diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml
index 188f09773a3f6a66008944e3b871c4e46d1d5eca..20c3b76deef59d75c1eb90f289cfb67a0a724fc9 100644
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -18,13 +18,22 @@
 - name: set up sudoers.d for special users
   copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=600
 
+- stat: path="/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"
+  register: certfile
+  tags:
+    - nginx
+
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=644
   notify:
     - restart nginx
+  tags:
+    - nginx
 
 - name: put dbscripts.htpasswd in place
   copy: src=dbscripts.htpasswd dest=/etc/nginx/auth/dbscripts.htpasswd owner=root group=http mode=640
+  tags:
+    - nginx
 
 - name: create Arch Linux-specific users
   user:
diff --git a/roles/dbscripts/templates/nginx.d.conf.j2 b/roles/dbscripts/templates/nginx.d.conf.j2
index 9b1331bb97a3b4b8597d3e66eea658f4b78cbca8..a2b76c441d64630343ff2ddefb8ca1336d0c1e87 100644
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -2,16 +2,32 @@
 server {
     listen 80;
     listen [::]:80;
     server_name {{ repos_domain }};
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        rewrite ^(.*) https://$server_name$1;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ repos_domain }};
     root /srv/ftp;
+{% if certfile.stat.exists %}
+    ssl_certificate /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
+{% endif %}
+
     satisfy any;
 
     location /lastupdate {
         allow all;
     }
 
-    include snippets/letsencrypt.conf;
-
     # Server at velocitynet
     allow 66.211.214.130; # dom0.archlinux.org.
     allow 66.211.214.131; # gudrun.archlinux.org.
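Review bot: The new `stat` task is the only task in this hunk without a `name:`, so it appears in play output as a bare `stat`; give it one, e.g. `- name: check whether the Let's Encrypt certificate for {{ repos_domain }} exists`. Its registered result `certfile` is consumed by the `set up nginx` template task two tasks below, so the two must always run together; the shared `nginx` tag keeps that true for `--tags nginx` runs, but a run that skips or starts after the stat task would presumably fail on an undefined `certfile`, which deserves a comment on the stat task such as `# registers certfile, required by nginx.d.conf.j2`. Only `fullchain.pem` is checked, while the template also references `privkey.pem` and `chain.pem` from the same directory.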
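Review bot: When `certfile.stat.exists` is false the rendered 443 block still carries `listen 443 ssl http2` but no `ssl_certificate`, which nginx rejects at configuration load as far as I know, so the first run before a certificate has been issued would leave nginx unable to start at all — including the port-80 block that has to serve the ACME challenge through `snippets/letsencrypt.conf`. Wrap the whole second `server { … }` and the `location /` redirect in the `{% if certfile.stat.exists %}` guard instead of only the three `ssl_*` directives; the closing `}` of the 443 block lies outside the hunk. The redirect `rewrite ^(.*) https://$server_name$1;` returns a temporary 302; the idiomatic permanent form is `return 301 https://$server_name$request_uri;`. Unless it is set globally, the TLS block should also send `add_header Strict-Transport-Security "max-age=31536000" always;` so clients stop attempting plain HTTP for this host.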