From 271aac3ae69c19f763d16ebce2b185d882a150b4 Mon Sep 17 00:00:00 2001
From: GilbN
Date: Sun, 5 Mar 2023 13:41:19 +0000
Subject: [PATCH] deploy: 83eeae8d730b01083ff7ded533769f08538adc3e
---
 docker/root/defaults/nginx/nginx.conf | 81 +++++++++++++++++++
 .../{ => nginx/site-confs}/default.conf | 0
 docker/root/defaults/nginx/ssl.conf | 39 +++++++++
 .../etc/s6-overlay/s6-rc.d/init-themepark/run | 9 ++-
 .../s6-overlay/s6-rc.d/init-version-checks/up | 1 +
 5 files changed, 127 insertions(+), 3 deletions(-)
 create mode 100644 docker/root/defaults/nginx/nginx.conf
 rename docker/root/defaults/{ => nginx/site-confs}/default.conf (100%)
 create mode 100644 docker/root/defaults/nginx/ssl.conf
 create mode 100644 docker/root/etc/s6-overlay/s6-rc.d/init-version-checks/up
diff --git a/docker/root/defaults/nginx/nginx.conf b/docker/root/defaults/nginx/nginx.conf
new file mode 100644
index 00000000..fa2bcb98
--- /dev/null
+++ b/docker/root/defaults/nginx/nginx.conf
@@ -0,0 +1,81 @@
+## Version 2022/08/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
+
+### Based on alpine defaults
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.15-stable
+
+user abc;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events {
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
+}
+
+http {
+ # Includes mapping of file name extensions to MIME types of responses
+ # and defines the default type.
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Name servers used to resolve names of upstream servers into addresses.
+ # It's also needed when using tcpsocket and udpsocket in Lua modules.
+ #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+ include /config/nginx/resolver.conf;
+
+ # Don't tell nginx version to the clients. Default is 'on'.
+ server_tokens off;
+
+ # Specifies the maximum accepted body size of a client request, as
+ # indicated by the request header Content-Length. If the stated content
+ # length is greater than this size, then the client receives the HTTP
+ # error code 413. Set to 0 to disable. Default is '1m'.
+ client_max_body_size 0;
+
+ # Sendfile copies data between one FD and other from within the kernel,
+ # which is more efficient than read() + write(). Default is off.
+ sendfile on;
+
+ # Causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames. Default is 'off'.
+ tcp_nopush on;
+
+ # all ssl related config moved to ssl.conf
+ include /config/nginx/ssl.conf;
+
+ # Enable gzipping of responses.
+ #gzip on;
+
+ # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+ gzip_vary on;
+
+ # Helper variable for proxying websockets.
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ # Sets the path, format, and configuration for a buffered log write.
+ access_log /config/log/nginx/access.log;
+
+ # Includes virtual hosts configs.
+ include /etc/nginx/http.d/*.conf;
+ include /config/nginx/site-confs/*.conf;
+}
+
+daemon off;
+pid /run/nginx.pid;
\ No newline at end of file
diff --git a/docker/root/defaults/default.conf b/docker/root/defaults/nginx/site-confs/default.conf
similarity index 100%
rename from docker/root/defaults/default.conf
rename to docker/root/defaults/nginx/site-confs/default.conf
diff --git a/docker/root/defaults/nginx/ssl.conf b/docker/root/defaults/nginx/ssl.conf
new file mode 100644
index 00000000..d8d4ffad
--- /dev/null
+++ b/docker/root/defaults/nginx/ssl.conf
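Review bot: `client_max_body_size 0;` in the http block removes the request-body cap entirely, so any client can stream an arbitrarily large body at every server pulled in from site-confs. Nothing in this patch shows an upload endpoint, and the init script only copies static files (index.html, themes.py, CNAME) into /config/www, so the nginx default or an explicit small limit, `client_max_body_size 1m;`, looks like the safer baseline; a location that genuinely needs more can raise it locally. The comment block above the directive already explains the semantics, so only the value needs changing.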
@@ -0,0 +1,39 @@
+## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+
+### Mozilla Recommendations
+# generated 2022-08-05, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP stapling
+#ssl_stapling on;
+#ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+#ssl_trusted_certificate /config/keys/cert.crt;
+
+# Optional additional headers
+#add_header Cache-Control "no-transform" always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
+#add_header Permissions-Policy "interest-cohort=()";
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;
\ No newline at end of file
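Review bot: `ssl_dhparam /config/nginx/dhparams.pem;` together with the `ssl_certificate` and `ssl_certificate_key` lines references files under /config that nothing in this patch creates; the init script's `cp -TR /defaults /config` ships only nginx.conf, ssl.conf and site-confs, so on a fresh volume an ssl-enabled server inheriting these directives would presumably fail nginx's config load unless some other init step provisions the files (not visible here, worth confirming). If no such step exists, generating a self-signed pair and the ffdhe2048 group at init, or shipping the group under /defaults, avoids a hard start failure. Separately, every hardening header remains commented out; `add_header X-Content-Type-Options "nosniff" always;` is low-risk for static assets typed via the included mime.types and could be enabled now, while HSTS should stay off until the certificate provisioning is settled.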
diff --git a/docker/root/etc/s6-overlay/s6-rc.d/init-themepark/run b/docker/root/etc/s6-overlay/s6-rc.d/init-themepark/run index 0f519f02..62e6d0f9 100755 --- a/docker/root/etc/s6-overlay/s6-rc.d/init-themepark/run +++ b/docker/root/etc/s6-overlay/s6-rc.d/init-themepark/run @@ -15,16 +15,19 @@ case ${TP_URLBASE} in ;; esac -DEFAULT='/defaults/default.conf' +DEFAULT='/defaults/nginx/site-confs/default.conf' if [[ ${TP_URLBASE} ]]; then if ! grep -q "${TP_URLBASE}" "${DEFAULT}"; then sed -i "s/themepark/${TP_URLBASE}/g" ${DEFAULT} fi fi -cp /defaults/default.conf /config/nginx/site-confs + +echo '[theme.park-init] Copying nginx files' +cp -TR /defaults /config # Remove old config if [[ -f /config/nginx/site-confs/default ]]; then + echo '[theme.park-init] Removing old default file' rm /config/nginx/site-confs/default fi @@ -41,7 +44,7 @@ cp /app/themepark/index.html /config/www cp /app/themepark/themes.py /config/www cp /app/themepark/CNAME /config/www -echo '[theme.park-init] Copying mods into /config/docker-mods' +echo '[theme.park-init] Copying mods' # copy mods for folder in /app/themepark/docker-mods/*; do \ cp /app/themepark/docker-mods/"${folder##*/}"/root/etc/cont-init.d/98-themepark /config/docker-mods/98-themepark-"${folder##*/}"; \ diff --git a/docker/root/etc/s6-overlay/s6-rc.d/init-version-checks/up b/docker/root/etc/s6-overlay/s6-rc.d/init-version-checks/up new file mode 100644 index 00000000..ec58cf20 --- /dev/null +++ b/docker/root/etc/s6-overlay/s6-rc.d/init-version-checks/up @@ -0,0 +1 @@ +# No version checks for you! \ No newline at end of file
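Review bot: `cp -TR /defaults /config` recursively overwrites on every container start, so any operator edits to `/config/nginx/nginx.conf` or `/config/nginx/ssl.conf` in what is presumably the persistent volume are reverted at each restart; the line it replaces only refreshed `site-confs/default.conf`, which does need re-copying because of the `TP_URLBASE` sed just above it. Copying site-confs unconditionally and the two new files only when absent keeps the previous behaviour without clobbering user configuration: `cp -TR /defaults/nginx/site-confs /config/nginx/site-confs`, `[[ -f /config/nginx/nginx.conf ]] || cp /defaults/nginx/nginx.conf /config/nginx/`, `[[ -f /config/nginx/ssl.conf ]] || cp /defaults/nginx/ssl.conf /config/nginx/`. If `/config/nginx/site-confs` may not exist on first start, a `mkdir -p /config/nginx/site-confs` before these is needed, since the blanket copy created it implicitly. The second hunk of this file only rewords a log message and needs no change.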