From 3523edbcb46b9b7b08338dc2b23f2853dbc4be43 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 1 Jun 2020 11:16:22 +0200
Subject: [PATCH] bundles/nginx: ensure we're doing letsencrypt, since we're enforcing ssl
---
 bundles/nginx/files/site_template | 4 ++++
 bundles/nginx/items.py | 5 +++++
 2 files changed, 9 insertions(+)
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index 3c3064c..eef9968 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -19,6 +19,10 @@ server {
 add_header Strict-Transport-Security "max-age=31104000; preload";
 add_header X-Frame-Options "DENY";
+ location /.well-known/acme-challenge/ {
+ alias /var/lib/dehydrated/acme-challenges/;
+ }
+
 % if extras:
 <%include file="extras/${node.name}/${domain}" />
 % endif
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index 947a651..9408d9f 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@@ -1,3 +1,8 @@
+# TODO rework this to support specifying a certificate instead of
+# relying on letsencrypt for the specific domain (for example to
+# support wildcard certificates
+assert node.has_bundle('letsencrypt'), 'nginx needs letsencrypt'
+
 files = {
 '/etc/nginx/nginx.conf': {
 'content_type': 'mako',
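Review bot: The added `location /.well-known/acme-challenge/` is a plain prefix match, so any regex location brought in by the `extras` include right below it (a dot-path deny rule such as `location ~ /\.` is a common one) would win and silently break certificate renewal. Writing it as `location ^~ /.well-known/acme-challenge/ {` stops regex locations from being considered for this prefix. The neighbouring `Strict-Transport-Security` header suggests this is the TLS server block; HTTP-01 validation starts on port 80, and whether the port-80 block serves or redirects this path is not visible here, so that is worth confirming. With a long `max-age` and `preload`, a failed renewal leaves browsers unable to reach the site at all. The `server` block starts and ends outside the hunk.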
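Review bot: The guard at the top of `items.py` is an `assert`, which Python strips when run with `-O`, so the check can vanish and nginx would be deployed with TLS enforced but nothing provisioning the certificates. An explicit raise keeps it in every run mode: `if not node.has_bundle('letsencrypt'): raise BundleError('{}: nginx needs letsencrypt'.format(node.name))`, with `BundleError` imported from `bundlewrap.exceptions`. Putting the node name in the message also tells the operator which node is misconfigured. The check only proves the bundle is attached, not that each vhost domain is actually requested from letsencrypt; if that mapping lives in metadata, a per-domain check would be stronger. The TODO comment is also missing its closing parenthesis after `wildcard certificates`.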