From 8bc007c7f3a6217fbbb7afb8aeca3abf948ca95b Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Wed, 21 Sep 2016 01:24:27 +0200
Subject: [nginx/conf] Update TLS cert locations
The setup now uses my Kubernetes controller for Let's Encrypt. This changes the nginx certificate locations to match the new secrets.
---
 nginx/conf/http.conf | 21 +++++++++++++++++----
 nginx/conf/main.conf | 8 ++++----
 2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/nginx/conf/http.conf b/nginx/conf/http.conf
index fc287e5f6bc6..c8b7d3d8de00 100644
--- a/nginx/conf/http.conf
+++ b/nginx/conf/http.conf
@@ -16,10 +16,10 @@ server {
 # Redirect for oslo.pub
 server {
- listen 80;
+ listen 80;
 listen 443 ssl;
- server_name oslo.pub *.oslo.pub;
- return 302 https://git.tazj.in/tazjin/pubkartet;
+ server_name oslo.pub *.oslo.pub;
+ return 302 https://git.tazj.in/tazjin/pubkartet;
 }
 # Gogs web interface
@@ -31,10 +31,23 @@ server {
 }
 }
+# tazj.in -> www.tazj.in
+server {
+ listen 443 ssl http2;
+ server_name tazj.in;
+
+ ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem;
+
+ location / {
+ return 301 https://www.tazj.in$request_uri;
+ }
+}
+
 # TazBlog
 server {
 listen 443 ssl http2 default_server;
- server_name www.tazj.in tazj.in default;
+ server_name www.tazj.in default;
 location / {
 proxy_pass http://tazblog-priv.default.svc.cluster.local/;
diff --git a/nginx/conf/main.conf b/nginx/conf/main.conf
index 3607aaf1bfba..5041d1fcaf77 100644
--- a/nginx/conf/main.conf
+++ b/nginx/conf/main.conf
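Review bot: Nothing in this change makes nginx reload when the Let's Encrypt controller renews a secret, and nginx reads `ssl_certificate` / `ssl_certificate_key` files only at start-up or on reload. This applies to the new `tazj.in` server block in nginx/conf/http.conf (second hunk) and equally to the changed default paths in both nginx/conf/main.conf hunks; if a reload is triggered somewhere outside this diff, the config should say so. I would add a comment above the new certificate lines such as `# Mounted from the Let's Encrypt secret; nginx must be reloaded after each renewal`. Separately, the new block declares only `listen 443 ssl http2;`, so whether plain-HTTP requests for tazj.in are redirected depends on a port-80 server that is not visible in this hunk.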
@@ -38,8 +38,8 @@ http {
 access_log /var/log/nginx/access.log logstash;
 # Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
- ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;
- ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;
+ ssl_certificate /etc/nginx/ssl/www.tazj.in/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/www.tazj.in/key.pem;
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security max-age=15768000;
@@ -57,8 +57,8 @@ stream {
 ssl_session_tickets off;
 # Default tazj.in certificate
- ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;
- ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;
+ ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem;
 include /etc/nginx/conf/stream.conf;
 }
-- 
cgit 1.4.1
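Review bot: The `oslo.pub` server in nginx/conf/http.conf listens on `443 ssl` without its own `ssl_certificate`, so it inherits the www.tazj.in certificate that the first main.conf hunk (the `http {` one) sets as the default, even though the comment directly above these lines says certificates need to be overridden for oslo.pub. Unless that certificate also names oslo.pub, HTTPS clients of the redirect get a hostname-mismatch error before the 302 is ever sent. The block needs its own pair, e.g. `ssl_certificate <oslo.pub fullchain path>;` and `ssl_certificate_key <oslo.pub key path>;` (placeholders; the real secret paths are not on this page), or its `listen 443 ssl;` line should be dropped until a certificate exists. The `http {` block starts and ends outside the hunk.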