Added logging, self-signed certs and KEYWARDEN_DOMAIN env variable

2026-01-19 19:47:31 +00:00
parent 43fe875cde
commit 47b90fee87
6 changed files with 94 additions and 35 deletions
--- a/.env.example
+++ b/.env.example
@@ -2,7 +2,8 @@
 KEYWARDEN_SECRET_KEY=supersecret
 KEYWARDEN_DEBUG=True
 KEYWARDEN_ALLOWED_HOSTS=*
-KEYWARDEN_TRUSTED_ORIGINS=https://localhost,https://127.0.0.1
+KEYWARDEN_TRUSTED_ORIGINS=https://reverse.proxy.domain.xyz,https://127.0.0.1
+KEYWARDEN_DOMAIN=https://example.domain.xyz

 # Database
 KEYWARDEN_POSTGRES_DB=keywarden
--- a/6
+++ b/6
@@ -13,12 +13,16 @@ WORKDIR /app
 # System deps for psycopg2, node (for Tailwind), etc.
 RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
+    ca-certificates \
    libpq-dev \
    curl \
+    openssl \
    nginx \
    nodejs \
    npm \
    supervisor \
+    mkcert \
+    libnss3-tools \
    valkey-server \
    && rm -rf /var/lib/apt/lists/*

@@ -45,7 +49,7 @@ RUN pip install --upgrade pip \
 WORKDIR /app
 COPY ./app .

-COPY nginx/configs/nginx.conf /etc/nginx/nginx.conf
+COPY nginx/configs/nginx.conf.template /etc/nginx/nginx.conf.template
 COPY nginx/configs/options-* /etc/nginx/
 #COPY nginx/configs/sites/ /etc/nginx/conf.d/
 COPY supervisor/supervisord.conf /etc/supervisor/supervisord.conf
--- a/app/entrypoint.sh
+++ b/app/entrypoint.sh
@@ -1,6 +1,31 @@
 #!/bin/sh
 set -eu

+DOMAIN="${KEYWARDEN_DOMAIN:-localhost}"
+CERT_DIR="/etc/nginx/certs"
+NGINX_TEMPLATE="/etc/nginx/nginx.conf.template"
+NGINX_CONF="/etc/nginx/nginx.conf"
+
+# Replaces server_name in nginx.conf with $KEYWARDEN_DOMAIN
+if [ -f "$NGINX_TEMPLATE" ]; then
+    ESCAPED_DOMAIN=$(printf '%s' "$DOMAIN" | sed 's/[&/]/\\&/g')
+    sed "s/__SERVER_NAME__/${ESCAPED_DOMAIN}/g" "$NGINX_TEMPLATE" > "$NGINX_CONF"
+fi
+
+# Creates self-signed certs using mkcert $KEYWARDEN_DOMAIN, and renaming them.
+if [ ! -f "$CERT_DIR/certificate.pem" ] || [ ! -f "$CERT_DIR/key.pem" ]; then
+    mkdir -p "$CERT_DIR"
+    if command -v mkcert >/dev/null 2>&1; then
+        mkcert -install >/dev/null 2>&1 || true
+        mkcert -cert-file "$CERT_DIR/certificate.pem" -key-file "$CERT_DIR/key.pem" "$DOMAIN"
+    else
+        openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
+            -subj "/CN=$DOMAIN" \
+            -keyout "$CERT_DIR/key.pem" \
+            -out "$CERT_DIR/certificate.pem"
+    fi
+fi
+
 # Build Tailwind CSS (best-effort; skip if not configured)
 python manage.py tailwind install || true
 python manage.py tailwind build || true
@@ -12,4 +37,3 @@ python manage.py migrate --noinput
 python manage.py ensure_admin

 exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
-
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,8 +20,8 @@ services:
    container_name: keywarden
    volumes:
      - ./app:/app
-      - ./nginx/certs:/certs:ro
-      - ./nginx/logs:/etc/nginx/logs
+      - ./nginx/certs:/etc/nginx/certs
+      - ./nginx/logs:/var/log/nginx
    ports:
      - "443:443"
    depends_on:
--- a/nginx/configs/.sites/default.conf
+++ b/nginx/configs/.sites/default.conf
@@ -1,30 +0,0 @@
-# Default NGINX Config
-server {
-    listen 8008;
-    listen [::]:8008;
-    server_name _;
-
-    return 301 https://$host$request_uri;
-}
-
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-
-    server_name _;
-
-    ssl_certificate /certs/certificate.pem;
-    ssl_certificate_key /certs/key.pem;
-    include /certs/options-ssl-nginx.conf;
-
-    client_max_body_size 50M;
-
-    location / {
-        proxy_pass  http://127.0.0.1:8000;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto  $scheme;
-    }
-}
--- a/nginx/configs/nginx.conf.template
+++ b/nginx/configs/nginx.conf.template
@@ -0,0 +1,60 @@
+# This file should be put under /etc/nginx/conf.d/
+# Or place as /etc/nginx/nginx.conf
+
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    real_ip_header X-Forwarded-For;
+    include       /etc/nginx/mime.types;
+    include options-ssl.conf;
+    include options-http-headers.conf;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    server {
+        listen 80;
+        listen [::]:80;
+        server_name __SERVER_NAME__;
+        return 301 https://$host$request_uri;
+    }
+
+    server {
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2 on;
+        server_name __SERVER_NAME__;
+
+        error_log /var/log/nginx/error.log warn;
+        access_log  /var/log/nginx/access.log main;
+
+        ssl_certificate /etc/nginx/certs/certificate.pem;
+        ssl_certificate_key /etc/nginx/certs/key.pem;
+        include options-ssl.conf;
+        include options-https-headers.conf;
+
+        client_max_body_size 50M;
+
+        location / {
+            proxy_pass  http://127.0.0.1:8000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto  $scheme;
+            include options-https-headers.conf;
+            }
+    }
+
+    access_log  /var/log/nginx/access.log main;
+    types_hash_bucket_size 128;
+}