From 9d3683370f1a922e91c4600ad7674812b12b6bea Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Tue, 26 Jul 2016 20:47:22 +0200
Subject: [PATCH] dbscripts: Add HTTPS for the dev mirror

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 roles/dbscripts/tasks/main.yml            |  9 +++++++++
 roles/dbscripts/templates/nginx.d.conf.j2 | 20 ++++++++++++++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml
index 188f09773..20c3b76de 100644
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -18,13 +18,22 @@
 - name: set up sudoers.d for special users
   copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=600
 
+- stat: path="/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"
+  register: certfile
+  tags:
+    - nginx
+
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=644
   notify:
     - restart nginx
+  tags:
+    - nginx
 
 - name: put dbscripts.htpasswd in place
   copy: src=dbscripts.htpasswd dest=/etc/nginx/auth/dbscripts.htpasswd owner=root group=http mode=640
+  tags:
+    - nginx
 
 - name: create Arch Linux-specific users
   user:
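Review bot: The new `stat` task is the only task in this hunk without a `name:`, so it shows up in play output as just "stat" while every sibling task is named; give it one, e.g. `- name: check whether the letsencrypt certificate for {{ repos_domain }} exists`. The registered `certfile` result is what decides whether the nginx template renders the `ssl_certificate` directives, so the rendered config is only correct if the certificate has already been issued before this role runs — presumably by a separate certbot/letsencrypt role, in which case a short comment above the task stating that ordering dependency (and that a re-run is needed after the first issuance) would save the next maintainer a debugging session. The `user:` task at the end of the hunk continues outside it.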
diff --git a/roles/dbscripts/templates/nginx.d.conf.j2 b/roles/dbscripts/templates/nginx.d.conf.j2
index 9b1331bb9..a2b76c441 100644
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -2,16 +2,32 @@ server {
     listen       80;
     listen       [::]:80;
     server_name  {{ repos_domain }};
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        rewrite ^(.*) https://$server_name$1;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ repos_domain }};
     root         /srv/ftp;
 
+{% if certfile.stat.exists %}
+    ssl_certificate      /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
+{% endif %}
+
     satisfy  any;
 
     location /lastupdate {
         allow all;
     }
 
-    include snippets/letsencrypt.conf;
-
     # Server at velocitynet
     allow  66.211.214.130; # dom0.archlinux.org.
     allow  66.211.214.131; # gudrun.archlinux.org.
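Review bot: When `certfile.stat.exists` is false the second `server` block is still rendered with `listen 443 ssl http2` but no `ssl_certificate`, which nginx rejects at config load (or, on older builds, fails every TLS handshake), and the port-80 block meanwhile unconditionally rewrites every request to HTTPS — so on a host without a certificate yet the handler restart leaves the mirror unreachable. Moving the `{% if %}` up so that it also gates the redirect `location /` and the start of the 443 server (with the `{% endif %}` after the `ssl_*` lines) keeps plain HTTP serving until the certificate exists and gives the ACME challenge in `snippets/letsencrypt.conf` a working port-80 vhost to bootstrap from. The `rewrite ^(.*) https://$server_name$1;` also carries no `permanent` flag, so clients get a 302; `return 301 https://$server_name$request_uri;` is the idiomatic and cacheable form. No `ssl_protocols`/`ssl_ciphers` are set here, so they are presumably inherited from the global `http` block — worth confirming. The 443 server block continues past the end of the hunk.
```nginx
    include snippets/letsencrypt.conf;

{% if certfile.stat.exists %}
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  {{ repos_domain }};
    ssl_certificate      /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
{% endif %}
    root         /srv/ftp;
# … unchanged: satisfy any, /lastupdate location, allow list …
```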
-- 
GitLab