Add TLS stuff for taiga to ansible

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/taiga/files/taiga-http.nginx

@@ -0,0 +1,10 @@
+server {
+    listen 80 default_server;
+    server_name _;
+
+    large_client_header_buffers 4 32k;
+    client_max_body_size 50M;
+    charset utf-8;
+
+    return 302 https://taiga.fedorainfracloud.org$request_uri;
+}

roles/taiga/files/taiga-ssl.nginx

@@ -0,0 +1,61 @@
+server {
+    listen 443 ssl;
+    server_name taiga.fedorainfracloud.org;
+
+    ssl_certificate /etc/letsencrypt/live/taiga.fedorainfracloud.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/taiga.fedorainfracloud.org/privkey.pem;
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+    # add_header Strict-Transport-Security "max-age=31536000;";
+    ssl_session_cache shared:SSL:20m;
+    ssl_session_timeout 180m;
+    ssl_prefer_server_ciphers on;
+
+    large_client_header_buffers 4 32k;
+    client_max_body_size 50M;
+    charset utf-8;
+    types_hash_max_size 4096;
+
+    # Langdon wanted his project renamed... so we redirect.
+    rewrite ^/project/langdon-modularity/(.*)$ /project/modularity/$1 redirect;
+
+    # Frontend
+    location / {
+        root /home/taiga/taiga-front-dist/dist/;
+        try_files $uri $uri/ /index.html;
+
+        disable_symlinks off;
+    }
+
+    # Backend
+    location /api {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:8001/api;
+        proxy_redirect off;
+    }
+
+    # Django admin access (/admin/)
+    location /admin {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Scheme $scheme;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://127.0.0.1:8001$request_uri;
+        proxy_redirect off;
+    }
+
+    # Static files
+    location /static {
+        alias /home/taiga/taiga-back/static;
+    }
+
+    # Media files
+    location /media {
+        alias /home/taiga/taiga-back/media;
+    }
+}

roles/taiga/tasks/main.yml

@@ -187,11 +187,11 @@
 ### DONE with taiga-front
 
 ### FINALLY, nginx to serve/proxy it all
-- copy: src=taiga.nginx dest=/etc/nginx/conf.d/taiga.conf
+- copy: src=taiga-http.nginx dest=/etc/nginx/conf.d/taiga-http.conf
         mode=0644 owner=nginx group=nginx
   notify: restart nginx
   tags: taiga
-- copy: src=nginx.conf dest=/etc/nginx/nginx.conf
+- copy: src=nginx-ssl.conf dest=/etc/nginx/nginx-ssl.conf
         mode=0644 owner=nginx group=nginx
   notify: restart nginx
   tags: taiga

roles/taiga/templates/conf.json

@@ -1,6 +1,6 @@
 {
-    "api": "http://{{inventory_hostname}}/api/v1/",
-    "eventsUrl": "ws://{{inventory_hostname}}/events",
+    "api": "https://{{inventory_hostname}}/api/v1/",
+    "eventsUrl": "wss://{{inventory_hostname}}/events",
     "debug": true,
     "publicRegisterEnabled": true,
     "feedbackEnabled": true,

roles/taiga/templates/local.py

@@ -1,9 +1,9 @@
 from .common import *
 
-MEDIA_URL = "http://{{ inventory_hostname }}/media/"
-STATIC_URL = "http://{{ inventory_hostname }}/static/"
-ADMIN_MEDIA_PREFIX = "http://{{ inventory_hostname }}/static/admin/"
-SITES["front"]["scheme"] = "http"
+MEDIA_URL = "https://{{ inventory_hostname }}/media/"
+STATIC_URL = "https://{{ inventory_hostname }}/static/"
+ADMIN_MEDIA_PREFIX = "https://{{ inventory_hostname }}/static/admin/"
+SITES["front"]["scheme"] = "https"
 SITES["front"]["domain"] = "{{ inventory_hostname }}"
 
 SECRET_KEY = "{{ taiga_secret_key }}"