QF-3892 Create custom nginx docker image for QFC

.github/workflows/build_and_push.yml

@@ -98,3 +98,16 @@ jobs:
           tags: |
             opengisch/qfieldcloud-qgis:${{ steps.prepare.outputs.docker_tag }}
             opengisch/qfieldcloud-qgis:${{ steps.prepare.outputs.docker_commit }}
+
+      # Nginx
+      - name: Docker Build and Push nginx
+        id: docker_build_and_push_nginx
+        uses: docker/build-push-action@v2
+        with:
+          builder: ${{ steps.buildx.outputs.name }}
+          context: ./docker-nginx
+          file: ./docker-nginx/Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: |
+            opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_tag }}
+            opengisch/qfieldcloud-nginx:${{ steps.prepare.outputs.docker_commit }}

.gitignore

@@ -8,7 +8,7 @@ __pycache__/
 .env
 docker-compose.override.yml
 client/projects
-conf/nginx/certs/*
+docker-nginx/certs/*
 conf/certbot/*
 Pipfile*
 **/site-packages

README.md

@@ -207,11 +207,11 @@ Note if you run tests using the `docker-compose.test.yml` configuration, the `ap
 
 ## Add root certificate
 
-QFieldCloud will automatically generate a certificate and it's root certificate in `./config/nginx/certs`. However, you need to trust the root certificate first, so other programs (e.g. curl) can create secure connection to the local QFieldCloud instance.
+QFieldCloud will automatically generate a certificate and it's root certificate in `./docker-nginx/certs`. However, you need to trust the root certificate first, so other programs (e.g. curl) can create secure connection to the local QFieldCloud instance.
 
 On Debian/Ubuntu, copy the root certificate to the directory with trusted certificates. Note the extension has been changed to `.crt`:
 
-    sudo cp ./conf/nginx/certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
+    sudo cp ./docker-nginx/certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
 
 Trust the newly added certificate:
 

docker-compose.yml

@@ -88,14 +88,11 @@ services:
       ofelia.job-exec.runcrons.command: python manage.py runcrons
 
   nginx:
-    image: nginx:stable
+    build:
+      context: ./docker-nginx
     restart: unless-stopped
     volumes:
-      - ./conf/nginx/pages/:/var/www/html/pages/
-      - ./conf/nginx/templates/:/etc/nginx/templates/
-      - ./conf/nginx/certs/:/etc/nginx/certs/:ro
-      - ./conf/nginx/options-ssl-nginx.conf:/etc/nginx/options-ssl-nginx.conf
-      - ./conf/nginx/ssl-dhparams.pem:/etc/nginx/ssl-dhparams.pem
+      - ./docker-nginx/certs/:/etc/nginx/certs/:ro
       - certbot_www:/var/www/certbot
     ports:
       - ${WEB_HTTP_PORT}:80
@@ -119,7 +116,7 @@ services:
     environment:
       domain: ${QFIELDCLOUD_HOST}
     volumes:
-      - ./conf/nginx/certs/:/root/.local/share/mkcert/
+      - ./docker-nginx/certs/:/root/.local/share/mkcert/
     command: /bin/sh -c 'mkcert -install && for i in $$(echo $$domain | sed "s/,/ /g"); do [ ! -f /root/.local/share/mkcert/$$i.pem ] && mkcert $$i; done && tail -f -n0 /etc/hosts'
 
   certbot:

docker-nginx/Dockerfile

@@ -0,0 +1,6 @@
+FROM nginx:stable
+
+COPY pages /var/www/html/pages/
+COPY templates/ /etc/nginx/templates/
+COPY options-ssl-nginx.conf /etc/nginx/options-ssl-nginx.conf
+COPY ssl-dhparams.pem /etc/nginx/ssl-dhparams.pem

scripts/init_letsencrypt.sh

@@ -9,10 +9,10 @@ set +o allexport
 
 CONFIG_PATH="${CONFIG_PATH:-'./conf'}"
 
-if [ ! -e "$CONFIG_PATH/nginx/options-ssl-nginx.conf" ] || [ ! -e "$CONFIG_PATH/nginx/ssl-dhparams.pem" ]; then
+if [ ! -e "docker-nginx/options-ssl-nginx.conf" ] || [ ! -e "docker-nginx/ssl-dhparams.pem" ]; then
   echo "### Downloading recommended TLS parameters ..."
-  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$CONFIG_PATH/nginx/options-ssl-nginx.conf"
-  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$CONFIG_PATH/nginx/ssl-dhparams.pem"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "docker-nginx/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "docker-nginx/ssl-dhparams.pem"
   echo
 fi
 
@@ -34,8 +34,8 @@ docker compose run --rm --entrypoint "\
 echo
 
 echo "### Copy the certificate and key to their final destination ..."
-cp ${CONFIG_PATH}/certbot/conf/live/${QFIELDCLOUD_HOST}/fullchain.pem ${CONFIG_PATH}/nginx/certs/${QFIELDCLOUD_HOST}.pem
-cp ${CONFIG_PATH}/certbot/conf/live/${QFIELDCLOUD_HOST}/privkey.pem ${CONFIG_PATH}/nginx/certs/${QFIELDCLOUD_HOST}-key.pem
+cp ${CONFIG_PATH}/certbot/conf/live/${QFIELDCLOUD_HOST}/fullchain.pem docker-nginx/certs/${QFIELDCLOUD_HOST}.pem
+cp ${CONFIG_PATH}/certbot/conf/live/${QFIELDCLOUD_HOST}/privkey.pem docker-nginx/certs/${QFIELDCLOUD_HOST}-key.pem
 echo
 
 echo "### Reloading nginx ..."