nginx: Fix issues, consolidate naming

Naming for services has been consolidated to `nginx-proxy` and
`nginx-serve`, and issues with resolving underlying containers in the
case of restarts have been fixed by way of resolver configuration.

config/service/nginx/Containerfile

@@ -1,7 +1,8 @@
-FROM docker.io/nginx:1.19-alpine
+FROM docker.io/nginx:1.21
 
 COPY container/config /etc/nginx
+COPY container/run-nginx /run-nginx
 RUN nginx -t
 
 EXPOSE 80 443
-ENTRYPOINT ["nginx", "-g", "daemon off;"]
+ENTRYPOINT ["/run-nginx"]

config/service/nginx/container/config/conf.d/default.conf

@@ -0,0 +1,6 @@
+# Default service, when no other service host matches.
+server {
+    listen      80;
+    server_name localhost;
+    return      204;
+}

config/service/nginx/container/config/nginx.conf

@@ -257,7 +257,7 @@ http {
   # Add X-Frame-Options for HTML documents.
   # conf/security/x-frame-options.conf
   map $sent_http_content_type $x_frame_options {
-    ~*text/html DENY;
+    ~*text/html SAMEORIGIN;
   }
 
   # Add Content-Security-Policy for HTML documents.

config/service/nginx/container/run-nginx

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Set NGINX resolver from system-wide configuration.
+awk '/^nameserver/ {printf "resolver %s;\n", $2; exit}' /etc/resolv.conf > /etc/nginx/resolver.conf
+
+# Start NGINX as foreground process.
+nginx -g 'daemon off;'

config/service/nginx/service/nginx-proxy-http.conf.template

@@ -11,11 +11,14 @@ server {
     ssl_certificate     /etc/ssl/private/certificates/${SSL_CERT_NAME}.crt;
     ssl_certificate_key /etc/ssl/private/certificates/${SSL_CERT_NAME}.key;
 
+    include resolver.conf;
+    set $upstream_endpoint http://${UPSTREAM_HOST}:${UPSTREAM_PORT};
+
     location / {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_pass http://${UPSTREAM_HOST}:${UPSTREAM_PORT};
+        proxy_pass $upstream_endpoint;
     }
 }

config/service/nginx/spec.bu

@@ -6,11 +6,11 @@ storage:
       local: service/nginx/systemd/
 systemd:
   units:
-    - name: nginx-ingress.service
+    - name: nginx.service
       enabled: true
-    - name: nginx-ingress-http@.service
+    - name: nginx-proxy-http@.service
       enabled: true
-    - name: nginx-static@.service
+    - name: nginx-serve-static@.service
       enabled: true
-    - name: nginx-php@.service
+    - name: nginx-serve-php@.service
       enabled: true

config/service/nginx/systemd/nginx-ingress-http@.service

@@ -1,18 +0,0 @@
-[Unit]
-Description=Nginx HTTP/S ingress for %I
-Wants=nginx-ingress.service %i.service
-After=nginx-ingress.service %i.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=true
-Environment=SERVER_NAME=%i SSL_CERT_NAME=%i UPSTREAM_HOST=%i UPSTREAM_PORT=8080
-Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
-ExecStart=/bin/sh -c "envsubst '$SERVER_NAME $SERVER_NAME_ALT $SSL_CERT_NAME $UPSTREAM_HOST $UPSTREAM_PORT' \
-                   < ${NGINX_CONF} > /var/lib/container-service/nginx-ingress/conf.d/%i.conf"
-ExecStartPost=/bin/systemctl reload nginx-ingress
-ExecStop=/bin/rm /var/lib/container-service/nginx-ingress/conf.d/%i.conf
-ExecStopPost=/bin/systemctl reload nginx-ingress
-
-[Install]
-WantedBy=multi-user.target

config/service/nginx/systemd/nginx-ingress.service

@@ -1,20 +0,0 @@
-[Unit]
-Description=Nginx ingress controller
-Wants=container-build@nginx.service container-network@%N.service
-After=container-build@nginx.service container-network@%N.service
-
-[Service]
-Restart=always
-ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/letsencrypt/private
-ExecStartPre=/bin/install -d /var/lib/container-service/%N/conf.d
-ExecStart=/bin/podman run --replace --pull never --net %N \
-                          --publish 80:80 --publish 443:443 \
-                          --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
-                          --volume /var/lib/container-service/%N/conf.d:/etc/nginx/conf.d:z \
-                          --name %N localhost/nginx:latest
-ExecStop=/bin/podman stop --time 10 %N
-ExecStopPost=/bin/podman rm --force %N
-ExecReload=/bin/podman exec %N nginx -s reload
-
-[Install]
-WantedBy=multi-user.target

