Move shit around

docker/nginx/Dockerfile

@@ -32,11 +32,11 @@ RUN apt update && \
       apt-get clean && \
       rm -rf /var/lib/apt/lists/*
 
-ADD ./crontab /certcrontab
-ADD ./updatecerts.sh /
-ADD ./entrypoint.sh /
+ADD ./config/crontab /certcrontab
+ADD ./scripts/updatecerts.sh /
+ADD ./scripts/entrypoint.sh /
 
-ADD ./nginx.conf.erb /tmp
+ADD ./config/nginx.conf.erb /tmp
 RUN SERVER_NAME=$SERVER_NAME \
     REDIRECT_SERVER_NAMES=$REDIRECT_DOMAINS \
     HTTPS_CERT_NAME=$HTTPS_CERT_NAME \

docker/nginx/nginx.conf.sed → docker/nginx/config/nginx.conf.erb

@@ -1,3 +1,24 @@
+<%# params: -%>
+<%# - fake_hosts            string[] - when set only fake vhosts will be created - used for certbot initial run-%>
+<%# - server_name           string   - main domain/server_name for the wewbie -%>
+<%# - redirect_server_names string[] - all domains that will redirect to server_name and server_name (to redirect http->https) -%>
+<%# - https_cert_name       string   - used in /etc/letsencrypt/NAME, if null - only http will be enabled -%>
+<%
+  fake_hosts             = (fake_hosts            or ENV['FAKE_HOSTS']);
+  server_name            = (server_name           or ENV['SERVER_NAME']);
+  redirect_server_names  = (redirect_server_names or ENV['REDIRECT_SERVER_NAMES']);
+  https_cert_name        = (https_cert_name       or ENV['HTTPS_CERT_NAME']);
+  if fake_hosts then
+    fake_hosts = fake_hosts.split ','
+  end;
+  if redirect_server_names then
+    redirect_server_names = redirect_server_names.split ','
+  end;
+  redirect_server_names = (redirect_server_names or []);
+  redirect_server_names.push(server_name);
+  redirect_server_names = redirect_server_names.uniq;
+-%>
+
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
@@ -32,40 +53,55 @@ http {
   open_file_cache_errors on;
 
   include /etc/nginx/snippets/*.conf;
+<% if (fake_hosts.length > 0) then -%>
+  <% for fake_host in fake_hosts-%>
+    server {
+      server_name <%= fake_host -%>;
+      listen 80;
+      root /var/wwwnossl/;
+      location / {
+        return 200 "Fake NGINX";
+      }
+      location ~ /.well-known {
+        allow all;
+      }
+    }
+  <% end -%>
+<% else -%>
 
   server {
-      set $website_host __ARG_SERVER_NAME;
+      set $website_host <%= server_name -%>;
+      server_name "$website_host";
+      access_log "/var/log/nginx/$website_host.access.log";
+      access_log "/var/log/nginx/$website_host.error.log";
 
-      set $website_root "/var/www/public";
-      set $symfony_root "/var/www/lib/vendor/symfony";
       set $default_controller "index.php";
+      index $default_controller;
 
-      listen 443 ssl http2;
-      server_name "$website_host";
+      set $website_root "/var/www/public";
+      root $website_root;
+      charset utf-8;
 
-      access_log "/var/log/nginx/$website_host.access.log";
-      access_log "/var/log/nginx/$website_host.error.log";
+
+    <% if https_cert_name -%>
+      listen 443 ssl http2;
+      ssl_certificate     "/etc/letsencrypt/live/<%=https_cert_name-%>/fullchain.pem";
+      ssl_certificate_key "/etc/letsencrypt/live/<%=https_cert_name-%>/privkey.pem";
+    <% else -%>
+      listen 80;
+      listen [::]:80;
+    <% end -%>
 
       # Security headers
-      # THE FOLLOWING REFERRER HEADER BREAKS THE APP; THIS IS A TODO
-      #add_header Referrer-Policy: strict-origin-when-cross-origin;
+      #TODO: fix app and enable: add_header Referrer-Policy: strict-origin-when-cross-origin;
       add_header X-Frame-Options DENY;
       add_header X-Content-Type-Options nosniff;
       add_header X-XSS-Protection "1; mode=block" always;
       add_header X-Permitted-Cross-Domain-Policies none;
       add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
-      #### let's encrypt's x509 certificates
-      ssl_certificate "/etc/letsencrypt/live/__ARG_HTTPS_CERT_NAME/fullchain.pem";
-      ssl_certificate_key "/etc/letsencrypt/live/__ARG_HTTPS_CERT_NAME/privkey.pem";
-
-      root $website_root;
-      index $default_controller;
-      charset utf-8;
-
       location /sf {
-          # path to folder where all symfony assets are located
-          alias $symfony_root/data/web/sf;
+          alias /var/www/lib/vendor/symfony/data/web/sf;
           expires max;
       }
 
@@ -101,14 +137,13 @@ http {
       }
   }
 
-  # redirect with 302 (Moved Temporarily) to 
+  # redirect with 302 (Moved Temporarily) to
   # avoid caching URLs that we might change (prod, staging, etc)
   server {
     listen 80;
     listen [::]:80;
-    set $main_website_host __ARG_SERVER_NAME;
-    set $all_website_hosts __ARG_REDIRECT_DOMAINS;
-    server_name "$all_website_hosts";
-    return 302 "https://$main_website_host$request_uri";
+    server_name <%=redirect_server_names.join(' ')-%>;
+    return 302 "https://<%=server_name-%>$request_uri";
   }
+<% end -%>
 }