From 6d42a70bd411417223c9030ee7c523b577938e1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Wed, 3 Jul 2024 22:10:07 +0200
Subject: [PATCH] [mod] roles:dokuwiki-and-nginx:tls mode

---
 roles/dokuwiki-and-nginx/defaults/main.json | 2 +-
 roles/dokuwiki-and-nginx/templates/conf.j2 | 48 +++++++++++++--------
 roles/dokuwiki-and-nginx/vardef.json | 19 ++++++++
 3 files changed, 49 insertions(+), 20 deletions(-)
 create mode 100644 roles/dokuwiki-and-nginx/vardef.json

diff --git a/roles/dokuwiki-and-nginx/defaults/main.json b/roles/dokuwiki-and-nginx/defaults/main.json
index 22367fe..05e1d7f 100644
--- a/roles/dokuwiki-and-nginx/defaults/main.json
+++ b/roles/dokuwiki-and-nginx/defaults/main.json
@@ -1,5 +1,5 @@
 {
 "var_dokuwiki_and_nginx_directory": "/opt/dokuwiki",
 "var_dokuwiki_and_nginx_domain": "dokuwiki.example.org",
- "var_dokuwiki_and_nginx_tls_enable": true
+ "var_dokuwiki_and_nginx_tls_mode": "enable"
 }
diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2
index 514ceab..03cbbda 100644
--- a/roles/dokuwiki-and-nginx/templates/conf.j2
+++ b/roles/dokuwiki-and-nginx/templates/conf.j2
@@ -1,22 +1,4 @@
-server {
- listen 80;
- listen [::]:80;
- server_name {{var_dokuwiki_and_nginx_domain}};
- return 301 https://$server_name$request_uri;
-}
-
-server {
- listen [::]:443 ssl;
- listen 443 ssl;
-
- server_name {{var_dokuwiki_and_nginx_domain}};
-
-{% if var_dokuwiki_and_nginx_tls_enable %}
- ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
- ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
- include /etc/nginx/ssl-hardening.conf;
-{% endif %}
-
+{% macro dokuwiki_common() %}
 # Maximum file upload size is 4MB - change accordingly if needed
 client_max_body_size 4M;
 client_body_buffer_size 128k;
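Review bot: The new default `"var_dokuwiki_and_nginx_tls_mode": "enable"` changes the out-of-the-box behaviour: with the old `tls_enable: true` every port-80 request was redirected to HTTPS, whereas the `enable` branch of conf.j2 in this patch serves the wiki itself on plain HTTP next to the TLS vhost, so DokuWiki logins can travel unencrypted unless an inventory explicitly sets `force`. If the old always-redirect behaviour is meant to stay the baseline, the default should be `"var_dokuwiki_and_nginx_tls_mode": "force"`; otherwise the downgrade deserves a comment in the role documentation. The key rename also has no compatibility shim, so hosts that still set `var_dokuwiki_and_nginx_tls_enable` silently fall back to this default.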
@@ -58,4 +40,32 @@ server {
 fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
 # fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version
 }
+{% endif %}
+
+server {
+ server_name {{var_dokuwki_and_nginx_domain}};
+
+ listen 80;
+ listen [::]:80;
+
+{% if (var_dokuwki_and_nginx_tls_mode == "force") %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+ {{ dokuwki_common() }}
+{% endif %}
 }
+
+{% if (var_element_and_nginx_tls_mode != "disable") %}
+server {
+ server_name {{var_dokuwki_and_nginx_domain}};
+
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+
+ ssl_certificate_key /etc/ssl/private/{{var_dokuwki_and_nginx_domain}}.pem;
+ ssl_certificate /etc/ssl/fullchains/{{var_dokuwki_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+ {{ dokuwki_common() }}
+}
+{% endif %}
diff --git a/roles/dokuwiki-and-nginx/vardef.json b/roles/dokuwiki-and-nginx/vardef.json
new file mode 100644
index 0000000..a3fa777
--- /dev/null
+++ b/roles/dokuwiki-and-nginx/vardef.json
@@ -0,0 +1,19 @@
+{
+ "directory": {
+ "type": "string",
+ "mandatory": false
+ },
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_mode": {
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ],
+ "mandatory": false
+ }
+}
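Review bot: The macro opened with `{% macro dokuwiki_common() %}` in the first conf.j2 hunk is closed here by `+{% endif %}` instead of `{% endmacro %}`, so unless the unchanged lines 5–39 (outside both hunks) open a matching `{% if %}`, the template cannot render; the line after the closing `}` should read `{% endmacro %}`. The identifiers in this hunk also do not match the rest of the role: the macro is invoked as `dokuwki_common()` but defined as `dokuwiki_common`, the variables are spelled `var_dokuwki_and_nginx_domain` / `var_dokuwki_and_nginx_tls_mode` while defaults/main.json defines `var_dokuwiki_and_nginx_*`, and the 443 block is gated on `var_element_and_nginx_tls_mode`, which looks copied from another role and would make the HTTPS server depend on a variable this role never defines. The redirect was changed from the previous `$server_name` to `https://$http_host$request_uri`; `$http_host` echoes the client-supplied Host header, so if this server block ever acts as the default vhost the redirect target is no longer pinned to the configured domain — `return 301 https://$server_name$request_uri;` keeps the old guarantee. The enclosing location/server block of the first context lines starts outside the hunk.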