-rw-r--r--dan/ele-media.yml1
-rw-r--r--roles/collabora/code/tasks/main.yml6
-rw-r--r--roles/collabora/code/templates/nginx-vhost.conf.j2108
-rw-r--r--roles/nextcloud/tasks/main.yml4
-rw-r--r--roles/nginx/base/defaults/main.yml1
-rw-r--r--roles/nginx/base/files/snippets/proxy-forward-headers.conf5
-rw-r--r--roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j210
7 files changed, 123 insertions, 12 deletions
diff --git a/dan/ele-media.yml b/dan/ele-media.yml
index 0082c39f..e40fbfb6 100644
--- a/dan/ele-media.yml
+++ b/dan/ele-media.yml
@@ -11,4 +11,5 @@
- role: apt-repo/spreadspace
- role: mysql
- role: docker
+ - role: nginx/base
- role: elevate/media
diff --git a/roles/collabora/code/tasks/main.yml b/roles/collabora/code/tasks/main.yml
index 77bd79a7..ce88fe0d 100644
--- a/roles/collabora/code/tasks/main.yml
+++ b/roles/collabora/code/tasks/main.yml
@@ -23,10 +23,6 @@
vars:
nginx_vhost:
name: "collabora-code-{{ item.key }}"
- template: generic-proxy-no-buffering-with-acme
+ content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
acme: true
hostnames: "{{ item.value.hostnames }}"
- proxy_pass: "http://127.0.0.1:{{ item.value.port }}"
- proxy_redirect:
- redirect: "http://$host:9980/"
- replacement: "https://$host/"
diff --git a/roles/collabora/code/templates/nginx-vhost.conf.j2 b/roles/collabora/code/templates/nginx-vhost.conf.j2
new file mode 100644
index 00000000..c0186df2
--- /dev/null
+++ b/roles/collabora/code/templates/nginx-vhost.conf.j2
@@ -0,0 +1,108 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ item.value.hostnames | join(' ') }};
+
+ include snippets/acmetool.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ item.value.hostnames | join(' ') }};
+
+ include snippets/acmetool.conf;
+ include snippets/ssl.conf;
+ ssl_certificate /var/lib/acme/live/{{ item.value.hostnames[0] }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ item.value.hostnames[0] }}/privkey;
+ include snippets/hsts.conf;
+
+
+ client_max_body_size 128M;
+
+ # static files
+ location ^~ /loleaflet {
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
+
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
+
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+ }
+
+ # WOPI discovery URL
+ location ^~ /hosting/discovery {
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
+
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
+
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+ }
+
+ # Capabilities
+ location ^~ /hosting/capabilities {
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
+
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
+
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+ }
+
+ # main websocket
+ location ~ ^/lool/(.*)/ws$ {
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_read_timeout 36000s;
+
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
+
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+ }
+
+ # download, presentation and image upload
+ location ~ ^/lool {
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
+
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
+
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+ }
+
+ # Admin Console websocket
+ location ^~ /lool/adminws {
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_read_timeout 36000s;
+
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
+
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+ }
+}
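Review bot: The Admin Console websocket at `location ^~ /lool/adminws` is proxied to the backend with no access restriction in this vhost, so the console is reachable from every client the 443 listener accepts; limiting it in nginx (for example `allow`/`deny` rules for the management network, or disabling the console at the backend if it is unused) would reduce the exposed surface. The two websocket locations also use `$connection_upgrade`, which only exists if a `map $http_upgrade $connection_upgrade` is defined at http level — nothing in this diff defines it, so presumably nginx/base provides it; if not, nginx will refuse to load the configuration. The five location blocks repeat the same include/`proxy_set_header Host`/`proxy_pass`/`proxy_redirect` stanza; moving it into a snippet or a Jinja macro would leave only the per-location differences (the upgrade headers and the 36000s read timeout) visible. The double blank line after `include snippets/hsts.conf;` can be collapsed as well.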
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index cf710f7a..1b863ec7 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -147,5 +147,7 @@
client_max_body_size: "512M"
proxy_pass: "http://127.0.0.1:{{ item.value.port }}"
proxy_redirect:
- redirect: "http://$host:8080/"
+ - redirect: "http://$host/"
+ replacement: "https://$host/"
+ - redirect: "http://$host:8080/"
replacement: "https://$host/"
diff --git a/roles/nginx/base/defaults/main.yml b/roles/nginx/base/defaults/main.yml
index 50920f20..f460fa91 100644
--- a/roles/nginx/base/defaults/main.yml
+++ b/roles/nginx/base/defaults/main.yml
@@ -8,3 +8,4 @@ nginx_snippets:
- ssl
- hsts
- proxy-nobuff
+ - proxy-forward-headers
diff --git a/roles/nginx/base/files/snippets/proxy-forward-headers.conf b/roles/nginx/base/files/snippets/proxy-forward-headers.conf
new file mode 100644
index 00000000..01ec0d7e
--- /dev/null
+++ b/roles/nginx/base/files/snippets/proxy-forward-headers.conf
@@ -0,0 +1,5 @@
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-Port $server_port;
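Review bot: `X-Forwarded-Ssl on` is hard-coded, so any plain-HTTP listener that includes this snippet will tell the upstream it is behind TLS; since `$scheme` is already passed in `X-Forwarded-Proto`, either derive the value from it or document the constraint at the top of the file, e.g. `# include only from TLS server blocks: X-Forwarded-Ssl is set unconditionally`. It is also worth noting in a header comment that `$proxy_add_x_forwarded_for` appends to a client-supplied `X-Forwarded-For` rather than replacing it, so the upstream application must treat only the rightmost entry (the one nginx adds) as trustworthy when deriving the client address.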
diff --git a/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2 b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
index 0d3e1db2..1003ab88 100644
--- a/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
+++ b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
@@ -28,11 +28,7 @@ server {
{% endif %}
proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Ssl on;
- proxy_set_header X-Forwarded-Port $server_port;
+ include snippets/proxy-forward-headers.conf;
# for websockets
proxy_set_header Upgrade $http_upgrade;
@@ -40,7 +36,9 @@ server {
proxy_pass {{ nginx_vhost.proxy_pass }};
{% if 'proxy_redirect' in nginx_vhost %}
- proxy_redirect {{ nginx_vhost.proxy_redirect.redirect }} {{ nginx_vhost.proxy_redirect.replacement }};
+{% for entry in nginx_vhost.proxy_redirect %}
+ proxy_redirect {{ entry.redirect }} {{ entry.replacement }};
+{% endfor %}
{% endif %}
}
}
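Review bot: The new loop at `{% for entry in nginx_vhost.proxy_redirect %}` changes `proxy_redirect` from a single mapping to a list, and a caller that still passes the old mapping will iterate over its keys, so `entry.redirect` becomes undefined and the template either fails to render or emits an invalid `proxy_redirect` line that nginx rejects on reload. The commit updates the nextcloud and collabora callers, but other callers outside this diff may exist; accepting both shapes keeps them working, e.g. `{% for entry in ([nginx_vhost.proxy_redirect] | flatten) %}`, which leaves a list unchanged and wraps a lone mapping. The enclosing `server` block starts and ends outside the hunk.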