From 30d22895d483fbeb954492b28c530dc450e24e03 Mon Sep 17 00:00:00 2001
From: JOLIMAITRE Matthieu
Date: Sun, 4 Feb 2024 15:01:51 +0100
Subject: [PATCH] add tls to nginx redirections

---
 instance/src/lib.ts | 2 +-
 instance/src/lib/nginx.ts | 99 +++++++++++++++++++++++++++++++++++----
 2 files changed, 92 insertions(+), 9 deletions(-)

diff --git a/instance/src/lib.ts b/instance/src/lib.ts
index d677807..b0f6e17 100644
--- a/instance/src/lib.ts
+++ b/instance/src/lib.ts
@@ -114,7 +114,7 @@ export class Runner {
 const sites = new Set();
 for (const redir of this.config.redirections) {
 if (redir.kind !== "http") continue;
- await this.nginx.add_proxy(redir.domain, redir.port, paths.sites);
+ await this.nginx.add_proxy(redir.domain, redir.port, paths.sites, redir.tls);
 sites.add(redir.domain);
 }
 for await (const domains of this.nginx.read_all_in_dir(paths.sites)) {
diff --git a/instance/src/lib/nginx.ts b/instance/src/lib/nginx.ts
index 52c6892..7a52162 100644
--- a/instance/src/lib/nginx.ts
+++ b/instance/src/lib/nginx.ts
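Review bot: With `redir.tls` set, `add_proxy` now also runs certbot, so a single domain whose issuance fails will throw out of this loop and leave every later redirection unprovisioned and absent from `sites`. Consider isolating each iteration, `try { await this.nginx.add_proxy(redir.domain, redir.port, paths.sites, redir.tls); sites.add(redir.domain); } catch (e: unknown) { /* log domain + error, continue */ }`, so one failed certificate does not block the rest of the instance. Whether `tls` is a required field of the redirection type is not visible here; if it is optional, an absent value silently means plain HTTP, which may be worth stating in the config schema. The enclosing method starts and ends outside the hunk.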
@@ -10,15 +10,52 @@ export class NginxController {
 this.enabled_conf_dir = enabled_conf_dir;
 }
 
- public async add_proxy(domain: string, port: number, conf_dir: string) {
+ /*
+server {
+ server_name barnulf.net;
+ location / {
+ proxy_pass http://barnulf.net:8051;
+ }
+
+ listen [::]:443 ssl ipv6only=on; # managed by Certbot
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/barnulf.net/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/barnulf.net/privkey.pem; # managed by Certbot
+
+}
+ */
+
+ public async add_proxy(domain: string, port: number, conf_dir: string, tls: boolean) {
+ const conf_file_path = await this.set_http_config(domain, port, conf_dir);
+ await this.reload();
+ if (tls) {
+ await this.gen_cert(domain);
+ await this.set_https_config(domain, port, conf_dir);
+ await this.reload();
+ }
+ return conf_file_path;
+ }
+
+ private async set_https_config(domain: string, port: number, conf_dir: string) {
 const conf_file_content = `
 server {
- listen 80;
- listen [::]:80;
- server_name ${domain};
- location / {
- proxy_pass http://${this.proxy_target_domain}:${port};
- }
+ listen 80;
+ listen [::]:80;
+ server_name ${domain};
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name ${domain};
+ ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+ location / {
+ proxy_pass http://${this.proxy_target_domain}:${port};
+ }
 }
 `;
 const conf_file_path = path.join(conf_dir, domain + ".conf");
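Review bot: `set_https_config` interpolates `domain` unescaped into the generated nginx config (`server_name`, the `ssl_certificate` and `ssl_certificate_key` paths) and it is also used to build the `.conf` file name, so a value containing `;`, whitespace, a newline or `..` would inject directives or write outside the config directories; the same applies to `set_http_config` in the next hunk, and the value is additionally passed to certbot as `-d`. Where `domain` originates is not visible here, but since it is used as config text, as a filesystem path and as a command argument, validate it once at the top of `add_proxy`, e.g. `if (!/^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/i.test(domain)) throw new Error(\`invalid domain: ${domain}\`);`. The block comment with the `barnulf.net` sample config above `add_proxy`, like the one appended at the end of the file in the last hunk, reads as scratch notes; either drop them or replace them with a one-line TSDoc on `set_https_config` stating that the generated file mirrors the layout certbot's nginx plugin produces. `add_proxy` also calls `reload()` twice per TLS domain, and `reload()` is `systemctl restart nginx` (visible as context in the next hunk), so every TLS-enabled provisioning drops live connections twice; a `systemctl reload nginx` in `reload()` would avoid that.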
@@ -26,10 +63,39 @@ server {
 await Deno.writeTextFile(conf_file_path, conf_file_content);
 if (await exists(enabled_conf_file_path)) await Deno.remove(enabled_conf_file_path);
 await run("ln", "-s", await Deno.realPath(conf_file_path), enabled_conf_file_path);
- await this.reload();
 return conf_file_path;
 }
 
+ private async set_http_config(domain: string, port: number, conf_dir: string) {
+ const conf_file_content = `
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ${domain};
+ location / {
+ proxy_pass http://${this.proxy_target_domain}:${port};
+ }
+}
+`;
+ const conf_file_path = path.join(conf_dir, domain + ".conf");
+ const enabled_conf_file_path = path.join(this.enabled_conf_dir, domain + ".conf");
+ await Deno.writeTextFile(conf_file_path, conf_file_content);
+ if (await exists(enabled_conf_file_path)) await Deno.remove(enabled_conf_file_path);
+ await run("ln", "-s", await Deno.realPath(conf_file_path), enabled_conf_file_path);
+ return conf_file_path;
+ }
+
+ private async gen_cert(domain: string) {
+ await run(
+ "certbot",
+ "--nginx",
+ ...["-d", domain],
+ "--non-interactive",
+ "--agree-tos",
+ ...["--email", "matthieu@imagevo.fr"],
+ );
+ }
+
 public async remove_proxy(domain: string, conf_dir: string) {
 const conf_file_path = path.join(conf_dir, domain + ".conf");
 const enabled_conf_file_path = path.join(this.enabled_conf_dir, domain + ".conf");
@@ -50,3 +116,20 @@ server {
 await run("systemctl", "restart", "nginx");
 }
 }
+
+/*
+server {
+ if ($host = barnulf.net) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+ listen [::]:80;
+ server_name barnulf.net;
+ return 404; # managed by Certbot
+
+
+}
+
+*/
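Review bot: `gen_cert` hard-codes the ACME account email `matthieu@imagevo.fr`, which ties every deployment's Let's Encrypt account and its expiry notices to one person; take it from the controller's configuration instead, e.g. a `certbot_email: string` constructor field passed as `...["--email", this.certbot_email]`. The call also uses the `--nginx` installer, which edits the enabled config in place and reloads nginx itself, only for `set_https_config` to overwrite that file a moment later; if this class is meant to own the config, `certbot certonly --nginx -d …` obtains the certificate without certbot touching the file. Because `add_proxy` invokes `gen_cert` unconditionally whenever `tls` is set, every run of the caller's provisioning loop re-invokes certbot for every TLS domain, a slow network-dependent step whose behaviour against an already-issued certificate is worth confirming; checking for an existing `/etc/letsencrypt/live/${domain}/fullchain.pem` before calling certbot would make the method idempotent. Finally, `set_http_config` repeats the write-remove-symlink tail of `set_https_config` verbatim; a private `write_and_enable(domain, conf_dir, content)` helper would leave a single place to fix, and `ln -sf` would replace the `exists`/`remove`/`ln` sequence, which otherwise races with anything else touching `enabled_conf_dir`.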