From 4c577dcbe2bd2abe8710b6fef2e12d70ccade47a Mon Sep 17 00:00:00 2001
From: Fenris Wolf
Date: Fri, 25 Oct 2024 00:36:42 +0200
Subject: [PATCH] [fix] role:zeitbild_backend-and-nginx

---
 .../defaults/main.json | 2 +-
 .../templates/conf.j2 | 47 +++++++++++--------
 roles/zeitbild_backend-and-nginx/vardef.json | 19 ++++++++
 3 files changed, 48 insertions(+), 20 deletions(-)
 create mode 100644 roles/zeitbild_backend-and-nginx/vardef.json

diff --git a/roles/zeitbild_backend-and-nginx/defaults/main.json b/roles/zeitbild_backend-and-nginx/defaults/main.json
index 998d216..20fef90 100644
--- a/roles/zeitbild_backend-and-nginx/defaults/main.json
+++ b/roles/zeitbild_backend-and-nginx/defaults/main.json
@@ -1,5 +1,5 @@
 {
 "var_zeitbild_backend_and_nginx_domain": "zeitbild.example.org",
 "var_zeitbild_backend_and_nginx_port": 7845,
- "var_zeitbild_backend_and_nginx_tls": true
+ "var_zeitbild_backend_and_nginx_tls_mode": "force"
 }
diff --git a/roles/zeitbild_backend-and-nginx/templates/conf.j2 b/roles/zeitbild_backend-and-nginx/templates/conf.j2
index 8ce1357..347ed3f 100644
--- a/roles/zeitbild_backend-and-nginx/templates/conf.j2
+++ b/roles/zeitbild_backend-and-nginx/templates/conf.j2
@@ -1,22 +1,4 @@
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-server {
- server_name {{var_zeitbild_backend_and_nginx_domain}};
-
- listen 80;
- listen [::]:80;
-{% if var_zeitbild_backend_and_nginx_tls %}
- listen [::]:443 ssl http2;
- listen 443 ssl http2;
-
- ssl_certificate /etc/ssl/certs/{{var_zeitbild_backend_and_nginx_domain}}.pem;
- ssl_certificate_key /etc/ssl/private/{{var_zeitbild_backend_and_nginx_domain}}.pem;
- include /etc/nginx/ssl-hardening.conf;
-{% endif %}
-
+{% macro zeitbild_backend_common() %}
 location / {
 proxy_pass http://localhost:{{var_zeitbild_backend_and_nginx_port | string}};
 proxy_set_header Host $host;
@@ -24,4 +6,31 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 }
+{% endmacro %}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{var_zeitbild_backend_and_nginx_domain}};
+
+{% if var_zeitbild_backend_and_nginx_tls_mode == 'force' %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+{{ zeitbild_backend_common() }}
+{% endif %}
+}
+
+{% if var_zeitbild_backend_and_nginx_tls_mode != 'disable' %}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{var_zeitbild_backend_and_nginx_domain}};
+
+ ssl_certificate_key /etc/ssl/private/{{var_zeitbild_backend_and_nginx_domain}}.pem;
+ ssl_certificate /etc/ssl/fullchains/{{var_zeitbild_backend_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+{{ zeitbild_backend_common() }}
 }
diff --git a/roles/zeitbild_backend-and-nginx/vardef.json b/roles/zeitbild_backend-and-nginx/vardef.json
new file mode 100644
index 0000000..882b53b
--- /dev/null
+++ b/roles/zeitbild_backend-and-nginx/vardef.json
@@ -0,0 +1,19 @@
+{
+ "domain": {
+ "mandatory": false,
+ "type": "string"
+ },
+ "port": {
+ "mandatory": false,
+ "type": "integer"
+ },
+ "tls_mode": {
+ "mandatory": false,
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ]
+ }
+}
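Review bot: The `{% if var_zeitbild_backend_and_nginx_tls_mode != 'disable' %}` that opens the 443 server block has no matching `{% endif %}` before the closing `}` context line, so unless the template continues past this hunk, rendering aborts on an unclosed block and nginx gets no configuration at all. Add `{% endif %}` as the last line after that `}`. In the `force` branch, `return 301 https://$http_host$request_uri;` copies the client-supplied Host header into the redirect target; `$host` is normalised by nginx and falls back to `server_name`, so `return 301 https://$host$request_uri;` keeps the redirect anchored to the configured domain. The new `listen 443 ssl;` lines also drop the `http2` parameter that the replaced listeners carried; if that was not intended, restore it (or use the `http2 on;` directive on nginx releases that support it).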
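Review bot: The `options` list declares `enable` as a distinct value, but the template in this commit only tests for `'force'` and `'disable'`, so `enable` and any unrecognised string (a typo such as `enabled`) render identically as plain HTTP plus TLS; if the role does not enforce this list before templating, add a check (for example an `assert` task) so an unknown value fails the run instead of silently picking a mode. Since the default in `defaults/main.json` was renamed from the boolean `var_zeitbild_backend_and_nginx_tls` to `var_zeitbild_backend_and_nginx_tls_mode`, an inventory that still sets the old boolean is now ignored and gets `force`, which on a host without the certificate files means nginx fails to start; the same check could flag the old variable name. A short description of each mode in this file (or the role README) would also help, e.g. `"force"` redirects 80 to 443, `"enable"` serves both, `"disable"` serves 80 only.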