From ed647f9e16baea9ed7fc66b6ba14b987a6d7375a Mon Sep 17 00:00:00 2001
From: Robin Tissot <tissotrobin@gmail.com>
Date: Mon, 3 Aug 2020 14:41:07 +0200
Subject: [PATCH] More ssl conf attempt.

---
 nginx/Dockerfile                    | 7 +------
 nginx/ssl.conf                      | 4 +---
 nginx/ssl_certificates.conf_example | 3 +++
 production.yml_example              | 9 +++++----
 4 files changed, 10 insertions(+), 13 deletions(-)
 create mode 100644 nginx/ssl_certificates.conf_example

diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index f0d810e1..8e1065fb 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -3,11 +3,6 @@ FROM nginx:1.15.0-alpine
 RUN rm /etc/nginx/conf.d/default.conf
 
 ARG NGINX_CONF=nginx.conf
-ARG ACME_FILE
-ARG SSL_CERT
-ARG SSL_KEY
 
 COPY ${NGINX_CONF} /etc/nginx/conf.d/nginx.conf
-COPY ${SSL_CERT} /etc/certs/cert.pem
-COPY ${SSL_KEY} /etc/certs/key.pem
-COPY ${ACME_FILE} /usr/share/nginx/html/
+COPY ssl_certificates.conf* /etc/nginx/conf.d/
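Review bot: The glob on the new COPY line also matches ssl_certificates.conf_example, so the image builds even when the operator has not created a real ssl_certificates.conf, and the missing-file error only surfaces when nginx starts with NGINX_CONF=ssl.conf and cannot resolve the include. If the glob was chosen on purpose because COPY fails when a pattern matches nothing and non-SSL builds have no such file, that intent deserves a comment, e.g. `# glob so non-SSL builds do not fail on a missing ssl_certificates.conf; the _example is copied too`. It is also worth confirming whether the base image's nginx.conf includes conf.d/*.conf, since a real ssl_certificates.conf dropped into that directory would then be loaded in the http block as well, independently of the include in ssl.conf.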
diff --git a/nginx/ssl.conf b/nginx/ssl.conf
index 345d3d6d..911efb76 100644
--- a/nginx/ssl.conf
+++ b/nginx/ssl.conf
@@ -15,13 +15,11 @@ server {
     charset     utf-8;
     client_max_body_size 150M;
 
-    ssl_certificate /etc/certs/cert.pem;
-    ssl_certificate_key /etc/certs/key.pem;
+    include conf.d/ssl_certificates.conf;
 
     # Performance + Privacy improvements
     ssl_stapling on;
     ssl_stapling_verify on;
-    ssl_trusted_certificate /etc/certs/cert.pem;
     resolver 8.8.8.8 208.67.222.222 valid=300s;
     resolver_timeout 5s;
 
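Review bot: With ssl_trusted_certificate moved out of this file into the included ssl_certificates.conf, the `ssl_stapling_verify on` a few lines below now depends on a directive the operator edits by hand; if they drop it from their copy, nginx (as far as I recall) does not fail startup but logs a warning and stapling is quietly disabled. A short comment next to the include would make the dependency visible, e.g. `# ssl_certificates.conf must also set ssl_trusted_certificate, otherwise ssl_stapling_verify below cannot work`. The include path is relative to the nginx prefix, which resolves correctly for the /etc/nginx/conf.d destination used in the Dockerfile. The server block continues outside the hunk.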
diff --git a/nginx/ssl_certificates.conf_example b/nginx/ssl_certificates.conf_example
new file mode 100644
index 00000000..c97a76c2
--- /dev/null
+++ b/nginx/ssl_certificates.conf_example
@@ -0,0 +1,3 @@
+ssl_certificate /etc/certs/fullchain.pem;
+ssl_certificate_key /etc/certs/privkey.pem;
+ssl_trusted_certificate /etc/certs/fullchain.pem;
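Review bot: The new example carries no comment tying its three paths to the volume mount that production.yml_example asks the operator to configure, so someone copying it has to cross-reference two files to know why /etc/certs is used. A header line such as `# Paths are inside the nginx container; they must match the volume mounted on /etc/certs in production.yml` would make the file self-explanatory. Using fullchain.pem for ssl_trusted_certificate is consistent with the stapling setup in ssl.conf, assuming the mounted fullchain contains the issuing intermediate.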
diff --git a/production.yml_example b/production.yml_example
index 8757ca0d..0e5cc313 100644
--- a/production.yml_example
+++ b/production.yml_example
@@ -16,14 +16,15 @@ services:
        - "80:80"
       # - "443:443"
 
-      ### To enable SSL, generate keys with letsencrypt/certbot
+      ### To enable SSL, generate keys (eg with letsencrypt/certbot)
+      ### copy nginx/ssl_certificates.conf_example and edit it
+      ## if need be to correspond to the volume below
       ### and uncomment this block and the port 443
       # build:
       #   args:
       #     - NGINX_CONF=ssl.conf
-      #     - SSL_CERT=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
-      #     - SSL_KEY=/etc/letsencrypt/live/$DOMAIN/privkey.pem
-      #     - ACME_FILE=./<some_hash>
+      # volumes:
+      #   - /etc/letsencrypt/live/<mydomain>:/etc/certs
 
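Review bot: The suggested volume `/etc/letsencrypt/live/<mydomain>:/etc/certs` is likely to yield dangling links inside the container, because certbot's live/ directory normally holds symlinks into ../../archive/<mydomain>/, which this mount does not include. Mounting the whole tree read-only, e.g. `#   - /etc/letsencrypt:/etc/letsencrypt:ro`, and pointing the paths in ssl_certificates.conf at `/etc/letsencrypt/live/<mydomain>/fullchain.pem` and privkey.pem avoids that, and `:ro` keeps the key material read-only in the container either way. As a style point, the added line `## if need be to correspond to the volume below` uses `##` while its neighbours use `###`, so the comment block no longer reads as one unit.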
     flower:
       restart: always
-- 
GitLab