nginx: Update to version 1.25, move to Quadlet

2023-08-12 16:31:31 +01:00 · 2023-08-12 16:31:31 +01:00 · 15b41eee1a
parent 3943c51181
commit 15b41eee1a
9 changed files with 47 additions and 36 deletions
--- a/host/virtual/spec.bu
+++ b/host/virtual/spec.bu
@ -74,11 +74,16 @@ systemd:
        - name: populate-volume.conf
          contents: |
            [Service]
-            ExecStartPre=/bin/podman volume create static.localhost
+            ExecStartPre=/bin/podman volume create --ignore static.localhost
            ExecStartPre=/bin/sh -c "V=$(podman volume mount static.localhost) && echo 'Hello World!' > $V/index.html"
            ExecStartPost=/bin/podman volume unmount static.localhost
    - name: nginx-proxy-http@static.localhost.service
      enabled: true
+      dropins:
+        - name: volume-upstream.conf
+          contents: |
+            [Service]
+            Environment=UPSTREAM_HOST=nginx-serve-volume-static.localhost UPSTREAM_PORT=8080

    - name: nginx-serve-php@php.localhost.service
      enabled: true
--- a/service/nginx/Containerfile
+++ b/service/nginx/Containerfile
@ -1,4 +1,12 @@
-FROM docker.io/nginx:1.23
+FROM docker.io/debian:bookworm-slim
+ARG VERSION=1.25
+
+RUN apt-get update -y && apt-get install -y --no-install-recommends ca-certificates
+ADD --chown=_apt https://nginx.org/keys/nginx_signing.key /etc/apt/trusted.gpg.d/nginx.asc
+
+RUN echo "deb https://nginx.org/packages/mainline/debian bookworm nginx" > /etc/apt/sources.list.d/nginx.list && \
+    apt-get update && apt-get install -y --no-install-recommends nginx="${VERSION}*" && \
+    rm -Rf /etc/nginx

 RUN addgroup --system --gid 10000 nginx-shared
 RUN gpasswd --add nginx nginx-shared
@ -9,4 +17,6 @@ COPY container/run-nginx /run-nginx
 RUN nginx -t

 EXPOSE 80 443
+STOPSIGNAL SIGQUIT
+
 ENTRYPOINT ["/run-nginx"]
--- a/service/nginx/container/config/nginx.conf
+++ b/service/nginx/container/config/nginx.conf
@ -37,7 +37,7 @@ events {
 # This is only used when you don't override it on a `server` level
 # Default: logs/error.log error
 # https://nginx.org/en/docs/ngx_core_module.html#error_log
-error_log /var/log/nginx/error.log warn;
+error_log /dev/stderr warn;

 # The file storing the process ID of the main process
 # Default: logs/nginx.pid
@ -89,7 +89,7 @@ http {
  # This is only used when you don't override it on a `server` level
  # Default: logs/access.log combined
  # https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
-  access_log /var/log/nginx/access.log main;
+  access_log /dev/stdout main;