config/service/nginx/systemd/nginx-php@.service

@@ -1,28 +0,0 @@
-[Unit]
-Description=Nginx PHP web service for %I
-Wants=container-build@nginx.service container-build@%i.service container-network@nginx-ingress.service container-network@internal.service
-After=container-build@nginx.service container-build@%i.service container-network@nginx-ingress.service container-network@internal.service
-Before=nginx-ingress-http@%i.service
-
-[Service]
-Restart=always
-Environment=SERVER_NAME=%i
-Environment=SERVICE_DATA_DIRECTORY=/data
-Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
-ExecStartPre=/bin/install --owner 33 --group 33 -d /var/lib/container-service/%i
-ExecStartPre=/bin/podman pod create --replace --net internal,nginx-ingress --name %i
-ExecStartPre=/bin/podman create --replace --pull never --pod %i --env-file /etc/container-service/%i/%i.env \
-                                --volume /var/lib/container-service/%i:${SERVICE_DATA_DIRECTORY}:z,shared \
-                                --name %i-php localhost/%i:latest
-ExecStartPre=/bin/podman create --replace --pull never --pod %i \
-                                --volumes-from=%i-php:z,ro \
-                                --name %i-nginx localhost/nginx:latest
-ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
-ExecStartPre=/bin/sh -c "podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d && rm -f /tmp/%i.conf"
-ExecStart=/bin/sh -c 'podman pod start %i && podman start --attach %i-php'
-ExecStop=/bin/podman pod stop --time 10 %i
-ExecStopPost=/bin/podman pod rm --force %i
-
-[Install]
-Alias=%i.service
-WantedBy=multi-user.target

config/service/nginx/systemd/nginx-proxy-http@.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=NGINX HTTP/S proxy for %I
+Wants=nginx.service %i.service
+After=nginx.service %i.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+Environment=SERVER_NAME=%i SSL_CERT_NAME=%i UPSTREAM_HOST=%i UPSTREAM_PORT=8080
+Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
+ExecStart=/bin/sh -c "envsubst '$SERVER_NAME $SERVER_NAME_ALT $SSL_CERT_NAME $UPSTREAM_HOST $UPSTREAM_PORT' \
+                     < ${NGINX_CONF} > /tmp/%i.conf"
+ExecStartPost=/bin/sh -c 'podman cp /tmp/%i.conf nginx:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
+ExecStartPost=/bin/podman exec nginx nginx -s reload
+ExecStop=/bin/podman exec nginx rm --force /etc/nginx/conf.d/%i.conf
+ExecStopPost=/bin/podman exec nginx nginx -s reload
+
+[Install]
+WantedBy=multi-user.target

config/service/nginx/systemd/nginx-serve-php@.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=NGINX PHP web service for %I
+Wants=container-build@%i.service nginx.service nginx-proxy-http@%i.service
+After=container-build@%i.service nginx.service
+Before=nginx-proxy-http@%i.service
+
+[Service]
+Restart=always
+Environment=SERVER_NAME=%i SERVICE_DATA_DIRECTORY=/data
+Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
+ExecStartPre=/bin/podman pod create --replace --name %i --net internal
+ExecStartPre=/bin/podman create --replace --pull never --name %i-php --pod %i \
+                                --env-file /etc/container-service/%i/%i.env \
+                                --volume %i:${SERVICE_DATA_DIRECTORY}:z,rshared \
+                                localhost/%i:latest
+ExecStartPre=/bin/podman init %i-php
+ExecStartPre=/bin/podman create --replace --pull never --name %i-nginx --pod %i \
+                                --volumes-from=%i-php:z,ro \
+                                localhost/nginx:latest
+ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
+ExecStartPre=/bin/sh -c 'podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
+ExecStart=/bin/sh -c 'podman pod start %i && podman start --attach %i-php'
+ExecStop=/bin/podman pod stop --time 10 %i
+ExecStopPost=/bin/podman pod rm --force %i
+
+[Install]
+Alias=%i.service
+WantedBy=multi-user.target

