bundles/nginx: only redirect to ssl for sites which actually have ssl enabled

bundles/nginx/files/port80.conf

@@ -4,11 +4,6 @@ server {
     server_name  _;
 
     location / {
-        return 308 https://$host$request_uri;
+        return 404;
     }
-% if needs_le:
-    location /.well-known/acme-challenge/ {
-        alias /var/lib/dehydrated/acme-challenges/;
-    }
-% endif
 }

bundles/nginx/files/site_template

@@ -7,7 +7,30 @@ server {
     root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
     index ${' '.join(index)};
 
+    listen       80;
+    listen       [::]:80;
+
 % if ssl:
+    location / {
+        return 308 https://$host$request_uri;
+    }
+
+%   if ssl == 'letsencrypt':
+    location /.well-known/acme-challenge/ {
+        alias /var/lib/dehydrated/acme-challenges/;
+    }
+%   endif
+}
+
+server {
+%   if domain_aliases:
+    server_name ${domain} ${' '.join(sorted(domain_aliases))};
+%   else:
+    server_name ${domain};
+%   endif
+    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
+    index ${' '.join(index)};
+
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
 
@@ -26,9 +49,6 @@ server {
     ssl_session_tickets off;
 
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-% else:
-    listen 80;
-    listen [::]:80;
 % endif
 
     resolver 8.8.8.8 8.8.4.4 valid=300s;

bundles/nginx/items.py

@@ -32,6 +32,12 @@ files = {
             'svc_systemd:nginx:restart',
         },
     },
+    '/etc/nginx/sites/000-port80.conf': {
+        'source': 'port80.conf',
+        'triggers': {
+            'svc_systemd:nginx:restart',
+        },
+    },
     '/usr/local/share/icinga/plugins/check_nginx_status': {
         'mode': '0755',
     },
@@ -53,8 +59,6 @@ svc_systemd = {
     },
 }
 
-install_port80_redirect = False
-port80_has_letsencrypt = False
 for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
     if not 'domain' in config:
         config['domain'] = vhost
@@ -90,8 +94,6 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
     if config.get('ssl', 'letsencrypt') == 'letsencrypt':
         files[f'/etc/nginx/sites/{vhost}']['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
         files[f'/etc/nginx/sites/{vhost}']['needed_by'].add('action:letsencrypt_update_certificates')
-        port80_has_letsencrypt = True
-        install_port80_redirect = True
 
     elif config.get('ssl', 'letsencrypt'):
         files[f'/etc/nginx/ssl/{vhost}.crt'] = {
@@ -122,16 +124,3 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
 
         files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.crt')
         files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.key')
-        install_port80_redirect = True
-
-if install_port80_redirect:
-    files['/etc/nginx/sites/000-port80.conf'] = {
-        'source': 'port80.conf',
-        'content_type': 'mako',
-        'context': {
-            'needs_le': port80_has_letsencrypt,
-        },
-        'triggers': {
-            'svc_systemd:nginx:restart',
-        },
-    }