yellow: Install/configure nginx

We're going to use *nginx* as the reverse proxy in front of Home Assistant, as well as the web consoles for Zigbee2MQTT and ZWaveJS2MQTT. It will provide TLS termination for all of these applications. Since *nginx* will not start without a certificate and private key file for HTTPS, the *gen-nginx-cert.service* systemd unit generates a self-signed certificate if one does not already exist. This ensures that *nginx* can start by default, but still allows the administrator to replace the certificate with a trusted one later. The *nginx* container image has symlinks at `/var/log/nginx/error.log` and `/var/log/nginx/access.log`, pointing to `/dev/stderr` and `/dev/stdout`, respectively. The intent here is to send all log messages to the container runtime. Unfortunately, when the the container is managed by Podman from a systemd unit, the standard output and standard error streams are connected to the systemd journal via a UNIX socket. As a result, the `/dev/stdout` and `/dev/stderr` pseudo-files cannot be "opened" like normal files or pipes. Thus, to forward nginx's logs to the systemd journal correctly, we have to do a bit of trickery. For the error log at least, setting `error_log stderr` works well; nginx simply writes messages to the existing file descriptor. Unfortunately, the access log has no such mechanism. For that, we use nginx's syslog capabilities. The `/dev/log` socket is bind-mounted into the container, and nginx is configured to connect to it.
2023-03-29 11:20:45 -05:00
parent 02c3a12c08
commit 670c1f7561
8 changed files with 214 additions and 0 deletions
--- a/yellow/overlay/usr/libexec/gen-nginx-cert
+++ b/yellow/overlay/usr/libexec/gen-nginx-cert
@@ -0,0 +1,38 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+DAYS=90
+SUBJ=/CN=localhost
+ALG=EC
+CURVE=secp384r1
+
+if [ -f /etc/default/gen-nginx-cert ]; then
+    . /etc/default/gen-nginx-cert
+fi
+
+set -- \
+    -out /etc/nginx/ssl/server.key \
+    -algorithm "${ALG}"
+
+case "${ALG}" in
+EC)
+    set -- "$@" \
+        -pkeyopt ec_paramgen_curve:${CURVE} \
+        -pkeyopt ec_param_enc:named_curve
+    ;;
+RSA)
+    set -- "$@" \
+        -pkeyopt rsa_keygen_bits:${BITS:+4096}
+    ;;
+esac
+
+rm -f /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.key
+: > /etc/nginx/ssl/server.key
+openssl genpkey "$@"
+openssl \
+	req -x509 \
+	-subj "${SUBJ}" \
+	-key /etc/nginx/ssl/server.key \
+	-out /etc/nginx/ssl/server.crt \
+	-sha256 \
+	-days "${DAYS}"