From 0475c7aec6760d6c3e142dba3d1e7dff9b7f0af1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arne=20J=C3=B8rgensen?= Date: Wed, 26 Jun 2024 23:41:13 +0200 Subject: [PATCH 1/2] Base nextjs on proxy --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 59b5070..a5188af 100644 --- a/Dockerfile +++ b/Dockerfile @@ -39,6 +39,6 @@ COPY /proxy / ## # NextJS ## -FROM base AS nextjs +FROM proxy AS nextjs COPY /nextjs / From cb1bf64e3da215582a7f71b81472230f50a0b1b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arne=20J=C3=B8rgensen?= Date: Wed, 26 Jun 2024 23:41:29 +0200 Subject: [PATCH 2/2] Support self-signed certificates (if no rootCA is provided) --- context/base/etc/entrypoint.d/10-certs.sh | 33 ++++++++++++++--------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/context/base/etc/entrypoint.d/10-certs.sh b/context/base/etc/entrypoint.d/10-certs.sh index cfd9136..13f2801 100755 --- a/context/base/etc/entrypoint.d/10-certs.sh +++ b/context/base/etc/entrypoint.d/10-certs.sh 
@@ -2,37 +2,46 @@ set -euo pipefail -FIRST_VIRTUAL_HOST=$(awk '{print $1;}' <<<"${VIRTUAL_HOST:-default}") +FIRST_VIRTUAL_HOST=$(awk '{print $1;}' <<<"${VIRTUAL_HOST:-localhost}") export FIRST_VIRTUAL_HOST echo "export FIRST_VIRTUAL_HOST=${FIRST_VIRTUAL_HOST}" >>/docker-entrypoint.d/10-first_virtual_host.envsh chmod +x /docker-entrypoint.d/10-first_virtual_host.envsh -CERT="/cert/${FIRST_VIRTUAL_HOST:-default}.crt" -CERT_KEY="/cert/${FIRST_VIRTUAL_HOST:-default}.key" +mkdir -p /cert + +CERT="/cert/${FIRST_VIRTUAL_HOST:-localhost}.crt" +CERT_KEY="/cert/${FIRST_VIRTUAL_HOST:-localhost}.key" CA_CERT="/rootCA/rootCA.pem" CA_KEY="/rootCA/rootCA-key.pem" -if [ ! -r "${CA_CERT}" ] || [ ! -r "${CA_KEY}" ]; then - echo "No root certificate, skipping certificate generation" - exit 0 -fi +# if [ ! -r "${CA_CERT}" ] || [ ! -r "${CA_KEY}" ]; then +# echo "No root certificate, skipping certificate generation" +# exit 0 +# fi IP_ADDRESS=$(hostname -i) export IP_ADDRESS envsubst /tmp/cert.cfg -for host in $VIRTUAL_HOST; do +for host in ${VIRTUAL_HOST:-localhost}; do echo "dns_name = $host" >>/tmp/cert.cfg done certtool --generate-privkey --outfile "${CERT_KEY}" -certtool --generate-request --load-privkey "${CERT_KEY}" --template /tmp/cert.cfg --outfile /tmp/request.pem -certtool --generate-certificate --load-request /tmp/request.pem --load-ca-certificate "${CA_CERT}" --load-ca-privkey "${CA_KEY}" --template /tmp/cert.cfg --outfile "${CERT}" -cp "${CA_CERT}" /usr/local/share/ca-certificates/ -/usr/sbin/update-ca-certificates +if [ ! -r "${CA_CERT}" ] || [ ! 
-r "${CA_KEY}" ]; then + certtool --generate-certificate --generate-self-signed --load-privkey "${CERT_KEY}" --template /tmp/cert.cfg --outfile "${CERT}" +else + certtool --generate-request --load-privkey "${CERT_KEY}" --template /tmp/cert.cfg --outfile /tmp/request.pem + certtool --generate-certificate --load-request /tmp/request.pem --load-ca-certificate "${CA_CERT}" --load-ca-privkey "${CA_KEY}" --template /tmp/cert.cfg --outfile "${CERT}" +fi + +if [ -r "${CA_CERT}" ]; then + cp "${CA_CERT}" /usr/local/share/ca-certificates/ + /usr/sbin/update-ca-certificates +fi mkdir -p /etc/nginx/include.d envsubst /etc/nginx/include.d/ssl.conf
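Review bot: The new `if [ ! -r "${CA_CERT}" ] || [ ! -r "${CA_KEY}" ]` branch switches to `--generate-self-signed` without printing anything, so a mistyped or partially mounted /rootCA (only one of the two files readable) produces a certificate that clients cannot chain to the expected CA, with no trace in the container log. Add a warning as the first line of that branch, for example `echo "rootCA not readable, generating self-signed certificate for ${FIRST_VIRTUAL_HOST}" >&2`, so operators can tell the two modes apart. The commented-out `# if … # fi` block above `IP_ADDRESS=` is now dead code and is better deleted than kept. Separately, `for host in ${VIRTUAL_HOST:-localhost}` is unquoted for word splitting but therefore also undergoes glob expansion, so a wildcard entry such as `*.example.test` (constructed example) could be expanded against the working directory before it is written to /tmp/cert.cfg; wrapping the loop in `set -f` / `set +f` avoids that.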