Services will now have an additional set of security-oriented response
headers attached, and cache times re-jigged.
In addition, the `nginx-serve-static@` service has been removed in
favour of `nginx-serve-volume@`, which is simpler to set up and use.
This commit moves the `nginx-proxy-http` service back to separate
`UPSTREAM_HOST`, `UPSTREAM_PORT`, and `UPSTREAM_PATH` variables, which
allows for more granular configuration, e.g. `proxy_redirect` patterns.
This commit unifies the `UPSTREAM_HOST` and `UPSTREAM_PORT` environment
variables to a new `UPSTREAM_ENDPOINT` variable, making additional
customizations (such as a `proxy_pass` to a sub-path) possible.
Users and groups used within Podman containers are usually assigned UID
and GID 10000. Files for these containers are sometimes served by Nginx,
and may be given permissions that restrict access to those outside the
group, but which are intended to be served nonetheless.
This commit adds the pre-defined `nginx` user to a `nginx-shared` group
with GID 10000, which will then allow access to these files as needed.
We no longer copy service directories into `/etc/coreos-home-server` if
these have not had their respective `spec.bu` files included; these
directories are not needed in these cases, and would be erroneously
considered as eligible in subsequent `coreos-home-server-update`
invocations.
This commit contains a fairly large diff for a fairly small change:
moving the `config/common` directory to `host/base` to better reflect
its intended use, and promoting `config/service` to the root directory.
These changes unlock some improvements in `coreos-home-server-update`
processes, which will (assuming `/etc/coreos-home-server/base` exists)
keep host-wide systemd services in sync in addition to service-specific
ones.
Changes have been make to the `Makefile` and a few other places where
`config/common` was referenced, but most of this work is renames that
are not intended to break compatibility with new or running servers.
