From 70a27ec79c75afe6323145aca331859825526a8e Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 30 Jul 2024 00:14:09 +0200
Subject: [PATCH] light: use new combined cert and make server reachable over v6

The server being reachable over v6 is needed for the new method of getting the cert directly via http challenge over v6.
---
 inventories/z9/host_vars/light.yaml | 6 +-
 .../z9/configs/light/nginx/http_handler.conf | 2 +-
 .../nginx/light-werkstatt.ccchh.net.conf | 25 -------
 .../configs/light/nginx/light.ccchh.net.conf | 25 -------
 .../files/z9/configs/light/nginx/light.conf | 65 +++++++++++++++++++
 5 files changed, 68 insertions(+), 55 deletions(-)
 delete mode 100644 playbooks/files/z9/configs/light/nginx/light-werkstatt.ccchh.net.conf
 delete mode 100644 playbooks/files/z9/configs/light/nginx/light.ccchh.net.conf
 create mode 100644 playbooks/files/z9/configs/light/nginx/light.conf

diff --git a/inventories/z9/host_vars/light.yaml b/inventories/z9/host_vars/light.yaml
index 9c7c3c1..d476663 100644
--- a/inventories/z9/host_vars/light.yaml
+++ b/inventories/z9/host_vars/light.yaml
@@ -53,9 +53,7 @@ ola__configs:
 nginx__version_spec: ""
 nginx__deploy_redirect_conf: false
 nginx__configurations:
- - name: light.ccchh.net
- content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/light.ccchh.net.conf') }}"
- - name: light-werkstatt.ccchh.net
- content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/light-werkstatt.ccchh.net.conf') }}"
+ - name: light
+ content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/light.conf') }}"
 - name: http_handler
 content: "{{ lookup('ansible.builtin.file', 'z9/configs/light/nginx/http_handler.conf') }}"
diff --git a/playbooks/files/z9/configs/light/nginx/http_handler.conf b/playbooks/files/z9/configs/light/nginx/http_handler.conf
index 2dcf7d9..d9b336c 100644
--- a/playbooks/files/z9/configs/light/nginx/http_handler.conf
+++ b/playbooks/files/z9/configs/light/nginx/http_handler.conf
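Review bot: Dropping the `light.ccchh.net` and `light-werkstatt.ccchh.net` entries from `nginx__configurations` stops deploying them but, unless the nginx role removes configurations that are no longer listed, leaves the old files on the host beside the new `light` config. Then every name is defined twice (nginx warns about the conflicting server name and keeps the first match) and, once the per-name directories under `/etc/letsencrypt/live/` go away, the stale `ssl_certificate` paths make `nginx -t` fail and block every later reload. If the role does not purge, add a removal task for the two old files or at least record the expectation next to the entry: `# replaces light.ccchh.net / light-werkstatt.ccchh.net; remove those configs from the host when deploying`. The surrounding variable block continues outside the hunk.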
@@ -1,6 +1,6 @@
 server {
 listen 80 default_server;
- #listen [::]:80 default_server;
+ listen [::]:80 default_server;
 server_name _;
 
 location /.well-known/acme-challenge/ {
diff --git a/playbooks/files/z9/configs/light/nginx/light-werkstatt.ccchh.net.conf b/playbooks/files/z9/configs/light/nginx/light-werkstatt.ccchh.net.conf
deleted file mode 100644
index 2507172..0000000
--- a/playbooks/files/z9/configs/light/nginx/light-werkstatt.ccchh.net.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
-server {
- listen 443 ssl http2;
- #listen [::]:443 ssl http2;
-
- server_name light-werkstatt.ccchh.net;
-
- ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem;
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem;
-
- # replace with the IP address of your resolver
- resolver 10.31.208.1;
-
- location / {
- proxy_pass http://127.0.0.1:8081;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # This is https in any case.
- proxy_set_header X-Forwarded-Proto https;
- }
-}
diff --git a/playbooks/files/z9/configs/light/nginx/light.ccchh.net.conf b/playbooks/files/z9/configs/light/nginx/light.ccchh.net.conf
deleted file mode 100644
index 31ce288..0000000
--- a/playbooks/files/z9/configs/light/nginx/light.ccchh.net.conf
+++ /dev/null
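Review bot: Enabling `listen [::]:80 default_server` makes this catch-all server the v6 endpoint for every name that resolves to the host, not just for the ACME path shown here; the rest of the block, which decides what requests outside `/.well-known/acme-challenge/` receive (presumably a redirect to https), lies beyond the hunk, so confirm it does not serve or proxy plain-HTTP content that was so far unreachable over v6. Because the commit relies on HTTP-01 validation over v6, also check that the host firewall and any upstream v6 filtering admit inbound TCP/80; otherwise the failure only shows up at renewal time. A short comment would keep the next reader from commenting the line out again: `listen [::]:80 default_server; # must stay on: HTTP-01 challenges are answered over v6`. The `server` block continues outside the hunk.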
@@ -1,25 +0,0 @@
-# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
-server {
- listen 443 ssl http2;
- #listen [::]:443 ssl http2;
-
- server_name light.ccchh.net;
-
- ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
-
- # replace with the IP address of your resolver
- resolver 10.31.208.1;
-
- location / {
- proxy_pass http://127.0.0.1:8080;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # This is https in any case.
- proxy_set_header X-Forwarded-Proto https;
- }
-}
diff --git a/playbooks/files/z9/configs/light/nginx/light.conf b/playbooks/files/z9/configs/light/nginx/light.conf
new file mode 100644
index 0000000..9f70cf8
--- /dev/null
+++ b/playbooks/files/z9/configs/light/nginx/light.conf
@@ -0,0 +1,65 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name light-werkstatt.ccchh.net;
+
+ ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+
+ # replace with the IP address of your resolver
+ resolver 10.31.208.1;
+
+ location / {
+ proxy_pass http://127.0.0.1:8081;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name light.z9.ccchh.net ;
+
+ ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+
+ location / {
+ return 307 https://light.ccchh.net$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name light.ccchh.net;
+
+ ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+
+ # replace with the IP address of your resolver
+ resolver 10.31.208.1;
+
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ }
+}
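Review bot: None of the three `listen 443` servers is marked `default_server`, so a TLS client that sends no SNI or an unknown name (connections by IP, scanners, a stale DNS record) lands in the first block, the `light-werkstatt.ccchh.net` proxy to `127.0.0.1:8081`, presented with the `light.ccchh.net` certificate. An explicit catch-all that refuses the handshake keeps unintended names off the backends; `ssl_reject_handshake` needs nginx 1.19.4 or later (the header comment names 1.17.7, but it is a generator note from 2022, so check the installed version), and on older versions `return 444;` with a placeholder certificate does the job. The `light.z9.ccchh.net` block is also the only one without a `resolver`; if `ssl_stapling` is enabled at the `http` level (not visible here) nginx will warn that it cannot resolve the OCSP responder for that name, and `light.z9.ccchh.net ;` carries a stray space before the semicolon. All three blocks use the single certificate under `/etc/letsencrypt/live/light.ccchh.net/`, so it must carry SANs for all three names, which cannot be checked from here — verify with `openssl x509 -in fullchain.pem -noout -ext subjectAltName` after the first issuance.
```nginx
# … unchanged: the three existing server blocks …

# Catch-all for TLS connections without SNI or with a name not served
# above: refuse the handshake instead of falling through to the first
# server block. Needs nginx >= 1.19.4; otherwise use "return 444;"
# with a placeholder certificate.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}
```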