From 09c48d60bbe72f3f33b6d0019b52579476fe3f8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:10:50 +0200 Subject: [PATCH 1/2] [mod] role:system_basics:install package "acl" --- roles/system_basics/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/system_basics/tasks/main.json b/roles/system_basics/tasks/main.json index d19d6fb..cb39ff3 100644 --- a/roles/system_basics/tasks/main.json +++ b/roles/system_basics/tasks/main.json @@ -21,6 +21,7 @@ "become": true, "ansible.builtin.apt": { "pkg": [ + "acl", "vim", "htop", "tmux", From 54fb0d8dc6f92f1903fae1f8cf6d409f8d1c70e9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 30 Jul 2024 13:29:12 +0000 Subject: [PATCH 2/2] TLS-Schalter --- roles/authelia-and-nginx/defaults/main.json | 3 +- roles/authelia-and-nginx/templates/conf.j2 | 54 +++++---- roles/authelia-and-nginx/vardef.json | 15 +++ roles/dokuwiki-and-nginx/defaults/main.json | 2 +- roles/dokuwiki-and-nginx/templates/conf.j2 | 48 +++++--- roles/dokuwiki-and-nginx/vardef.json | 19 +++ roles/element-and-nginx/defaults/main.json | 3 +- roles/element-and-nginx/templates/conf.j2 | 25 +++- roles/element-and-nginx/vardef.json | 19 +++ roles/gitlab-and-nginx/defaults/main.json | 3 +- roles/gitlab-and-nginx/templates/conf.j2 | 125 +++++++++++--------- roles/gitlab-and-nginx/vardef.json | 19 +++ roles/hedgedoc-and-nginx/defaults/main.json | 3 +- roles/hedgedoc-and-nginx/templates/conf.j2 | 38 ++++-- roles/hedgedoc-and-nginx/vardef.json | 15 +++ roles/synapse-and-nginx/defaults/main.json | 3 +- roles/synapse-and-nginx/templates/conf.j2 | 49 +++++--- roles/synapse-and-nginx/vardef.json | 15 +++ roles/vikunja-and-nginx/defaults/main.json | 3 +- roles/vikunja-and-nginx/templates/conf.j2 | 41 +++++-- roles/vikunja-and-nginx/vardef.json | 15 +++ 21 files changed, 369 insertions(+), 148 deletions(-) create mode 100644 roles/authelia-and-nginx/vardef.json create mode 100644 roles/dokuwiki-and-nginx/vardef.json create mode 100644 roles/element-and-nginx/vardef.json create mode 100644 roles/gitlab-and-nginx/vardef.json create mode 100644 roles/hedgedoc-and-nginx/vardef.json create mode 100644 roles/synapse-and-nginx/vardef.json create mode 100644 roles/vikunja-and-nginx/vardef.json diff --git a/roles/authelia-and-nginx/defaults/main.json b/roles/authelia-and-nginx/defaults/main.json index 7559dcb..0aaf1b7 100644 --- a/roles/authelia-and-nginx/defaults/main.json +++ b/roles/authelia-and-nginx/defaults/main.json 
@@ -1,3 +1,4 @@ { - "var_authelia_and_nginx_domain": "authelia.example.org" + "var_authelia_and_nginx_domain": "authelia.example.org", + "var_authelia_and_nginx_tls_mode": "force" } diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index 231a61d..cd3b8d6 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -1,22 +1,4 @@ -server { - server_name {{var_authelia_and_nginx_domain}}; - - listen [::]:80; - listen 80; - - return 301 https://$server_name$request_uri; -} - -server { - server_name {{var_authelia_and_nginx_domain}}; - - listen [::]:443 ssl http2; - listen 443 ssl http2; - - ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro authelia_common() %} location / { ## Headers proxy_set_header Host $host; @@ -28,7 +10,7 @@ server { proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Connection ""; - + ## Basic Proxy Configuration client_body_buffer_size 128k; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. @@ -37,7 +19,7 @@ server { proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 64 256k; - + ## Trusted Proxies Configuration ## Please read the following documentation before configuring this: ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies @@ -47,7 +29,7 @@ server { # set_real_ip_from fc00::/7; real_ip_header X-Forwarded-For; real_ip_recursive on; - + ## Advanced Proxy Configuration send_timeout 5m; proxy_read_timeout 360; 
@@ -60,4 +42,32 @@ server { location /api/verify { proxy_pass http://localhost:9091; } +{% endmacro %} + +server { + server_name {{var_authelia_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_authelia_and_nginx_tls_mode == 'force') %} + return 301 https://$http_host$request_uri; +{% else %} +{{ authelia_common() }} +{% endif %} } + +{% if (var_authelia_and_nginx_tls_mode != 'disable') %} +server { + server_name {{var_authelia_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + +{{ authelia_common() }} +} +{% endif %} diff --git a/roles/authelia-and-nginx/vardef.json b/roles/authelia-and-nginx/vardef.json new file mode 100644 index 0000000..b78ac7a --- /dev/null +++ b/roles/authelia-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} diff --git a/roles/dokuwiki-and-nginx/defaults/main.json b/roles/dokuwiki-and-nginx/defaults/main.json index 22367fe..d500d18 100644 --- a/roles/dokuwiki-and-nginx/defaults/main.json +++ b/roles/dokuwiki-and-nginx/defaults/main.json @@ -1,5 +1,5 @@ { "var_dokuwiki_and_nginx_directory": "/opt/dokuwiki", "var_dokuwiki_and_nginx_domain": "dokuwiki.example.org", - "var_dokuwiki_and_nginx_tls_enable": true + "var_dokuwiki_and_nginx_tls_mode": "force" } diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 514ceab..e5e5252 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 
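Review bot: The new HTTP-to-HTTPS redirect `return 301 https://$http_host$request_uri;` echoes the client-supplied Host header, where the removed block used `$server_name`. Since `server_name` here is the single fixed domain, `$server_name` redirects to a known destination, whereas `$http_host` will forward any request that lands in this block with an unexpected Host (for instance when this is the first server defined for the address and so acts as default) to whatever host the client named; if the port must survive the redirect that is a reason to keep `$http_host`, otherwise `return 301 https://$server_name$request_uri;` is the safer form. The same pattern appears in the new port-80 blocks of the dokuwiki, element, hedgedoc, synapse and vikunja conf.j2 hunks; the gitlab template already used `$http_host` before this commit.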
@@ -1,22 +1,4 @@ -server { - listen 80; - listen [::]:80; - server_name {{var_dokuwiki_and_nginx_domain}}; - return 301 https://$server_name$request_uri; -} - -server { - listen [::]:443 ssl; - listen 443 ssl; - - server_name {{var_dokuwiki_and_nginx_domain}}; - -{% if var_dokuwiki_and_nginx_tls_enable %} - ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; -{% endif %} - +{% macro dokuwiki_common() %} # Maximum file upload size is 4MB - change accordingly if needed client_max_body_size 4M; client_body_buffer_size 128k; @@ -58,4 +40,32 @@ server { fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; # fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version } +{% endmacro %} + +server { + server_name {{var_dokuwiki_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_dokuwiki_and_nginx_tls_mode == 'force') %} + return 301 https://$http_host$request_uri; +{% else %} +{{ dokuwiki_common() }} +{% endif %} } + +{% if (var_dokuwiki_and_nginx_tls_mode != 'disable') %} +server { + server_name {{var_dokuwiki_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + +{{ dokuwiki_common() }} +} +{% endif %} diff --git a/roles/dokuwiki-and-nginx/vardef.json b/roles/dokuwiki-and-nginx/vardef.json new file mode 100644 index 0000000..8838525 --- /dev/null +++ b/roles/dokuwiki-and-nginx/vardef.json @@ -0,0 +1,19 @@ +{ + "directory": { + "type": "string", + "mandatory": false + }, + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} 
diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json index c7db00b..d9f8e46 100644 --- a/roles/element-and-nginx/defaults/main.json +++ b/roles/element-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { "var_element_and_nginx_domain": "element.example.org", - "var_element_and_nginx_path": "/opt/element" + "var_element_and_nginx_path": "/opt/element", + "var_element_and_nginx_tls_mode": "force" } diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 08330a6..2108550 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -1,14 +1,31 @@ +{% macro element_common() %} +root {{var_element_and_nginx_path}}; +{% endmacro %} + server { + server_name {{var_element_and_nginx_domain}}; + listen 80; listen [::]:80; + +{% if (var_element_and_nginx_tls_mode == 'force') %} + return 301 https://$http_host$request_uri; +{% else %} +{{ element_common() }} +{% endif %} +} + +{% if (var_element_and_nginx_tls_mode != 'disable') %} +server { + server_name {{var_element_and_nginx_domain}}; + listen 443 ssl; listen [::]:443 ssl; - server_name {{var_element_and_nginx_domain}}; - - ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - root {{var_element_and_nginx_path}}; +{{ element_common() }} } +{% endif %} diff --git a/roles/element-and-nginx/vardef.json b/roles/element-and-nginx/vardef.json new file mode 100644 index 0000000..eff28cf --- /dev/null +++ b/roles/element-and-nginx/vardef.json 
@@ -0,0 +1,19 @@ +{ + "domain": { + "mandatory": false, + "type": "string" + }, + "path": { + "mandatory": false, + "type": "string" + }, + "tls_mode": { + "mandatory": false, + "type": "string", + "options": [ + "disable", + "enable", + "force" + ] + } +} diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json index 6bffbd7..2fc356f 100644 --- a/roles/gitlab-and-nginx/defaults/main.json +++ b/roles/gitlab-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { "var_gitlab_and_nginx_domain": "element.example.org", - "var_gitlab_and_nginx_path": "/opt/element" + "var_gitlab_and_nginx_path": "/opt/element", + "var_gitlab_and_nginx_tls_mode": "force" } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index 4208162..fa4e246 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 
@@ -1,64 +1,7 @@ -upstream gitlab-workhorse { - server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0; -} - -map $http_upgrade $connection_upgrade_gitlab_ssl { - default upgrade; - '' close; -} - -log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"'; - -map $request_uri $gitlab_ssl_temp_request_uri_1 { - default $request_uri; - ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; -} - -map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 { - default $gitlab_ssl_temp_request_uri_1; - ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; -} - -map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri { - default $gitlab_ssl_temp_request_uri_2; - ~(?i)^(?.*)(?[\?&]feed[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; -} - -map $http_referer $gitlab_ssl_filtered_http_referer { - default $http_referer; - ~^(?.*)\? 
$temp; -} - -server { - listen 80 default_server; - listen [::]:80 ipv6only=on default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - return 301 https://$http_host$request_uri; - - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; - error_log /var/log/nginx/gitlab_error.log; -} - -server { - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2 default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro gitlab_common() %} real_ip_header X-Real-IP; real_ip_recursive off; - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; - error_log /var/log/nginx/gitlab_error.log; - location / { client_max_body_size 0; gzip off; 
@@ -90,5 +33,71 @@ server { root /home/git/gitlab/public; internal; } +{% endmacro %} + +upstream gitlab-workhorse { + server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0; } +map $http_upgrade $connection_upgrade_gitlab_ssl { + default upgrade; + '' close; +} + +log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"'; + +map $request_uri $gitlab_ssl_temp_request_uri_1 { + default $request_uri; + ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; +} + +map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 { + default $gitlab_ssl_temp_request_uri_1; + ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; +} + +map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri { + default $gitlab_ssl_temp_request_uri_2; + ~(?i)^(?.*)(?[\?&]feed[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; +} + +map $http_referer $gitlab_ssl_filtered_http_referer { + default $http_referer; + ~^(?.*)\? 
$temp; +} + +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 80; + listen [::]:80 ipv6only=on; + +{% if (var_gitlab_and_nginx_tls_mode == 'force') %} + return 301 https://$http_host$request_uri; +{% else %} + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + +{{ gitlab_common() }} +{% endif %} +} + +{% if (var_gitlab_and_nginx_tls_mode != 'disable') %} +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 443 ssl http2; + listen [::]:443 ipv6only=on ssl http2; + + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; + error_log /var/log/nginx/gitlab_error.log; + +{{ gitlab_common() }} +} +{% endif %} diff --git a/roles/gitlab-and-nginx/vardef.json b/roles/gitlab-and-nginx/vardef.json new file mode 100644 index 0000000..eff28cf --- /dev/null +++ b/roles/gitlab-and-nginx/vardef.json @@ -0,0 +1,19 @@ +{ + "domain": { + "mandatory": false, + "type": "string" + }, + "path": { + "mandatory": false, + "type": "string" + }, + "tls_mode": { + "mandatory": false, + "type": "string", + "options": [ + "disable", + "enable", + "force" + ] + } +} diff --git a/roles/hedgedoc-and-nginx/defaults/main.json b/roles/hedgedoc-and-nginx/defaults/main.json index 840159e..aec6aa3 100644 --- a/roles/hedgedoc-and-nginx/defaults/main.json +++ b/roles/hedgedoc-and-nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org" + "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org", + "var_hedgedoc_and_nginx_tls_mode": "force" } diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 467a014..e8fe34b 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 
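Review bot: In the non-force branch of the new port-80 server block, `access_log /var/log/nginx/gitlab_access.log;` has no format argument, so nginx logs with its default format and the `gitlab_ssl_filtered_request_uri` / `gitlab_ssl_filtered_http_referer` maps defined above are bypassed; private_token, authenticity_token and feed_token query values from plaintext requests would land in the access log unredacted, while the TLS block on the same hunk keeps `gitlab_ssl_access`. Use the filtered format in both blocks: `access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;`. Dropping `default_server` from the port-80 listener also looks intended but changes which block catches requests for unknown hosts, which is worth a line in the commit message.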
+++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -3,16 +3,7 @@ map $http_upgrade $connection_upgrade { '' close; } -server { - server_name {{var_hedgedoc_and_nginx_domain}}; - - listen [::]:443 ssl http2; - listen 443 ssl http2; - - ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro hedgedoc_common() %} location / { proxy_pass http://localhost:3000; proxy_set_header Host $host; @@ -30,4 +21,31 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } +{% endmacro %} + +server { + server_name {{var_hedgedoc_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_element_and_nginx_tls_mode == 'force') %} + return 301 https://$http_host$request_uri; +{% else %} +{{ hedgedoc_common() }} +{% endif %} +} + +{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %} +server { + server_name {{var_hedgedoc_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + +{{ hedgedoc_common() }} } diff --git a/roles/hedgedoc-and-nginx/vardef.json b/roles/hedgedoc-and-nginx/vardef.json new file mode 100644 index 0000000..b78ac7a --- /dev/null +++ b/roles/hedgedoc-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} diff --git a/roles/synapse-and-nginx/defaults/main.json b/roles/synapse-and-nginx/defaults/main.json index 8a172d0..cd7ab01 100644 --- a/roles/synapse-and-nginx/defaults/main.json +++ b/roles/synapse-and-nginx/defaults/main.json 
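Review bot: The port-80 block tests the wrong variable: `{% if (var_element_and_nginx_tls_mode == 'force') %}` references the element role's variable instead of `var_hedgedoc_and_nginx_tls_mode`; depending on undefined-variable handling this either fails the play or silently never emits the redirect, so the default "force" would still serve HedgeDoc over plaintext on port 80. In addition the TLS block opened by `{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}` is never closed — the hunk ends with `{{ hedgedoc_common() }}` and the context `}` but, unlike the other templates in this commit, has no `{% endif %}`, so the template cannot render at all. Change the condition to `{% if (var_hedgedoc_and_nginx_tls_mode == 'force') %}` and append `{% endif %}` after the closing brace of the 443 server block.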
@@ -1,3 +1,4 @@ { - "var_synapse_and_nginx_domain": "REPLACE_ME" + "var_synapse_and_nginx_domain": "REPLACE_ME", + "var_synapse_and_nginx_tls_mode": "force" } diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index e59fb99..952b9e4 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -1,19 +1,4 @@ -server { - listen 80; - listen [::]:80; - listen 443 ssl; - listen [::]:443 ssl; - - ## For the federation port - listen 8448 ssl http2 default_server; - listen [::]:8448 ssl http2 default_server; - - server_name {{var_synapse_and_nginx_domain}}; - - ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro synapse_common() %} location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; @@ -24,4 +9,36 @@ server { proxy_http_version 1.1; } +{% endmacro %} + +server { + server_name {{var_synapse_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_synapse_and_nginx_tls_mode == 'force') %} + return 301 https://$http_host$request_uri; +{% else %} +{{ synapse_common() }} +{% endif %} } + +{% if (var_synapse_and_nginx_tls_mode != 'disable') %} +server { + server_name {{var_synapse_and_nginx_domain}}; + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ## For the federation port + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + +{{ synapse_common() }} +} +{% endif %} diff --git a/roles/synapse-and-nginx/vardef.json b/roles/synapse-and-nginx/vardef.json new file mode 100644 index 0000000..b78ac7a --- /dev/null 
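Review bot: The federation listeners `listen 8448 ssl http2 default_server;` now live only inside the TLS-gated server block, so with `tls_mode` set to `disable` port 8448 is not bound at all, and with `enable` or `disable` the `/_matrix` and `/_synapse/client` routes from `synapse_common()` are also exposed on plain port 80. That is presumably deliberate, since Matrix federation requires TLS, but nothing in the template or vardef says so; a comment next to the 8448 lines such as `## federation is TLS-only: with tls_mode 'disable' port 8448 is not served` would spare the next maintainer a surprise. The old single server block served 80, 443 and 8448 together, so this is a behaviour change for anyone relying on the previous layout.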
+++ b/roles/synapse-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} diff --git a/roles/vikunja-and-nginx/defaults/main.json b/roles/vikunja-and-nginx/defaults/main.json index e08064b..63610a2 100644 --- a/roles/vikunja-and-nginx/defaults/main.json +++ b/roles/vikunja-and-nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_vikunja_and_nginx_domain": "vikunja.example.org" + "var_vikunja_and_nginx_domain": "vikunja.example.org", + "var_vikunja_and_nginx_tls_mode": "force" } diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index a9a8241..211f4ea 100644 --- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 @@ -1,17 +1,34 @@ -server { - listen 80; - listen [::]:80; - listen 443 ssl; - listen [::]:443 ssl; - - server_name {{var_vikunja_and_nginx_domain}}; - - ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro vikunja_common() %} location / { proxy_pass http://localhost:3456; client_max_body_size 20M; } +{% endmacro %} + +server { + server_name {{var_vikunja_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_vikunja_and_nginx_tls_mode == 'force') %} + return 301 https://$http_host$request_uri; +{% else %} +{{ vikunja_common() }} +{% endif %} } + +{% if (var_vikunja_and_nginx_tls_mode != 'disable') %} +server { + server_name {{var_vikunja_and_nginx_domain}}; + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + +{{ vikunja_common() }} +} +{% endif %} 
diff --git a/roles/vikunja-and-nginx/vardef.json b/roles/vikunja-and-nginx/vardef.json
new file mode 100644
index 0000000..b78ac7a
--- /dev/null
+++ b/roles/vikunja-and-nginx/vardef.json
@@ -0,0 +1,15 @@
+{
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_mode": {
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ],
+ "mandatory": false
+ }
+}