From b1c93d608910b1d88e1825009b91489b91062577 Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Wed, 3 Aug 2022 23:06:41 +0200
Subject: [PATCH] add 'well-known/acme-challenge' file

---
 tasks/main.yml           | 5 +++++
 templates/http_server.j2 | 5 +++++
 templates/nginx.conf     | 2 +-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index b9c8f31..a5e9b79 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -17,6 +17,11 @@
   loop:
     - connection_upgrade.conf # fix some nginx bug
 
+- name: Ensure the cert directory exists
+  file:
+    path: /var/www/well-known/acme-challenge/.well-known/acme-challenge
+    state: directory
+
 - name: Ensure the cert directory exists
   file:
     path: /etc/nginx/certs
diff --git a/templates/http_server.j2 b/templates/http_server.j2
index 0621a77..027ead7 100644
--- a/templates/http_server.j2
+++ b/templates/http_server.j2
@@ -9,6 +9,11 @@ server {
         return 302 https://$host$request_uri;
     }
 
+    # ACME directory, to limit interaction with certbot
+    location /.well-known/acme-challenge/ {
+        root /var/www/well-known/acme-challenge/;
+    }
+
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
 
diff --git a/templates/nginx.conf b/templates/nginx.conf
index c47de9c..96f15f9 100644
--- a/templates/nginx.conf
+++ b/templates/nginx.conf
@@ -44,7 +44,7 @@ stream {
         r3.o.lencr.org r3;
         {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
         {{ rp.value.sni_server_name }} {{ rp.key }};
-        {%- endfor %}
+        {% endfor %}
         default local;
     }
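Review bot: The new task at the top of the tasks/main.yml hunk is a copy of the one below it, down to the name `Ensure the cert directory exists`, although it creates the ACME webroot rather than the cert directory, and it sets no `owner`, `group` or `mode`, so the directory ends up with whatever the Ansible connection user and umask produce. The process that writes challenge tokens (certbot's webroot plugin, presumably, given the template comment) needs write access here while nginx only needs read access, so the ownership should be stated explicitly, e.g. `- name: Ensure the ACME webroot exists` together with `mode: "0755"` and the intended `owner`/`group`, rather than inherited. Worth confirming which user runs certbot before choosing the owner.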
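Review bot: Whether the new `location /.well-known/acme-challenge/` block in templates/http_server.j2 is ever reached depends on where the `return 302` two lines above it lives, which the hunk does not show: if it sits inside a `location /` block the longer prefix wins and the challenge is served, but if it is a server-level `return` or an `if` at server scope, the redirect runs in the rewrite phase before location selection and the HTTP-01 request never reaches the webroot. The comment `# ACME directory, to limit interaction with certbot` does not say how the path resolves; `root` appends the request URI, so tokens are read from `/var/www/well-known/acme-challenge/.well-known/acme-challenge/`, which is the directory created in tasks/main.yml, and a comment such as `# HTTP-01 challenge webroot: nginx appends /.well-known/acme-challenge/ to root, so certbot's webroot must be /var/www/well-known/acme-challenge` would make that coupling explicit. The enclosing `server` block starts and ends outside the hunk.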