From 2a25edcc423f78cb0a4c76d9749211dd755412eb Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Thu, 17 Oct 2019 16:30:35 -0600
Subject: [PATCH] isolate SSL config from user configs

---
 build/config/config/note | 2 ++
 build/config/nginx.conf | 1 +
 .../mozIntermediate_ssl.conf.disabled | 0
 .../mozModern_ssl.conf.disabled | 0
 build/entrypoint.sh | 12 ++++++------
 5 files changed, 9 insertions(+), 6 deletions(-)
 create mode 100644 build/config/config/note
 rename build/config/{config => ssl-config}/mozIntermediate_ssl.conf.disabled (100%)
 rename build/config/{config => ssl-config}/mozModern_ssl.conf.disabled (100%)

diff --git a/build/config/config/note b/build/config/config/note
new file mode 100644
index 0000000..bb0271a
--- /dev/null
+++ b/build/config/config/note
@@ -0,0 +1,2 @@
+This entire directory should be overwritten via bind-mount in a production
+environment
\ No newline at end of file
diff --git a/build/config/nginx.conf b/build/config/nginx.conf
index ea47819..90140fc 100644
--- a/build/config/nginx.conf
+++ b/build/config/nginx.conf
@@ -42,6 +42,7 @@ http {
 server_tokens off;
 real_ip_recursive on;
 resolver 1.1.1.1;
+ include /etc/nginx/ssl-config/*.conf;
 include /etc/nginx/config/*.conf;
 
 # include enabled server blocks from sites/*.conf
diff --git a/build/config/config/mozIntermediate_ssl.conf.disabled b/build/config/ssl-config/mozIntermediate_ssl.conf.disabled
similarity index 100%
rename from build/config/config/mozIntermediate_ssl.conf.disabled
rename to build/config/ssl-config/mozIntermediate_ssl.conf.disabled
diff --git a/build/config/config/mozModern_ssl.conf.disabled b/build/config/ssl-config/mozModern_ssl.conf.disabled
similarity index 100%
rename from build/config/config/mozModern_ssl.conf.disabled
rename to build/config/ssl-config/mozModern_ssl.conf.disabled
diff --git a/build/entrypoint.sh b/build/entrypoint.sh
index 85bbe92..cc3ab26 100755
--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
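Review bot: The new `include /etc/nginx/ssl-config/*.conf;` line carries no comment saying why the TLS settings now live apart from `/etc/nginx/config`, which the new `config/note` in this same patch documents as being overwritten by a bind-mount in production. Without that comment, a later maintainer who mounts `ssl-config` as well, or moves the files back, would silently lose the hardened TLS settings: an `include` glob that matches nothing is not an error, so nginx would start and serve with its defaults. Suggest annotating the include with `# hardened TLS settings, activated by entrypoint.sh; must stay outside any bind-mounted path` so the separation is deliberate rather than incidental. It is also worth a word that the `*.conf` glob is what keeps the `.disabled` variants inert, since both the Intermediate and Modern files sit in the same directory and only the renamed one may load.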
@@ -14,9 +14,9 @@ printf "done\n"
 if [ "$HSTS" = TRUE ]; then
 printf "Activating HSTS configuration... "
 sed -i -e "s/^#add_header/add_header/" \
- /etc/nginx/config/mozIntermediate_ssl.conf.disabled
+ /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled
 sed -i -e "s/^#add_header/add_header/" \
- /etc/nginx/config/mozModern_ssl.conf.disabled
+ /etc/nginx/ssl-config/mozModern_ssl.conf.disabled
 printf "done\n"
 fi
 
@@ -29,8 +29,8 @@ if [ "$TLS13_ONLY" = FALSE ]; then
 printf "Certificates found. Securing deployment using TLS 1.2\n"
 # activate shared SSL configuration file
- mv /etc/nginx/config/mozIntermediate_ssl.conf.disabled \
- /etc/nginx/config/mozIntermediate_ssl.conf
+ mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \
+ /etc/nginx/ssl-config/mozIntermediate_ssl.conf
 if [ -f "/etc/nginx/sites/note" ]; then
 # activate SSL test server block & deactivate normal one
@@ -47,8 +47,8 @@ elif [ "$TLS13_ONLY" = TRUE ]; then
 printf "Certificates found. Securing deployment using TLS 1.3\n"
 # activate shared SSL configuration file
- mv /etc/nginx/config/mozModern_ssl.conf.disabled \
- /etc/nginx/config/mozModern_ssl.conf
+ mv /etc/nginx/ssl-config/mozModern_ssl.conf.disabled \
+ /etc/nginx/ssl-config/mozModern_ssl.conf
 if [ -f "/etc/nginx/sites/note" ]; then
 # activate SSL test server block & deactivate normal one
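Review bot: The relocated `mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled ...` in the TLS 1.2 branch still has no failure handling, so if the `.disabled` file is absent the script goes on to print "Certificates found. Securing deployment using TLS 1.2" while no shared TLS configuration was actually activated. The opposite case matters too: an entrypoint is presumably re-run on every start of the same container, and then the file has already been renamed, so `mv` fails on a deployment that is in fact fine, and the `sed -i` in the HSTS hunk above fails the same way on the now-missing `.disabled` path. An idempotent guard handles both without breaking restarts: `[ -f /etc/nginx/ssl-config/mozIntermediate_ssl.conf ] || mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled /etc/nginx/ssl-config/mozIntermediate_ssl.conf || exit 1`, with the same shape applied to the TLS 1.3 branch in the following hunk. Whether the script runs under `set -e` is not visible here, and the enclosing if/elif chain begins and ends outside this hunk.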