From 1879310d4ae205b6f25b8a8a43dfd4cfee783b8b Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 9 Oct 2023 23:04:16 +0200
Subject: nginx/vhost: make generic template more generic
---
roles/nginx/vhost/templates/generic.conf.j2 | 56 +++-------------------
roles/nginx/vhost/templates/no-tls.conf.j2 | 17 +++++++
roles/nginx/vhost/templates/tls-only.conf.j2 | 27 +++++++++++
.../vhost/templates/tls-with-redirect.conf.j2 | 53 ++++++++++++++++++++
roles/nginx/vhost/templates/tlsonly.conf.j2 | 27 -----------
5 files changed, 103 insertions(+), 77 deletions(-)
create mode 100644 roles/nginx/vhost/templates/no-tls.conf.j2
create mode 100644 roles/nginx/vhost/templates/tls-only.conf.j2
create mode 100644 roles/nginx/vhost/templates/tls-with-redirect.conf.j2
delete mode 100644 roles/nginx/vhost/templates/tlsonly.conf.j2
(limited to 'roles/nginx/vhost')
diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2
index cdf267ab..21aa69ff 100644
--- a/roles/nginx/vhost/templates/generic.conf.j2
+++ b/roles/nginx/vhost/templates/generic.conf.j2
@@ -1,53 +1,9 @@
-server {
-{% for listen in (nginx_vhost.listen | default(['80', '[::]:80'])) %}
- listen {{ listen }}{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
-{% endfor %}
- server_name {{ nginx_vhost.hostnames | default(['_']) | join(' ') }};
-
-{% if 'logs' in nginx_vhost %}
-{% if 'access' in nginx_vhost.logs %}
- access_log {{ nginx_vhost.logs.access }};
-{% endif %}
-{% if 'error' in nginx_vhost.logs %}
- error_log {{ nginx_vhost.logs.error }};
-{% endif %}
-
-{% endif %}
 {% if 'tls' in nginx_vhost %}
-{% if nginx_vhost.tls.certificate_provider == 'acmetool' or nginx_vhost.tls.certificate_provider == 'uacme' %}
- include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;
-
-{% endif %}
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
-{% for listen in (nginx_vhost.tls.listen | default(['443', '[::]:443'])) %}
- listen {{ listen }} ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
-{% endfor %}
- server_name {{ nginx_vhost.hostnames | default(['_']) | join(' ') }};
-
-{% if 'logs' in nginx_vhost %}
-{% if 'access' in nginx_vhost.logs %}
- access_log {{ nginx_vhost.logs.access }};
-{% endif %}
-{% if 'error' in nginx_vhost.logs %}
- error_log {{ nginx_vhost.logs.error }};
-{% endif %}
-
-{% endif %}
-{% if nginx_vhost.tls.certificate_provider == 'acmetool' or nginx_vhost.tls.certificate_provider == 'uacme' %}
- include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;
-{% endif %}
- include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf;
- ssl_certificate {{ x509_certificate_path_fullchain }};
- ssl_certificate_key {{ x509_certificate_path_key }};
-{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %}
- include snippets/hsts.conf;
+{% if (nginx_vhost.tls.http_redirect | default(true)) %}
+{% include 'tls-with-redirect.conf.j2' %}
+{% else %}
+{% include 'tls-only.conf.j2' %}
 {% endif %}
-
+{% else %}
+{% include 'no-tls.conf.j2' %}
 {% endif %}
-{% include 'includes/body.j2' %}
-}
diff --git a/roles/nginx/vhost/templates/no-tls.conf.j2 b/roles/nginx/vhost/templates/no-tls.conf.j2
new file mode 100644
index 00000000..317adaec
--- /dev/null
+++ b/roles/nginx/vhost/templates/no-tls.conf.j2
@@ -0,0 +1,17 @@
+server {
+{% for listen in (nginx_vhost.listen | default(['80', '[::]:80'])) %}
+ listen {{ listen }}{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
+{% endfor %}
+ server_name {{ nginx_vhost.hostnames | default(['_']) | join(' ') }};
+
+{% if 'logs' in nginx_vhost %}
+{% if 'access' in nginx_vhost.logs %}
+ access_log {{ nginx_vhost.logs.access }};
+{% endif %}
+{% if 'error' in nginx_vhost.logs %}
+ error_log {{ nginx_vhost.logs.error }};
+{% endif %}
+
+{% endif %}
+{% include 'includes/body.j2' %}
+}
diff --git a/roles/nginx/vhost/templates/tls-only.conf.j2 b/roles/nginx/vhost/templates/tls-only.conf.j2
new file mode 100644
index 00000000..122e2f4f
--- /dev/null
+++ b/roles/nginx/vhost/templates/tls-only.conf.j2
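Review bot: The new `nginx_vhost.tls.http_redirect` switch and the three-way dispatch it drives are undocumented in the template itself; the behaviour is only discoverable by opening the three included files. A short header comment at the top of generic.conf.j2 would close that gap, e.g. `{# no 'tls' key -> plain HTTP vhost (no-tls.conf.j2); 'tls' present -> HTTPS vhost with an HTTP->HTTPS redirect server (tls-with-redirect.conf.j2) unless tls.http_redirect is false (tls-only.conf.j2) #}`. With `http_redirect: false` the rendered config has no port-80 server for these hostnames at all, so if the `acmetool`/`uacme` snippet is what answers http-01 challenges, confirm that validation still works in that mode, or state in the comment that tls-only assumes another port-80 handler.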
@@ -0,0 +1,27 @@
+server {
+{% for listen in (nginx_vhost.tls.listen | default(['443', '[::]:443'])) %}
+ listen {{ listen }} ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
+{% endfor %}
+ server_name {{ nginx_vhost.hostnames | default(['_']) | join(' ') }};
+
+{% if 'logs' in nginx_vhost %}
+{% if 'access' in nginx_vhost.logs %}
+ access_log {{ nginx_vhost.logs.access }};
+{% endif %}
+{% if 'error' in nginx_vhost.logs %}
+ error_log {{ nginx_vhost.logs.error }};
+{% endif %}
+
+{% endif %}
+{% if nginx_vhost.tls.certificate_provider == 'acmetool' or nginx_vhost.tls.certificate_provider == 'uacme' %}
+ include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;
+{% endif %}
+ include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf;
+ ssl_certificate {{ x509_certificate_path_fullchain }};
+ ssl_certificate_key {{ x509_certificate_path_key }};
+{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %}
+ include snippets/hsts.conf;
+{% endif %}
+
+{% include 'includes/body.j2' %}
+}
diff --git a/roles/nginx/vhost/templates/tls-with-redirect.conf.j2 b/roles/nginx/vhost/templates/tls-with-redirect.conf.j2
new file mode 100644
index 00000000..cdf267ab
--- /dev/null
+++ b/roles/nginx/vhost/templates/tls-with-redirect.conf.j2
@@ -0,0 +1,53 @@
+server {
+{% for listen in (nginx_vhost.listen | default(['80', '[::]:80'])) %}
+ listen {{ listen }}{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
+{% endfor %}
+ server_name {{ nginx_vhost.hostnames | default(['_']) | join(' ') }};
+
+{% if 'logs' in nginx_vhost %}
+{% if 'access' in nginx_vhost.logs %}
+ access_log {{ nginx_vhost.logs.access }};
+{% endif %}
+{% if 'error' in nginx_vhost.logs %}
+ error_log {{ nginx_vhost.logs.error }};
+{% endif %}
+
+{% endif %}
+{% if 'tls' in nginx_vhost %}
+{% if nginx_vhost.tls.certificate_provider == 'acmetool' or nginx_vhost.tls.certificate_provider == 'uacme' %}
+ include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;
+
+{% endif %}
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+{% for listen in (nginx_vhost.tls.listen | default(['443', '[::]:443'])) %}
+ listen {{ listen }} ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
+{% endfor %}
+ server_name {{ nginx_vhost.hostnames | default(['_']) | join(' ') }};
+
+{% if 'logs' in nginx_vhost %}
+{% if 'access' in nginx_vhost.logs %}
+ access_log {{ nginx_vhost.logs.access }};
+{% endif %}
+{% if 'error' in nginx_vhost.logs %}
+ error_log {{ nginx_vhost.logs.error }};
+{% endif %}
+
+{% endif %}
+{% if nginx_vhost.tls.certificate_provider == 'acmetool' or nginx_vhost.tls.certificate_provider == 'uacme' %}
+ include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;
+{% endif %}
+ include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf;
+ ssl_certificate {{ x509_certificate_path_fullchain }};
+ ssl_certificate_key {{ x509_certificate_path_key }};
+{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %}
+ include snippets/hsts.conf;
+{% endif %}
+
+{% endif %}
+{% include 'includes/body.j2' %}
+}
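Review bot: The `{% if 'tls' in nginx_vhost %}` guard around the redirect and HTTPS server blocks, with its matching `{% endif %}` just before the body include, is redundant in this file: generic.conf.j2 only reaches tls-with-redirect.conf.j2 from its own `'tls' in nginx_vhost` branch, and if the guard were ever false this file would render a bare plain-HTTP vhost, which is what no-tls.conf.j2 now exists for. Dropping both lines makes the file say what it does; the blob (cdf267ab) is otherwise a verbatim copy of the old generic.conf.j2. Two caveats worth a comment rather than a change here: `return 301 https://$host$request_uri;` reflects the client-supplied Host header, which is fine when `nginx_vhost.hostnames` is set but on the `server_name _` catch-all means the client picks the redirect target; and the `http2` parameter on `listen` is deprecated from nginx 1.25.1 in favour of an `http2 on;` directive, so check which nginx the role targets (the same `listen` form is in tls-only.conf.j2).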
diff --git a/roles/nginx/vhost/templates/tlsonly.conf.j2 b/roles/nginx/vhost/templates/tlsonly.conf.j2
deleted file mode 100644
index 122e2f4f..00000000
--- a/roles/nginx/vhost/templates/tlsonly.conf.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-server {
-{% for listen in (nginx_vhost.tls.listen | default(['443', '[::]:443'])) %}
- listen {{ listen }} ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
-{% endfor %}
- server_name {{ nginx_vhost.hostnames | default(['_']) | join(' ') }};
-
-{% if 'logs' in nginx_vhost %}
-{% if 'access' in nginx_vhost.logs %}
- access_log {{ nginx_vhost.logs.access }};
-{% endif %}
-{% if 'error' in nginx_vhost.logs %}
- error_log {{ nginx_vhost.logs.error }};
-{% endif %}
-
-{% endif %}
-{% if nginx_vhost.tls.certificate_provider == 'acmetool' or nginx_vhost.tls.certificate_provider == 'uacme' %}
- include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;
-{% endif %}
- include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf;
- ssl_certificate {{ x509_certificate_path_fullchain }};
- ssl_certificate_key {{ x509_certificate_path_key }};
-{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %}
- include snippets/hsts.conf;
-{% endif %}
-
-{% include 'includes/body.j2' %}
-}
--
cgit v1.2.3