From 3d71062d4b5488d52bde27be24a416a692dd36b4 Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Sun, 24 Sep 2023 15:12:22 +0200 Subject: [PATCH] feat: improve naming and read secrets from files --- Dockerfile.multiarch | 6 +- overlay/etc/nginx/nginx.conf | 2 +- overlay/etc/templates/vhost.conf.tmpl | 59 ----------------- overlay/etc/templates/vhosts.conf.tmpl | 90 ++++++++++++++++++++++++++ overlay/usr/local/bin/entrypoint | 9 ++- 5 files changed, 100 insertions(+), 66 deletions(-) delete mode 100644 overlay/etc/templates/vhost.conf.tmpl create mode 100644 overlay/etc/templates/vhosts.conf.tmpl
diff --git a/Dockerfile.multiarch b/Dockerfile.multiarch
index 22ae8b0..5914c0f 100644
--- a/Dockerfile.multiarch
+++ b/Dockerfile.multiarch
@@ -34,15 +34,15 @@ RUN addgroup -g 1001 -S nginx && \
 ADD overlay/ /
-RUN mkdir -p /var/www /etc/proxy-config /etc/nginx/conf.d /var/tmp/nginx /var/cache/nginx && \
+RUN mkdir -p /var/www /etc/nginx-s3 /etc/nginx/conf.d /var/tmp/nginx /var/cache/nginx && \
 touch /run/nginx.pid && \
- touch /etc/nginx/conf.d/vhost.conf && \
+ touch /etc/nginx/conf.d/vhosts.conf && \
 chown nginx /run/nginx.pid && \
 chown -R nginx /var/log/nginx /var/tmp/nginx /var/cache/nginx && \
 chown -R nginx:nginx /var/www && \
 chown -R root:nginx /etc/nginx /etc/nginx/conf.d && \
 chmod -R 640 /etc/nginx /etc/nginx/conf.d && \
- chmod 750 /var/www /var/cache/nginx /etc/proxy-config /etc/nginx /etc/nginx/conf.d
+ chmod 750 /var/www /var/cache/nginx /etc/nginx-s3 /etc/nginx /etc/nginx/conf.d
 EXPOSE 8080
diff --git a/overlay/etc/nginx/nginx.conf b/overlay/etc/nginx/nginx.conf
index a102471..da7e4e5 100644
--- a/overlay/etc/nginx/nginx.conf
+++ b/overlay/etc/nginx/nginx.conf
@@ -25,5 +25,5 @@ http {
 ~/$ ${request_uri}index.html;
 }
- include /etc/nginx/conf.d/vhost.conf;
+ include /etc/nginx/conf.d/vhosts.conf;
 }
diff --git a/overlay/etc/templates/vhost.conf.tmpl b/overlay/etc/templates/vhost.conf.tmpl
deleted file mode 100644
index 6164738..0000000
--- a/overlay/etc/templates/vhost.conf.tmpl
+++ /dev/null
@@ -1,59 +0,0 @@
-{{- $vhost := ds "vhost" }}
-{{- $defauls := data.YAML "{hostnames: [localhost], proxy_ssl_protocols: TLSv1.2 TLSv1.3, proxy_hide_header: [X-Amz-*]}" -}}
-
-{{- range $vhost }}
-{{- $this := coll.Merge . $defauls }}
-{{- $upstream_host := index ($this.upstream | strings.Split ":") 0 }}
-{{- $access_key_id := index $this "access_key_id" }}
-{{- $secret_access_key := index $this "secret_access_key" -}}
-
-upstream backend_s3_{{ $this.bucket }} {
- server {{ $this.upstream }};
-}
-
-server {
- listen 8080;
- server_name {{ conv.Join $this.hostnames " " }};
-
- location / {
- {{ if and $access_key_id $secret_access_key -}}
- set_by_lua $now "return ngx.http_time(ngx.time())";
- set $string_to_sign "GET\n\n\n${now}\n/{{ $this.bucket }}/${repo}$request_path";
- set_hmac_sha1 $aws_signature "{{ $this.secret_access_key }}" "$string_to_sign";
- set_encode_base64 $aws_signature "$aws_signature";
-
- proxy_set_header Date "$now";
- proxy_set_header Authorization "AWS {{ $this.access_key_id }}:$aws_signature";
-
- {{ end -}}
-
- proxy_pass https://backend_s3_{{ $this.bucket }}/{{ $this.bucket }}/${repo}$uri;
- proxy_ssl_name {{ $upstream_host }};
- proxy_ssl_server_name on;
- proxy_ssl_verify on;
- proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
- proxy_ssl_protocols {{ $this.proxy_ssl_protocols }};
-
- proxy_http_version 1.1;
- proxy_buffering off;
- proxy_connect_timeout 300;
- proxy_intercept_errors on;
- port_in_redirect off;
-
- proxy_set_header Host "{{ $upstream_host }}";
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- {{ range $this.proxy_hide_header }}
- more_clear_headers {{ . }};
- {{- end }}
-
- proxy_ignore_headers Set-Cookie;
-
- rewrite ^([^.]*[^/])$ $1/ permanent;
- rewrite ^(.*)/$ $1/index.html break;
- rewrite ^(.*/[^./]+)$ $1/index.html break;
- }
-}
-{{- end -}}
diff --git a/overlay/etc/templates/vhosts.conf.tmpl b/overlay/etc/templates/vhosts.conf.tmpl
new file mode 100644
index 0000000..bbff858
--- /dev/null
+++ b/overlay/etc/templates/vhosts.conf.tmpl
@@ -0,0 +1,90 @@
+{{- $config := ds "config" }}
+{{- $defauls := data.YAML "{hostnames: [localhost], upstream_use_tls: false, proxy_ssl_protocols: TLSv1.2 TLSv1.3, proxy_hide_header: [X-Amz-*]}" -}}
+
+{{- range $config }}
+{{- $this := coll.Merge . $defauls }}
+{{- $upstream_host := index ($this.upstream | strings.Split ":") 0 }}
+{{- $upstream_use_tls := $this.upstream_use_tls | conv.ToBool }}
+{{- $access_key_id_file := index $this "access_key_id_file" }}
+{{- $secret_access_key_file := index $this "secret_access_key_file" -}}
+
+upstream backend_s3_{{ $this.bucket }} {
+ server {{ $this.upstream }};
+}
+
+server {
+ listen 8080;
+ server_name {{ conv.Join $this.hostnames " " }};
+
+ location / {
+ {{ if and $access_key_id_file $secret_access_key_file -}}
+ set_by_lua $now "return ngx.http_time(ngx.time())";
+ set_by_lua_block $access_key_id {
+ local f, err = io.open('{{ $access_key_id_file }}', 'r')
+ local content
+ if f == nil then
+ ngx.log(ngx.STDERR, err)
+ else
+ content = string.gsub(f:read("*all"), "%s", "")
+ f:close()
+ end
+ return content
+ }
+ set_by_lua_block $secret_access_key {
+ local f, err = io.open('{{ $secret_access_key_file }}', 'r')
+ local content
+ if f == nil then
+ ngx.log(ngx.STDERR, err)
+ else
+ content = string.gsub(f:read("*all"), "%s", "")
+ f:close()
+ end
+ return content
+ }
+ set $string_to_sign "GET\n\n\n${now}\n/{{ $this.bucket }}/${repo}$request_path";
+ set_hmac_sha1 $aws_signature "$secret_access_key" "$string_to_sign";
+ set_encode_base64 $aws_signature "$aws_signature";
+
+ proxy_set_header Date "$now";
+ proxy_set_header Authorization "AWS $access_key_id:$aws_signature";
+
+ {{ end -}}
+
+ proxy_pass https://backend_s3_{{ $this.bucket }}/{{ $this.bucket }}/${repo}$uri;
+ {{- if $this.upstream_use_tls }}
+ proxy_ssl_name {{ $upstream_host }};
+ proxy_ssl_server_name on;
+ proxy_ssl_verify on;
+ proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+ proxy_ssl_protocols {{ $this.proxy_ssl_protocols }};
+ {{- end }}
+
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_connect_timeout 300;
+ proxy_intercept_errors on;
+ port_in_redirect off;
+
+ {{ if $this.upstream_use_tls -}}
+ proxy_set_header Host "{{ $upstream_host }}";
+ {{- else }}
+ proxy_set_header Host $host;
+ {{- end }}
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ {{- with $this.proxy_hide_header }}
+ {{ range $this.proxy_hide_header }}
+ more_clear_headers {{ . }};
+ {{- end }}
+ {{- end }}
+
+ proxy_ignore_headers Set-Cookie;
+
+ rewrite ^([^.]*[^/])$ $1/ permanent;
+ rewrite ^(.*)/$ $1/index.html break;
+ rewrite ^(.*/[^./]+)$ $1/index.html break;
+ }
+}
+{{- end -}}
diff --git a/overlay/usr/local/bin/entrypoint b/overlay/usr/local/bin/entrypoint
index fbd703b..88946ec 100755
--- a/overlay/usr/local/bin/entrypoint
+++ b/overlay/usr/local/bin/entrypoint
@@ -1,5 +1,8 @@
 #!/usr/bin/env sh
+# shellcheck disable=SC3040
+set -eo pipefail
+
 # shellcheck disable=SC1091
 . /usr/local/lib/log.sh
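Review bot: When `upstream_use_tls` is false — which the new `$defauls` line makes the default — the `proxy_ssl_verify on` / `proxy_ssl_trusted_certificate` block is dropped, but `proxy_pass` still says `https://`, so nginx talks TLS to the upstream with certificate verification off (nginx's default), or fails the handshake outright if the upstream really is plaintext. The scheme should follow the flag, e.g. `proxy_pass {{ if $upstream_use_tls }}https{{ else }}http{{ end }}://backend_s3_{{ $this.bucket }}/{{ $this.bucket }}/${repo}$uri;`, and both `{{- if ... }}` tests should use the `$upstream_use_tls` value computed via `conv.ToBool` — it is currently never referenced, while `$this.upstream_use_tls` is truthy for any non-empty string, so a quoted `"false"` in config would enable the TLS branches. Since the deleted template always verified the upstream certificate, defaulting `upstream_use_tls` to `true` would keep the rename from also being a security regression. Separately, the two `set_by_lua_block`s re-open the key files on every request and, when `io.open` fails, return nil, so the request is still signed with an empty key and `Authorization: AWS :<sig>` is sent upstream; reading each file once into a module-level Lua variable and rejecting the request when it is missing (in an `access_by_lua_block` with `ngx.exit(500)`, since `ngx.exit` is not available inside `set_by_lua`) would fail closed instead.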
@@ -33,11 +36,11 @@ start_server() {
 run_config() {
 log_info "Start nginx config service"
- /usr/local/bin/gomplate -d vhost=/etc/proxy-config/vhost.yml -o /etc/nginx/conf.d/vhost.conf -f /etc/templates/vhost.conf.tmpl --chmod "0640"
+ /usr/local/bin/gomplate -d config=/etc/nginx-s3/config.yaml -o /etc/nginx/conf.d/vhosts.conf -f /etc/templates/vhosts.conf.tmpl --chmod "0640"
- while inotifywait -q --timefmt "%F %T" --format "%T [INFO] [$(basename "$0")] %e %f" -e modify,move,create,delete /etc/proxy-config/vhost.yml; do
+ while inotifywait -q --timefmt "%F %T" --format "%T [INFO] [$(basename "$0")] %e %f" -e modify,move,create,delete /etc/nginx-s3/config.yaml; do
 log_info "Regenerate nginx config"
- /usr/local/bin/gomplate -d vhost=/etc/proxy-config/vhost.yml -o /etc/nginx/conf.d/vhost.conf -f /etc/templates/vhost.conf.tmpl --chmod "0640"
+ /usr/local/bin/gomplate -d config=/etc/nginx-s3/config.yaml -o /etc/nginx/conf.d/vhosts.conf -f /etc/templates/vhosts.conf.tmpl --chmod "0640"
 done
 }
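Review bot: With `set -eo pipefail` now enabled at the top of the file (the earlier hunk of this commit), a non-zero exit from the gomplate call inside the `while inotifywait` loop — a half-saved `config.yaml`, or a `move`/`delete` event observed before the replacement file exists — terminates `run_config` and with it the config watcher, leaving nginx on a stale `vhosts.conf` until the container restarts. Wrap the in-loop render so a bad edit is logged and watching continues: `if ! /usr/local/bin/gomplate -d config=/etc/nginx-s3/config.yaml -o /etc/nginx/conf.d/vhosts.conf -f /etc/templates/vhosts.conf.tmpl --chmod "0640"; then log_info "Config regeneration failed, keeping previous vhosts.conf"; fi` (use a warning-level helper if log.sh provides one). Whether `run_config` runs in the foreground or is backgrounded — which decides if the failure takes down the whole entrypoint or only the watcher — is not visible in this hunk. The initial render before the loop can keep the `set -e` behaviour, since starting without a usable config is a legitimate fatal error.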