From e8aaa8ac3f62d476e96ec912f65d92c8155ddf7c Mon Sep 17 00:00:00 2001
From: Josh Matthews
Date: Wed, 14 Mar 2018 13:42:37 -0400
Subject: [PATCH 1/3] Use letsencrypt cert for build.servo.org.
---
 nginx/default | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nginx/default b/nginx/default
index 6ea04f95..02bf98e7 100644
--- a/nginx/default
+++ b/nginx/default
@@ -1,7 +1,10 @@
 server {
 listen 80 default_server;
 server_name build.servo.org;
+ ssl_certificate /etc/letsencrypt/live/build.servo.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/build.servo.org/privkey.pem;
+ listen 443 ssl;
 location / {
 proxy_pass http://localhost:8010/;
From a4890817b01fe8ca54195b7d8986d687c5d4dea8 Mon Sep 17 00:00:00 2001
From: Josh Matthews
Date: Wed, 14 Mar 2018 13:53:21 -0400
Subject: [PATCH 2/3] Add cron job to renew build.servo.org cert.
---
 nginx/init.sls | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/nginx/init.sls b/nginx/init.sls
index 86990817..bc7fabba 100644
--- a/nginx/init.sls
+++ b/nginx/init.sls
@@ -19,3 +19,20 @@ nginx:
 file.symlink:
 - target: /etc/nginx/sites-available/default
+certbot:
+ pkgrepo.managed:
+ - ppa: certbot/certbot
+ pkg.installed:
+ - pkgs:
+ - certbot
+ - python-certbot-nginx
+
+certbot renew:
+ cron.present:
+ - identifier: build-cert-renew
+ - user: root
+ - minute: 0
+ - hour: 0
+ - daymonth: 1
+ - require:
+ - pkg: certbot
From e966579eca414246569457e56fd12c394a0adfd2 Mon Sep 17 00:00:00 2001
From: Josh Matthews
Date: Wed, 14 Mar 2018 14:36:07 -0400
Subject: [PATCH 3/3] Add HTTPS redirect and STS header.
---
 nginx/default | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/nginx/default b/nginx/default
index 02bf98e7..c16962dc 100644
--- a/nginx/default
+++ b/nginx/default
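Review bot: The new `listen 443 ssl;` lines set only the certificate paths and leave `ssl_protocols` and `ssl_ciphers` at nginx's defaults, which at the time of this commit still included TLSv1 and TLSv1.1; add `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` next to the certificate directives so the policy is explicit in the config. The files under `/etc/letsencrypt/live/build.servo.org/` must exist before this config is loaded or the config test fails and nginx will not start, and nothing in this series issues the initial certificate (the later state only installs certbot and schedules `certbot renew`), so presumably that is done out of band — a comment above `ssl_certificate` saying so would save the next operator a failed deploy. The server block continues outside the hunk.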
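Review bot: The `certbot renew` cron fires once a month (`daymonth: 1`), which for a 90-day Let's Encrypt certificate that certbot only renews inside its final 30 days leaves at most one attempt before expiry and no retry if that attempt fails; certbot's own guidance is to run it at least daily, e.g. drop `- daymonth: 1` and use `- hour: '0,12'`. Nothing in the state reloads nginx after a renewal, so a renewed key pair on disk is not served until the next reload — presumably the certificate is issued with the nginx installer plugin, which reloads on its own; if not, the command should carry a hook, `- name: certbot renew --deploy-hook 'systemctl reload nginx'`. The state also pulls certbot from an unpinned third-party PPA, a supply-chain trust decision worth recording in a comment above `pkgrepo.managed`.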
@@ -1,10 +1,18 @@
 server {
 listen 80 default_server;
 server_name build.servo.org;
+ return 307 https://$host$request_uri;
+}
+
+server {
 ssl_certificate /etc/letsencrypt/live/build.servo.org/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/build.servo.org/privkey.pem;
 listen 443 ssl;
+ server_name build.servo.org;
+
+ # add Strict-Transport-Security to prevent man in the middle attacks
+ add_header Strict-Transport-Security "max-age=31536000" always;
 location / {
 proxy_pass http://localhost:8010/;
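Review bot: The redirect `return 307 https://$host$request_uri;` builds its target from the request's Host header, and because this server block is `default_server` it answers requests for any Host, so a request carrying an arbitrary Host value is answered with a redirect to that host; using the configured name instead, `return 307 https://$server_name$request_uri;`, pins the target to build.servo.org. A 301 is the conventional status for a permanent HTTP-to-HTTPS move since clients cache it and stop sending plaintext requests, whereas 307 is the right choice only if preserving the request method was intended, which the commit message does not say — a one-line comment above the `return` would settle that. The `location` block continues outside the hunk.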