From eff416820026c1d763eb613fbe102db93decdf5a Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Wed, 18 Dec 2024 11:31:52 +0100
Subject: [PATCH] I'm not a teapot!
---
 provision.yml | 1 +
 roles/website-host/tasks/main.yml | 31 ++++++++++++++++++++
 roles/website-host/templates/nginx.conf.j2 | 34 ++++++++++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 roles/website-host/tasks/main.yml
 create mode 100644 roles/website-host/templates/nginx.conf.j2
diff --git a/provision.yml b/provision.yml
index 98349657..f0fa6cf6 100644
--- a/provision.yml
+++ b/provision.yml
@@ -183,6 +183,7 @@
 tasks:
 - { name: "version", import_tasks: "tasks/versions.yml", tags: ["common"] }
 roles:
+ - { role: "website-host", tags: ["bhr13","website"] }
 - { role: "demo-sp", tags: ["bhr13","demo-sp"] }
 - { role: "test-idp", tags: ["bhr13","test-idp"] }
 - { role: "surfstar-idp", tags: ["bhr13","surfstar-idp"] }
diff --git a/roles/website-host/tasks/main.yml b/roles/website-host/tasks/main.yml
new file mode 100644
index 00000000..0e00aee4
--- /dev/null
+++ b/roles/website-host/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+#########################################################
+## nginx
+#########################################################
+- include_role:
+ name: "nginx"
+
+- include_role:
+ name: "letsencrypt"
+ public: true
+ vars:
+ letsencrypt_staging: false
+ letsencrypt_hosts:
+ - "{{ ansible_fqdn }}"
+
+- name: Install nginx config
+ template:
+ src: "nginx.conf.j2"
+ dest: "/etc/nginx/sites-enabled/01-sram-{{ ansible_fqdn }}.conf"
+ notify: "restart nginx"
+
+- name: Restart nginx after certificate rollover
+ copy:
+ content: |
+ #!/bin/sh
+ echo "restarting nginx"
+ /usr/bin/systemctl reload nginx.service
+ exit 0
+ dest: "{{ letsencrypt_hooks }}/sram-{{ ansible_fqdn }}-nginx.sh"
+ mode: "0755"
+
diff --git a/roles/website-host/templates/nginx.conf.j2 b/roles/website-host/templates/nginx.conf.j2
new file mode 100644
index 00000000..6098ba35
--- /dev/null
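Review bot: The hook script written by the `Restart nginx after certificate rollover` task ends with `exit 0`, so a failed `systemctl reload nginx.service` is reported as success and nginx would keep serving the old certificate without the renewal run noticing; whether the letsencrypt role acts on hook exit codes is not visible here, but the script should not hide the failure. Replacing the script body with `set -e` followed by `exec /usr/bin/systemctl reload nginx.service` (and dropping `exit 0`) lets the real exit status through. The task name and the echo say "restart" while the command is a `reload`; renaming to `- name: Reload nginx after certificate rollover` keeps the play output honest. The two `include_role` tasks carry no `name:`, which makes the play log hard to follow; `- name: Install nginx` and `- name: Obtain a certificate for this host` would do.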
+++ b/roles/website-host/templates/nginx.conf.j2
@@ -0,0 +1,34 @@
+server {
+ listen 80;
+ server_name {{ ansible_fqdn }};
+
+{% if letsencrypt_challenge_dir is defined %}
+ location /.well-known/acme-challenge {
+ alias {{ letsencrypt_challenge_dir }}/.well-known/acme-challenge;
+ }
+{% endif %}
+
+ location / {
+ rewrite ^(.*) https://{{ ansible_fqdn }}/$1 permanent;
+ }
+}
+
+
+server {
+ listen 443 ssl http2;
+ server_name demo-sp.sram.surf.nl;
+
+ ssl_certificate {{ letsencrypt_cert_dir }}/{{ ansible_fqdn }}/fullchain.pem;
+ ssl_certificate_key {{ letsencrypt_cert_dir }}/{{ ansible_fqdn }}/privkey.pem;
+ ssl_protocols TLSv1.3;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ include security_headers;
+
+ location / {
+ return 418 "Congratulations, you have found the coffee pot!";
+ }
+
+}
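Review bot: The TLS server block sets `server_name demo-sp.sram.surf.nl;` while its certificate paths, the HTTP-to-HTTPS redirect and the config file name are all keyed on `{{ ansible_fqdn }}`, so on a host whose FQDN differs this vhost is only reached as nginx's default server (if at all) and may then present a certificate whose name does not match the request; it reads like a leftover from the demo-sp role and should be `server_name {{ ansible_fqdn }};`. The redirect `rewrite ^(.*) https://{{ ansible_fqdn }}/$1 permanent;` captures the leading slash of the URI, producing `https://host//path`; `return 301 https://{{ ansible_fqdn }}$request_uri;` keeps path and query string intact without the doubled slash. `ssl_stapling on;` appears without a `resolver` directive, which nginx needs to fetch OCSP responses unless one is set in the included or global config — worth confirming, since otherwise stapling silently does nothing. `listen 443 ssl http2;` uses the listen-parameter form of http2, which newer nginx releases deprecate in favour of a separate `http2 on;` directive; fine if the target nginx is older, but worth noting for upgrades.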