Diffstat (limited to 'roles/elevate/media/templates/nextcloud-nginx.conf.j2')
-rw-r--r--roles/elevate/media/templates/nextcloud-nginx.conf.j215
1 files changed, 15 insertions, 0 deletions
diff --git a/roles/elevate/media/templates/nextcloud-nginx.conf.j2 b/roles/elevate/media/templates/nextcloud-nginx.conf.j2
index 0c39b4a1..50a0cdc5 100644
--- a/roles/elevate/media/templates/nextcloud-nginx.conf.j2
+++ b/roles/elevate/media/templates/nextcloud-nginx.conf.j2
@@ -6,6 +6,19 @@ server {
listen 80;
listen [::]:80;
server_name {{ nextcloud_hostnames | join(' ') }};
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name cloud.example.com;
+
+ include snippets/acmetool.conf;
+ include snippets/ssl.conf;
+ ssl_certificate /var/lib/acme/live/{{ nextcloud_hostnames[0] }}/fullchain;
+ ssl_certificate_key /var/lib/acme/live/{{ nextcloud_hostnames[0] }}/privkey;
+ include snippets/hsts.conf;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
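Review bot: The new TLS server block hard-codes `server_name cloud.example.com;`, while the port-80 block and the certificate paths are driven by `nextcloud_hostnames`. Any other configured hostname is redirected by `return 301 https://$host$request_uri;` to a name this block does not match, so it would be answered by whichever server is the default on 443, with that server's certificate and headers. Use `server_name {{ nextcloud_hostnames | join(' ') }};` here, and confirm that the certificate stored under `nextcloud_hostnames[0]` lists every hostname as a SAN. The server block continues outside the hunk, so the rest of the TLS vhost is not visible from here.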
@@ -78,6 +91,8 @@ server {
location ~ \.(?:css|js|woff2?|svg|gif)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
+ ## It is intended to have hsts duplicated to the one above
+ include snippets/hsts.conf;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
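Review bot: The comment above the added `include snippets/hsts.conf;` says the duplication is intended but not why, which invites a later cleanup that silently drops HSTS on static assets. State the reason in the comment: `## add_header in this location replaces every add_header inherited from the server block, so HSTS must be repeated here`. This assumes snippets/hsts.conf sets the header with add_header, which the hunk does not show. Any other location outside this hunk that carries its own add_header lines would need the same include.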