Use https by default

apptabulous/reverseproxy/conf.d/reverse_proxy.conf

@@ -6,10 +6,20 @@ map $request_uri $block_uri {
     /etc 1;
 }
 
-# m5p3nc3r webserver
+# Redirect all HTTP to HTTPS
 server {
     listen 80;
     listen [::]:80;
+    server_name m5p3nc3r.co.uk www.m5p3nc3r.co.uk
+                gitea.m5p3nc3r.co.uk
+                apptabulous.co.uk www.apptabulous.co.uk
+                hub.apptabulous.co.uk;
+
+    return 301 https://$host$request_uri;
+}
+
+# m5p3nc3r webserver
+server {
     listen 443 ssl;
     listen [::]:443 ssl;
     server_name m5p3nc3r.co.uk www.m5p3nc3r.co.uk;
@@ -17,6 +27,8 @@ server {
     ssl_certificate /etc/letsencrypt/live/m5p3nc3r.co.uk/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/m5p3nc3r.co.uk/privkey.pem;
 
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
     if ($block_uri = 1) {
         return 403;
     }
@@ -28,8 +40,6 @@ server {
 
 # gitea.m5p3nc3r webserver
 server {
-    listen 80;
-    listen [::]:80;
     listen 443 ssl;
     listen [::]:443 ssl;
     server_name gitea.m5p3nc3r.co.uk;
@@ -37,9 +47,7 @@ server {
     ssl_certificate /etc/letsencrypt/live/m5p3nc3r.co.uk/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/m5p3nc3r.co.uk/privkey.pem;
 
-    # if ($block_uri = 1) {
-    #     return 403;
-    # }
+    add_header Strict-Transport-Security "max-age=31536000" always;
 
     location / {
         proxy_pass http://gitea:3000;
@@ -48,8 +56,6 @@ server {
 
 # apptabulous webserver
 server {
-    listen 80;
-    listen [::]:80;
     listen 443 ssl;
     listen [::]:443 ssl;
     server_name apptabulous.co.uk www.apptabulous.co.uk;
@@ -57,6 +63,8 @@ server {
     ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;
 
+    add_header Strict-Transport-Security "max-age=31536000" always;
+
     if ($block_uri = 1) {
         return 403;
     }
@@ -68,8 +76,6 @@ server {
 
 # Container registry
 # server {
-#     listen 80;
-#     listen [::]:80;
 #     listen 443 ssl;
 #     listen [::]:443 ssl;
 #     server_name hub.apptabulous.co.uk;
@@ -79,7 +85,7 @@ server {
 
 #     # disable any limits to avoid HTTP 413 for large image uploads
 #     client_max_body_size 0;
-    
+
 #     # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
 #     chunked_transfer_encoding on;
 
@@ -88,10 +94,8 @@ server {
 #     }
 # }
 
-# # Watchtower
+# Watchtower
 # server {
-#     listen 80;
-#     listen [::]:80;
 #     listen 443 ssl;
 #     listen [::]:443 ssl;
 #     server_name watchtower.apptabulous.co.uk;

inventory.yaml

@@ -9,7 +9,7 @@ all:
     rpi5-2:
       ansible_host: rpi5-2.local
     ryzen7:
-      ansible_host: ryzen7
+      ansible_host: ryzen7-1.local
   children:
     monitored:
       hosts: