From 755d9f052009292783fee094f8bff31f954c3849 Mon Sep 17 00:00:00 2001
From: kaiyou
Date: Sun, 24 Sep 2017 14:01:03 +0200
Subject: [PATCH] Prepare nginx as a unique frontend
---
 nginx/Dockerfile | 7 +++----
 nginx/conf/nginx.conf | 32 +++++++++++++++++++++++++++-----
 nginx/start.py | 12 ++++++++++++
 nginx/start.sh | 5 -----
 4 files changed, 42 insertions(+), 14 deletions(-)
 create mode 100755 nginx/start.py
 delete mode 100755 nginx/start.sh
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index a3932ab4..64045e2c 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,9 +1,8 @@
 FROM alpine:edge
-RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
- && apk add --no-cache nginx nginx-mod-mail py-setuptools jinja2-cli@testing
+RUN apk add --no-cache nginx nginx-mod-mail python py-jinja2
 COPY conf /conf
-COPY start.sh /start.sh
+COPY start.py /start.py
-CMD /start.sh
+CMD /start.py
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf
index 5e2a0e27..895ae023 100644
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
@@ -1,6 +1,6 @@
 # Basic configuration
 user nginx;
-worker_processes 1;
+worker_processes 4;
 error_log /dev/stderr info;
 pid /var/run/nginx.pid;
 load_module "modules/ngx_mail_module.so";
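Review bot: `CMD /start.py` on the last added line is the shell form, so the container starts as `/bin/sh -c /start.py`; unless that shell exec's its single command, the `os.execv` in start.py replaces a child of PID 1 and the SIGTERM from `docker stop` stops at the shell, leaving nginx to be killed after the grace period. The exec form `CMD ["/start.py"]` makes start.py PID 1, and after its execv nginx itself, so signals reach it directly. The removed `CMD /start.sh` had the same shape, so this is pre-existing rather than introduced by the commit, but the switch to a script that deliberately exec's nginx is the moment to fix it.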
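Review bot: `worker_processes 4;` hard-codes a worker count that bears no relation to the CPUs the container is actually given, so it over-provisions on small hosts and under-uses large ones; `worker_processes auto;` sizes the pool to the available cores and is the usual choice for an image. If 4 is deliberate, a one-line comment above it stating why would keep the next reader from "fixing" it.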
@@ -21,7 +21,26 @@ http {
 server {
 listen 80;
+ {% if TLS_FLAVOR != 'notls' %}
+ listen 443 ssl;
+
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ ssl_certificate /certs/cert.pem;
+ ssl_certificate_key /certs/key.pem;
+
+ add_header Strict-Transport-Security max-age=15768000;
+
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+ {% endif %}
+ # Actual logic
+ {% if WEBMAIL != 'none' %}
 location / {
 return 301 $scheme://$host/webmail/;
 }
@@ -29,20 +48,25 @@ http {
 location /webmail {
 proxy_pass http://webmail;
 }
+ {% endif %}
+ {% if ADMIN == 'true' %}
 location /admin {
 proxy_pass http://admin;
 }
+ {% endif %}
+ {% if WEBDAV != 'none' %}
 location /webdav {
 proxy_pass http://webdav:5232;
 }
+ {% endif %}
 }
 }
 mail {
- server_name test.mailu.io;
- auth_http http://172.18.0.1:5000/nginx;
+ server_name {{ HOSTNAME }};
+ auth_http http://{{ ADMIN_ADDRESS }}/nginx;
 proxy_pass_error_message on;
 server {
@@ -56,6 +80,4 @@ mail {
 protocol imap;
 imap_auth plain;
 }
-
-
 }
diff --git a/nginx/start.py b/nginx/start.py
new file mode 100755
index 00000000..15e4fee5
--- /dev/null
+++ b/nginx/start.py
@@ -0,0 +1,12 @@
+#!/usr/bin/python
+
+import jinja2
+import os
+import socket
+
+convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
+
+# Actual startup script
+os.environ["ADMIN_ADDRESS"] = socket.gethostbyname("admin")
+convert("/conf/nginx.conf", "/etc/nginx/nginx.conf")
+os.execv("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"])
diff --git a/nginx/start.sh b/nginx/start.sh
deleted file mode 100755
index 9f09a488..00000000
--- a/nginx/start.sh
+++ /dev/null
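Review bot: The new TLS block still offers TLSv1.1 and a cipher list that keeps `+SSLv3`-era suites and the static-RSA `CAMELLIA128-SHA:AES128-SHA` fallbacks, which negotiate without forward secrecy; `ssl_protocols TLSv1.2;` and an ephemeral-only list such as `ssl_ciphers 'EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:!aNULL:!eNULL:!MD5:!3DES';` would drop them. The `EDH`/`kEDH` suites placed first in the list also depend on an `ssl_dhparam` file that the block does not set, so whether they are usable, and with what group size, is left to the nginx build. The redirect `return 301 https://$host$request_uri;` echoes the client-supplied Host header, so a request with a forged Host is bounced to an attacker-chosen origin; `return 301 https://{{ HOSTNAME }}$request_uri;` pins it to the name the mail block of this same file already templates. A short comment on the `add_header Strict-Transport-Security` line noting that nginx drops inherited `add_header`s in any location that later adds its own would also save a future regression.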
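Review bot: The three `proxy_pass` locations forward to webmail, admin and webdav with no `proxy_set_header`, so now that the enclosing server block (it opens in the preceding hunk) terminates TLS, the backends cannot distinguish an https request from an http one or see the client address, which matters for Secure cookies and for any absolute URL they generate. `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` at server level would reach all three locations, since none of them sets its own. The new `auth_http http://{{ ADMIN_ADDRESS }}/nginx;` carries mail clients' credentials to the admin service over plain HTTP; that is presumably acceptable on the internal container network, but a comment saying so would stop the address from later being pointed at anything reachable from outside.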
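Review bot: `convert` writes the rendered config with `open(dst, "w").write(...)` and never closes the handle, so the flush that must complete before the `os.execv` two lines later relies on the interpreter releasing the temporary file object promptly; explicit `with` blocks make that unconditional and also avoid binding a lambda to a name, which PEP 8 discourages. The `socket.gethostbyname("admin")` call resolves the admin container once at startup, so the address baked into `auth_http` goes stale if that container is recreated with a new IP, and a `socket.gaierror` when it is not yet up aborts start-up with a traceback; a comment stating that a restart is the expected recovery, or a bounded retry, would make the intent explicit. Every variable in `os.environ` is also interpolated into the nginx config unescaped, which is fine for operator-set values but deserves a one-line comment so nothing request-derived is ever routed through it.
```python
def convert(src, dst):
    """Render the Jinja template at src with os.environ and write it to dst."""
    with open(src) as template_file:
        rendered = jinja2.Template(template_file.read()).render(**os.environ)
    with open(dst, "w") as config_file:
        config_file.write(rendered)

# … unchanged: ADMIN_ADDRESS lookup, convert() call, os.execv …
```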
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-jinja2 /conf/nginx.conf > /etc/nginx/nginx.conf
-
-exec nginx -g 'daemon off;'