is a possibility that it can be exploited and then your web application will be broken through it - do you need it?
About location ~* /admin/ the same as for json.php.
Well, I support all the recommendations above from Kirill Nesmeyanov regarding hsts, ssl, ciphers, dh, ocsp stapling.

Like 0 comments

1) There is no hsts header
2) SSL protocols are not specified, it is worth explicitly setting TLS, because the rest are potentially insecure
3) No ciphers enumeration (weak and insecure algorithms are potentially acceptable)
4) No diff key
5) A potentially insecure and outdated version of PHP is used
6) Server headers are enabled (not disabled) (i.e. information about that nginx is used)
7) There are no OCSP Stapling settings (as far as I remember - there may be problems with revoked x.509 certificates)
Regarding the settings of the urls themselves - xs. The best protection and most adequate is to simply store in the web root only what can be accessed outside, as all adequate frames do, for example:https://github.com/laravel/laravel/tree/master/public
This means that in your case there should be only two of them - these are index and json (the second one is simply covered by IP address), the rest of the options do not guarantee anything.
Same thing with phpmyadmin. Why is he? Is it possible that workbench, phpstorm or something else with a connection through an ssh tunnel using a certificate will be less convenient or safer? I do not believe.
I agree with the admin panel, but everything seems to be within the normal range there. It just seems to make sense to reconfigure it in some way (not necessarily right, because I did not check how the example works) in a way:

location ~ /admin/*.\.php$ {
    try_files $uri $uri/ /admin/index.php?$query_string =404;
    // ...
}

why do you need such a monster as phpMyAdmin?
adminer is one file and replaces this whole combine.