Use new proxy domain for ejabberd cert

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb

@@ -14,6 +14,10 @@ server {
   listen [::]:443 ssl http2;
   server_name <%= @domain %>;
 
+  if ($host != $server_name) {
+    return 301 $scheme://$server_name$request_uri;
+  }
+
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
@@ -39,6 +43,9 @@ server {
 
   location @proxy {
     proxy_set_header Host $http_host;
+    set $x_forwarded_host $http_x_forwarded_host;
+    if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
+    proxy_set_header X-Forwarded-Host $x_forwarded_host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto https;

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -52,7 +52,7 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
   not_if do
     File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
   end

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -10,16 +10,6 @@ upstream _<%= @app_name %> {
 # TODO use cookbook attribute when enabling
 # variables_hash_max_size 2048;
 
-server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
-  listen [::]:80;
-  server_name <%= @server_name %>;
-  # Redirect to https
-  location / {
-    return 301 https://<%= @server_name %>$request_uri;
-  }
-}
-
 server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
   listen [::]:443 ssl http2;

site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb

@@ -14,7 +14,5 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
-  location / {
-    return <%= @http_status || 301 %> <%= @target %>;
-  }
+  return <%= @http_status || 307 %> <%= @target %>;
 }

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -2,7 +2,7 @@
 
 server {
   server_name _;
-  listen 80 default_server;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
 
   location / {
     return 301 https://<%= @domain %>;
@@ -14,6 +14,10 @@ server {
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;
 
+  if ($host != $server_name) {
+    return 307 $scheme://$server_name;
+  }
+
   root /var/www/<%= @domain %>/public;
 
   access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
@@ -22,14 +26,13 @@ server {
   gzip_static on;
   gzip_comp_level 5;
 
-  add_header 'Access-Control-Allow-Origin' '*';
-
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
 <% if @accounts_url %>
   location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
     proxy_ssl_server_name on;
+    proxy_set_header X-Forwarded-Host $host;
     proxy_pass https://accounts.kosmos.org;
   }
 <% end %>