dbscripts: Add HTTPS for the dev mirror

Signed-off-by: Florian Pritz <bluewind@xinu.at>

roles/dbscripts/tasks/main.yml

@@ -18,13 +18,22 @@
 - name: set up sudoers.d for special users
   copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=600
 
+- stat: path="/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"
+  register: certfile
+  tags:
+    - nginx
+
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=644
   notify:
     - restart nginx
+  tags:
+    - nginx
 
 - name: put dbscripts.htpasswd in place
   copy: src=dbscripts.htpasswd dest=/etc/nginx/auth/dbscripts.htpasswd owner=root group=http mode=640
+  tags:
+    - nginx
 
 - name: create Arch Linux-specific users
   user:

roles/dbscripts/templates/nginx.d.conf.j2

@@ -2,16 +2,32 @@ server {
     listen       80;
     listen       [::]:80;
     server_name  {{ repos_domain }};
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        rewrite ^(.*) https://$server_name$1;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ repos_domain }};
     root         /srv/ftp;
 
+{% if certfile.stat.exists %}
+    ssl_certificate      /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
+{% endif %}
+
     satisfy  any;
 
     location /lastupdate {
         allow all;
     }
 
-    include snippets/letsencrypt.conf;
-
     # Server at velocitynet
     allow  66.211.214.130; # dom0.archlinux.org.
     allow  66.211.214.131; # gudrun.archlinux.org.