config/service/nginx/systemd/nginx-serve-static@.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=NGINX static web service for %I
+Wants=container-build@%i.service nginx.service nginx-proxy-http@%i.service
+After=container-build@%i.service nginx.service
+Before=nginx-proxy-http@%i.service
+
+[Service]
+Restart=always
+Environment=SERVER_NAME=%i SERVICE_DATA_DIRECTORY=/data
+Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
+ExecStartPre=/bin/podman create --replace --pull never --name %i --net internal \
+                                --volume %i:${SERVICE_DATA_DIRECTORY}:z,ro \
+                                localhost/%i:latest
+ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
+ExecStartPre=/bin/sh -c 'podman cp /tmp/%i.conf %i:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
+ExecStart=/bin/podman start --attach %i
+ExecStop=/bin/podman stop --time 10 %i
+ExecStopPost=/bin/podman rm --force %i
+
+[Install]
+Alias=%i.service
+WantedBy=multi-user.target

config/service/nginx/systemd/nginx-static@.service

@@ -1,24 +0,0 @@
-[Unit]
-Description=Nginx static web service for %I
-Wants=container-build@%i.service container-network@nginx-ingress.service
-After=container-build@%i.service container-network@nginx-ingress.service
-Before=nginx-ingress-http@%i.service
-
-[Service]
-Restart=always
-Environment=SERVER_NAME=%i
-Environment=SERVICE_DATA_DIRECTORY=/data
-Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
-ExecStartPre=/bin/install -d /var/lib/container-service/%i
-ExecStartPre=/bin/podman create --replace --pull never --net nginx-ingress \
-                                --volume /var/lib/container-service/%i:${SERVICE_DATA_DIRECTORY}:z,shared \
-                                --name %i localhost/%i:latest
-ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
-ExecStartPre=/bin/sh -c "podman cp /tmp/%i.conf %i:/etc/nginx/conf.d && rm -f /tmp/%i.conf"
-ExecStart=/bin/podman start --attach %i
-ExecStop=/bin/podman stop --time 10 %i
-ExecStopPost=/bin/podman rm --force %i
-
-[Install]
-Alias=%i.service
-WantedBy=multi-user.target

config/service/nginx/systemd/nginx.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=NGINX web server
+Wants=container-build@%N.service
+After=container-build@%N.service
+
+[Service]
+Restart=always
+ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
+                          --publish 80:80 --publish 443:443 \
+                          --volume nginx-conf:/etc/nginx/conf.d:z \
+                          --volume letsencrypt:/etc/ssl/private:z,rshared,ro \
+                          localhost/%N:latest
+ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
+ExecReload=/bin/podman exec %N %N -s reload
+
+[Install]
+WantedBy=multi-user.target

host/virtual/spec.bu

@@ -44,29 +44,22 @@ systemd:
           contents: |
             [Unit]
             After=container-build@nginx.service
-    - name: nginx-static@static.localhost.service
+
+    - name: nginx-serve-static@static.localhost.service
       enabled: true
-    - name: nginx-ingress-http@static.localhost.service
+    - name: nginx-proxy-http@static.localhost.service
       enabled: true
       dropins:
-        - name: wait-for-service.conf
-          contents: |
-            [Unit]
-            After=nginx-static@static.localhost.service
         - name: use-localhost-cert.conf
           contents: |
             [Service]
             Environment=SSL_CERT_NAME=localhost
 
-    - name: nginx-php@php.localhost.service
+    - name: nginx-serve-php@php.localhost.service
       enabled: true
-    - name: nginx-ingress-http@php.localhost.service
+    - name: nginx-proxy-http@php.localhost.service
       enabled: true
       dropins:
-        - name: wait-for-service.conf
-          contents: |
-            [Service]
-            After=nginx-php@php.localhost.service
         - name: use-localhost-cert.conf
           contents: |
             [Service]
@@ -79,7 +72,7 @@ systemd:
           contents: |
             [Service]
             ExecStart=
-            ExecStart=/bin/podman create --replace --name letsencrypt-register-%i \
+            ExecStart=/bin/podman create --replace --pull never --name letsencrypt-register-%i \
                                          --volume letsencrypt:/var/lib/letsencrypt:z \
                                          --entrypoint true localhost/letsencrypt:latest
             ExecStartPost=/bin/podman init letsencrypt-register-%i