bundles/ssl: support using a preexisting ssl certificate

bundles/nginx/files/port80.conf

@@ -6,8 +6,9 @@ server {
     location / {
         return 308 https://$host$request_uri;
     }
-
+% if needs_le:
     location /.well-known/acme-challenge/ {
         alias /var/lib/dehydrated/acme-challenges/;
     }
+% endif
 }

bundles/nginx/files/site_template

@@ -11,9 +11,13 @@ server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
 
-    ssl_trusted_certificate /var/lib/dehydrated/certs/${domain}/chain.pem;
+% if ssl == 'letsencrypt':
     ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
     ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
+% else:
+    ssl_certificate /etc/nginx/ssl/${vhost}.crt;
+    ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
+% endif
     ssl_dhparam /etc/ssl/certs/dhparam.pem;
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

bundles/nginx/files/ssl_template

@@ -0,0 +1,6 @@
+<%
+    from os.path import isfile, join
+%><%include file="ssl/${domain}.crt.pem"/>
+% if isfile(join(repo.path, 'data', 'ssl', f'{domain}.crt_intermediate.pem')):
+<%include file="ssl/${domain}.crt_intermediate.pem"/>
+% endif