  # How long to allow each connection to stay idle.
  # Longer values are better for each individual client, particularly for SSL,
--- a/service/nginx/quadlet/nginx.container
+++ b/service/nginx/quadlet/nginx.container
@ -0,0 +1,20 @@
+[Unit]
+Description=NGINX Web Server
+Wants=container-build@%N.service
+After=container-build@%N.service
+
+[Container]
+ContainerName=%N
+Image=localhost/%N:latest
+Network=internal
+PublishPort=80:80
+PublishPort=443:443
+Volume=nginx-conf:/etc/nginx/conf.d:z
+Volume=letsencrypt:/etc/ssl/private:z,rshared,ro
+
+[Service]
+Restart=on-failure
+ExecReload=/bin/podman exec %N nginx -s reload
+
+[Install]
+WantedBy=multi-user.target
--- a/service/nginx/spec.bu
+++ b/service/nginx/spec.bu
@ -6,7 +6,5 @@ storage:
      local: service/nginx/
    - path: /etc/systemd/system
      local: service/nginx/systemd/
-systemd:
-  units:
-    - name: nginx.service
-      enabled: true
+    - path: /etc/containers/systemd
+      local: service/nginx/quadlet/
--- a/service/nginx/systemd/nginx-proxy-http@.service
+++ b/service/nginx/systemd/nginx-proxy-http@.service
@ -9,8 +9,8 @@ RemainAfterExit=true
 SyslogIdentifier=%N
 Environment=SERVER_NAME=%i SSL_CERT_NAME=%i UPSTREAM_HOST=%i UPSTREAM_PORT=8080 UPSTREAM_PATH=
 Environment=NGINX_CONF=%E/coreos-home-server/nginx/service/%p.conf.template
-ExecStart=/bin/sh -c "envsubst '$SERVER_NAME $SERVER_NAME_ALT $SSL_CERT_NAME $UPSTREAM_HOST $UPSTREAM_PORT $UPSTREAM_PATH' < ${NGINX_CONF} > /tmp/%i.conf"
-ExecStartPost=/bin/sh -c 'podman cp /tmp/%i.conf nginx:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
+ExecStart=/bin/sh -c "envsubst '$SERVER_NAME $SERVER_NAME_ALT $SSL_CERT_NAME $UPSTREAM_HOST $UPSTREAM_PORT $UPSTREAM_PATH' < ${NGINX_CONF} > /tmp/%N.conf"
+ExecStartPost=/bin/sh -c 'podman cp /tmp/%N.conf nginx:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%N.conf'
 ExecStartPost=/bin/podman exec nginx nginx -s reload
 ExecStop=/bin/podman exec nginx rm --force /etc/nginx/conf.d/%i.conf
 ExecStopPost=/bin/podman exec nginx nginx -s reload
--- a/service/nginx/systemd/nginx-serve-php@.service
+++ b/service/nginx/systemd/nginx-serve-php@.service
@ -21,8 +21,8 @@ ExecStartPre=/bin/podman init %i-php
 ExecStartPre=/bin/podman create --replace --name %i-nginx --pod %i --sdnotify=conmon \
                                --volumes-from=%i-php:z,ro \
                                localhost/nginx:latest
-ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
-ExecStartPre=/bin/sh -c 'podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
+ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%N.conf"
+ExecStartPre=/bin/sh -c 'podman cp /tmp/%N.conf %i-nginx:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%N.conf'
 ExecStart=/bin/sh -c 'podman pod start %i && podman start --attach %i-php'
 ExecStop=/bin/podman pod stop --ignore --time 10 %i
 ExecStopPost=/bin/podman pod rm --ignore --force %i
--- a/service/nginx/systemd/nginx-serve-volume@.service
+++ b/service/nginx/systemd/nginx-serve-volume@.service
@ -14,8 +14,8 @@ Environment=NGINX_CONF=%E/coreos-home-server/nginx/service/%p.conf.template
 ExecStartPre=/bin/podman create --replace --name $SERVER_NAME --net internal --sdnotify=conmon \
                                --volume %i:/srv:z,ro \
                                localhost/nginx:latest
-ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME $SERVER_ROOT' < ${NGINX_CONF} > /tmp/%i.conf"
-ExecStartPre=/bin/sh -c 'podman cp /tmp/%i.conf ${SERVER_NAME}:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
+ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME $SERVER_ROOT' < ${NGINX_CONF} > /tmp/%N.conf"
+ExecStartPre=/bin/sh -c 'podman cp /tmp/%N.conf ${SERVER_NAME}:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%N.conf'
 ExecStart=/bin/podman start --attach $SERVER_NAME
 ExecStop=/bin/podman stop --ignore --time 10 $SERVER_NAME
 ExecStopPost=/bin/podman rm --ignore --force $SERVER_NAME
--- a/service/nginx/systemd/nginx.service
+++ b/service/nginx/systemd/nginx.service
@ -1,22 +0,0 @@
-[Unit]
-Description=NGINX Web Server
-Wants=container-build@%N.service
-After=container-build@%N.service
-
-[Service]
-Type=notify
-NotifyAccess=all
-SyslogIdentifier=%N
-Restart=on-failure
-Environment=PODMAN_SYSTEMD_UNIT=%n
-ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
-                          --publish 80:80 --publish 443:443 \
-                          --volume nginx-conf:/etc/nginx/conf.d:z \
-                          --volume letsencrypt:/etc/ssl/private:z,rshared,ro \
-                          localhost/%N:latest
-ExecStop=/bin/podman stop --ignore --time 10 %N
-ExecStopPost=/bin/podman rm --ignore --force %N
-ExecReload=/bin/podman exec %N %N -s reload
-
-[Install]
-WantedBy=multi-user.target