From 84b7017504a2074547b6832ddba7b63d4f83bfac Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Mon, 9 Jun 2025 19:46:00 +0200
Subject: [PATCH] wip
---
 bundles/nginx/files/nginx.conf | 2 +-
 bundles/nginx/items.py | 19 ++++++++++++++++---
 data/yourls/vhost.conf | 15 +++++++++++++--
 3 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf
index 20fef48..ef45635 100644
--- a/bundles/nginx/files/nginx.conf
+++ b/bundles/nginx/files/nginx.conf
@@ -39,5 +39,5 @@ http {
 }
 % endif
 
- include /etc/nginx/sites/*;
+ include /etc/nginx/sites-enabled/*;
 }
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index f94feb5..5f80b74 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@@ -9,7 +9,7 @@ directories = {
 'svc_systemd:nginx:restart',
 },
 },
- '/etc/nginx/sites': {
+ '/etc/nginx/sites-available': {
 'purge': True,
 'triggers': {
 'svc_systemd:nginx:restart',
@@ -25,6 +25,13 @@ directories = {
 'purge': True,
 'owner': 'www-data',
 },
+
+ # temp
+ '/var/www/certbot': {
+ 'owner': 'www-data',
+ 'group': 'www-data',
+ 'mode': '0755',
+ }
 }
 
 files = {
@@ -76,6 +83,12 @@ files = {
 },
 }
 
+symlinks = {
+ '/etc/nginx/sites-enabled': {
+ 'target': '/etc/nginx/sites-available',
+ },
+}
+
 actions = {
 'nginx-generate-dhparam': {
 'command': 'openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096',
@@ -94,7 +107,7 @@ svc_systemd = {
 
 
 for name, config in node.metadata.get('nginx/vhosts').items():
- files[f'/etc/nginx/sites/{name}'] = {
+ files[f'/etc/nginx/sites-available/{name}'] = {
 'content': Template(filename=join(repo.path, 'data', config['content'])).render(
 server_name=name,
 **config.get('context', {}),
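Review bot: The new `/var/www/certbot` entry in `directories` is explained only by `# temp` and closes with a bare `}` where every sibling entry closes with `},`, so the next entry added to this dict will have to touch this line too. Replace the marker with a comment that says what the directory is for and when it can be removed, for example `# temp: webroot for certbot http-01 challenges, served by the /.well-known/acme-challenge/ location in data/yourls/vhost.conf`, and close the entry with `},`. The `directories` dict begins before this hunk.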
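Review bot: The new `symlinks` item for `/etc/nginx/sites-enabled` carries no `triggers`, while the `directories` entries around it restart nginx through `svc_systemd:nginx:restart`; since nginx.conf now includes `/etc/nginx/sites-enabled/*`, a host that gets the link after the restart serves no vhosts until the next restart, and nothing in this hunk orders the link before it. Add `'triggers': {'svc_systemd:nginx:restart'},` to the item, and consider a `needs` on the `/etc/nginx/sites-available` directory so the target exists when the link is created. Because the link points at the whole `sites-available` directory, every generated vhost file is always enabled; if the split was meant to allow disabling individual sites, the link would have to be created per site instead.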
@@ -110,6 +123,6 @@ for name, config in node.metadata.get('nginx/vhosts').items():
 }
 
 if name in node.metadata.get('letsencrypt/domains'):
- files[f'/etc/nginx/sites/{name}']['needs'].append(
+ files[f'/etc/nginx/sites-available/{name}']['needs'].append(
 f'action:letsencrypt_ensure-some-certificate_{name}',
 )
diff --git a/data/yourls/vhost.conf b/data/yourls/vhost.conf
index 0e30aea..d1431df 100644
--- a/data/yourls/vhost.conf
+++ b/data/yourls/vhost.conf
@@ -3,12 +3,13 @@ server {
 listen [::]:443 ssl http2;
 server_name ${server_name};
 
- ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
- ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+ ssl_certificate /etc/letsencrypt/archive/${server_name}/fullchain1.pem;
+ ssl_certificate_key /etc/letsencrypt/archive/${server_name}/privkey1.pem;
 
 root /var/www/yourls/htdocs;
 
 location / {
+ index index.php index.html index.htm;
 try_files $uri $uri/ /yourls-loader.php$is_args$args;
 }
 
@@ -17,4 +18,14 @@ server {
 fastcgi_index index.php;
 fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
 }
+
+ # temp
+ location ^~ /.well-known/acme-challenge/ {
+ alias /var/www/certbot/;
+ }
 }
+
+
+# FIXME: this is a temporary solution to allow the certbot challenge to work: # - ssl_certificate # - ssl_certificate_key
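Review bot: `ssl_certificate` and `ssl_certificate_key` now point into `/etc/letsencrypt/archive/${server_name}/` at the numbered files `fullchain1.pem` and `privkey1.pem`, which pins the first issued certificate; each renewal writes a new numbered pair, so nginx would keep serving the original certificate until it expires. Point them at the stable symlinks that certbot repoints on every renewal: `ssl_certificate /etc/letsencrypt/live/${server_name}/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/${server_name}/privkey.pem;`. Even then nginx only reads the files on start or reload, so a renewal deploy hook that reloads nginx is still needed for the renewed certificate to be served. The FIXME appended at the end of this file already lists these two lines as temporary; it would help to state there what the intended final paths are. The `server {` block begins before and ends after this hunk.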
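Review bot: `location ^~ /.well-known/acme-challenge/ { alias /var/www/certbot/; }` maps a request for `/.well-known/acme-challenge/<token>` to `/var/www/certbot/<token>`, but certbot's webroot plugin writes tokens to `<webroot>/.well-known/acme-challenge/<token>`; if certbot is run with `-w /var/www/certbot` (not visible here), the challenge files are looked up at the wrong path. Use `root /var/www/certbot;` inside that location instead of `alias`, which keeps the request path under the webroot. This location also lives only in the `listen [::]:443 ssl` server block shown in the previous hunk, while http-01 validation is initiated over port 80, so a plain-HTTP server block has to serve the same path unless one already exists elsewhere in the config. The `# temp` marker says nothing about what is temporary, and the FIXME at the bottom lists only the certificate directives; either add this location to that list or say here what replaces it.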