From 74d81eb7ba12ce187f9726dad05d5d14ae4cf252 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 14:25:27 +0100 Subject: [PATCH] bundles/nginx: support disabling ssl for each vhost individually --- bundles/nginx/files/site_template | 4 ++-- bundles/nginx/items.py | 15 +++++++++------ bundles/nginx/metadata.py | 13 ++++++++++--- nodes/home/octoprint-vielschichtigkeit.py | 2 +- nodes/home/router.py | 6 +++++- 5 files changed, 27 insertions(+), 13 deletions(-) diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index 5853cfb..9bbea3d 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template @@ -7,7 +7,7 @@ server { root ${webroot if webroot else '/var/www/{}/'.format(vhost)}; index ${' '.join(index)}; -% if node.metadata['nginx']['use_ssl_for_all_connections']: +% if ssl: listen 443 ssl http2; listen [::]:443 ssl http2; @@ -52,7 +52,7 @@ server { proxy_set_header Upgrade $http_upgrade; % endif proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -% if node.metadata['nginx']['use_ssl_for_all_connections']: +% if ssl: proxy_set_header X-Forwarded-Proto HTTPS; % endif proxy_set_header X-Forwarded-Host ${domain}; diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index 558eeb5..64ec620 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py 
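Review bot: Both site_template hunks (`@@ -7,7 +7,7` and `@@ -52,7 +52,7`) now test a bare template name `ssl` that must come from the file item's `context`, and none of the items.py hunks in this patch shows that key being added, so confirm the item passes something like `'ssl': config.get('ssl', 'letsencrypt')`. If the name is missing and the template is not rendered with `strict_undefined`, Mako's `Undefined` is falsy, so every vhost would silently take the non-`ssl` branch — no `listen 443 ssl http2` and no `X-Forwarded-Proto HTTPS` header — rather than failing the build. A header comment on the template stating the contract would help the next reader, e.g. `## context 'ssl': False serves this vhost over plain HTTP; any other value (default 'letsencrypt') enables TLS`.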
@@ -47,12 +47,15 @@ svc_systemd = { }, } -if node.metadata['nginx']['use_ssl_for_all_connections']: - # TODO rework this to support specifying a certificate instead of - # relying on letsencrypt for the specific domain (for example to - # support wildcard certificates - assert node.has_bundle('letsencrypt'), 'nginx needs letsencrypt' +# Always redirect all traffic to HTTPS, except if there is only one +# vhost and this vhost has ssl disabled. +install_port80_redirect = True +if len(node.metadata.get('nginx/vhosts', {})) == 1: + vhost_name = list(node.metadata['nginx']['vhosts'].keys())[0] + if node.metadata.get('nginx/vhosts/{}/ssl'.format(vhost_name), 'letsencrypt') == False: + install_port80_redirect = False +if install_port80_redirect: files['/etc/nginx/sites/000-port80.conf'] = { 'source': 'port80.conf', 'triggers': { @@ -88,5 +91,5 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items(): directories['/var/www/{}'.format(vhost)].update(config.get('webroot_config', {})) - if node.metadata['nginx']['use_ssl_for_all_connections']: + if config.get('ssl', 'letsencrypt') == 'letsencrypt': files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain'])) diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index 8ec7262..0b7e73b 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py @@ -30,7 +30,6 @@ defaults = { }, 'nginx': { 'worker_connections': 768, - 'use_ssl_for_all_connections': True, }, } 
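Review bot: The `== False` test in the single-vhost branch uses a different predicate from the rest of the patch: the second items.py hunk treats `config.get('ssl', 'letsencrypt') == 'letsencrypt'` as TLS-enabled and metadata.py tests `vconfig['ssl']` for truthiness, so a value such as `None` disables TLS in the template and monitoring paths while the port-80 redirect is still installed here. Pick one predicate and use it everywhere, e.g. `if not node.metadata.get('nginx/vhosts/{}/ssl'.format(vhost_name), 'letsencrypt'):`, or `is False` if `False` is meant to be the only sentinel. The comment introducing the branch should also state the limitation it implies: with two or more vhosts, one of which has `ssl: False`, `000-port80.conf` is still installed next to that vhost's own port-80 server block, and which one answers depends on `port80.conf`, which is outside this patch.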
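Review bot: The `needs` edge on `action:letsencrypt_ensure-some-certificate_...` is still added for every vhost whose `ssl` is unset or `'letsencrypt'`, but the `assert node.has_bundle('letsencrypt')` removed in the first hunk is not replaced, so a node with nginx and no letsencrypt bundle now fails on an unresolvable dependency instead of the old explicit message. Restoring the check inside this branch, `assert node.has_bundle('letsencrypt'), 'nginx vhost {} needs letsencrypt'.format(vhost)`, keeps the failure clear and per-vhost. The enclosing `for vhost, config in ...` loop starts outside the hunk.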
@@ -49,16 +48,21 @@ def worker_processes(metadata): @metadata_reactor.provides( 'letsencrypt/domains', 'letsencrypt/reload_after', + 'nginx/vhosts', ) def letsencrypt(metadata): if not node.has_bundle('letsencrypt'): raise DoNotRunAgain domains = {} + vhosts = {} for vhost, config in metadata.get('nginx/vhosts', {}).items(): domain = config.get('domain', vhost) domains[domain] = config.get('domain_aliases', set()) + vhosts[vhost] = { + 'ssl': 'letsencrypt', + } return { 'letsencrypt': { @@ -67,6 +71,9 @@ def letsencrypt(metadata): 'nginx', }, }, + 'nginx': { + 'vhosts': vhosts, + }, } @@ -105,7 +112,7 @@ def monitoring(metadata): for vname, vconfig in metadata.get('nginx/vhosts', {}).items(): domain = vconfig.get('domain', vname) - if metadata.get('nginx/use_ssl_for_all_connections'): + if vconfig['ssl']: scheme = 'https' else: scheme = 'http' @@ -118,7 +125,7 @@ def monitoring(metadata): 'vars.notification.sms': True, } - if vconfig.get('check_ssl', metadata.get('nginx/use_ssl_for_all_connections')): + if vconfig.get('check_ssl', vconfig['ssl']): services['NGINX VHOST {} CERTIFICATE'.format(vname)] = { 'check_command': 'check_https_cert_at_url', 'vars.domain': domain, diff --git a/nodes/home/octoprint-vielschichtigkeit.py b/nodes/home/octoprint-vielschichtigkeit.py index feff37c..201d830 100644 --- a/nodes/home/octoprint-vielschichtigkeit.py +++ b/nodes/home/octoprint-vielschichtigkeit.py @@ -22,12 +22,12 @@ nodes['home.octoprint-vielschichtigkeit'] = { 'server': '172.19.138.20:22', }, 'nginx': { - 'use_ssl_for_all_connections': False, 'vhosts': { 'octoprint': { 'domain': 'vielschichtigkeit.franzi-home.kunbox.net', 'do_not_set_content_security_headers': True, 'extras': True, + 'ssl': False, 'proxy': { '/': { 'target': 'http://[::1]:22030/', diff --git a/nodes/home/router.py b/nodes/home/router.py index 50c2d26..d48b4aa 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
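Review bot: `domains[domain] = config.get('domain_aliases', set())` still registers every vhost with letsencrypt regardless of the new per-vhost `ssl` value, so a vhost declared with `'ssl': False` (as the octoprint and router nodes in this patch do) still has a certificate requested for its domain while nothing serves it over TLS. Gate it on the predicate items.py uses: `if config.get('ssl', 'letsencrypt') == 'letsencrypt':` before the `domains[domain]` assignment. The `'ssl': 'letsencrypt'` default emitted here (and returned under `'nginx'` in the `@@ -67,6 +71,9` hunk) only works if static node metadata such as `'ssl': False` takes precedence over reactor output in the merge, and the reactor now both reads and provides `nginx/vhosts`; confirm both are accepted by the bundlewrap version in use. Note also that because the reactor bails out with `DoNotRunAgain` when the letsencrypt bundle is absent, the `ssl` default is never populated on such nodes, so other readers of `nginx/vhosts/*/ssl` cannot rely on the key existing.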
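Review bot: `vconfig['ssl']` indexes a key that is only populated by the `letsencrypt` reactor, which raises `DoNotRunAgain` when that bundle is absent, so on such a node any vhost without an explicit `'ssl'` entry makes this reactor fail with `KeyError`. The same direct index is used as the `check_ssl` default in the next hunk (`@@ -118,7 +125,7`). Use the fallback items.py uses in both places: `if vconfig.get('ssl', 'letsencrypt'):` and `vconfig.get('check_ssl', vconfig.get('ssl', 'letsencrypt'))`. The `monitoring` reactor's definition starts outside the hunk.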
@@ -105,10 +105,14 @@ nodes['home.router'] = { }, }, 'nginx': { - 'use_ssl_for_all_connections': False, 'restrict-to': { '172.19.136.0/22', }, + 'vhosts': { + 'vnstat': { + 'ssl': False, + }, + }, }, 'openvpn-client': { 'configs': {