From 47b90fee87f2237f395d3508422ac5e0f3649bba Mon Sep 17 00:00:00 2001 From: boris Date: Mon, 19 Jan 2026 19:47:31 +0000 Subject: [PATCH] Added logging, self-signed certs and KEYWARDEN_DOMAIN env variable --- .env.example | 3 +- Dockerfile | 6 +++- app/entrypoint.sh | 26 +++++++++++++- docker-compose.yml | 4 +-- nginx/configs/.sites/default.conf | 30 ---------------- nginx/configs/nginx.conf.template | 60 +++++++++++++++++++++++++++++++ 6 files changed, 94 insertions(+), 35 deletions(-) delete mode 100644 nginx/configs/.sites/default.conf create mode 100644 nginx/configs/nginx.conf.template diff --git a/.env.example b/.env.example index eb9b985..b9b14a6 100644 --- a/.env.example +++ b/.env.example @@ -2,7 +2,8 @@ KEYWARDEN_SECRET_KEY=supersecret KEYWARDEN_DEBUG=True KEYWARDEN_ALLOWED_HOSTS=* -KEYWARDEN_TRUSTED_ORIGINS=https://localhost,https://127.0.0.1 +KEYWARDEN_TRUSTED_ORIGINS=https://reverse.proxy.domain.xyz,https://127.0.0.1 +KEYWARDEN_DOMAIN=https://example.domain.xyz # Database KEYWARDEN_POSTGRES_DB=keywarden diff --git a/Dockerfile b/Dockerfile index 0322b9c..38f4f35 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,12 +13,16 @@ WORKDIR /app # System deps for psycopg2, node (for Tailwind), etc. RUN apt-get update && apt-get install -y --no-install-recommends \ build-essential \ + ca-certificates \ libpq-dev \ curl \ + openssl \ nginx \ nodejs \ npm \ supervisor \ + mkcert \ + libnss3-tools \ valkey-server \ && rm -rf /var/lib/apt/lists/* @@ -45,7 +49,7 @@ RUN pip install --upgrade pip \ WORKDIR /app COPY ./app . -COPY nginx/configs/nginx.conf /etc/nginx/nginx.conf +COPY nginx/configs/nginx.conf.template /etc/nginx/nginx.conf.template COPY nginx/configs/options-* /etc/nginx/ #COPY nginx/configs/sites/ /etc/nginx/conf.d/ COPY supervisor/supervisord.conf /etc/supervisor/supervisord.conf diff --git a/app/entrypoint.sh b/app/entrypoint.sh index a76540b..a5f344f 100755 --- a/app/entrypoint.sh +++ b/app/entrypoint.sh 
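Review bot: The two new example hosts do not agree — `KEYWARDEN_TRUSTED_ORIGINS=https://reverse.proxy.domain.xyz` names one host and `KEYWARDEN_DOMAIN=https://example.domain.xyz` another — and nothing in the file says how they relate, so someone copying it will presumably hit CSRF origin rejections when the browser-facing origin is not the one listed as trusted. The entrypoint in this same commit also uses `KEYWARDEN_DOMAIN` as a bare hostname for nginx's `server_name` and for the certificate, which the `https://` prefix given here contradicts. A comment above the new line would settle both: `# Public hostname served by nginx (used for server_name and the self-signed cert); its https:// origin must also be listed in KEYWARDEN_TRUSTED_ORIGINS.`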
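Review bot: `libnss3-tools` is added to the runtime image apparently only so that `mkcert -install` in entrypoint.sh can write an NSS certificate database, but nothing in this image runs a browser or NSS-backed client that would read it, so the package only adds surface to a container that already ships `build-essential` and `nodejs`. `mkcert` itself is a development CA tool; if real deployments drop a CA-issued certificate into `nginx/certs` (the entrypoint skips generation when the files exist), consider installing it only in a dev build stage or behind a build argument, and drop `libnss3-tools` either way — replace the two added lines with just `mkcert \`.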
@@ -1,6 +1,31 @@ #!/bin/sh set -eu +DOMAIN="${KEYWARDEN_DOMAIN:-localhost}" +CERT_DIR="/etc/nginx/certs" +NGINX_TEMPLATE="/etc/nginx/nginx.conf.template" +NGINX_CONF="/etc/nginx/nginx.conf" + +# Replaces server_name in nginx.conf with $KEYWARDEN_DOMAIN +if [ -f "$NGINX_TEMPLATE" ]; then + ESCAPED_DOMAIN=$(printf '%s' "$DOMAIN" | sed 's/[&/]/\\&/g') + sed "s/__SERVER_NAME__/${ESCAPED_DOMAIN}/g" "$NGINX_TEMPLATE" > "$NGINX_CONF" +fi + +# Creates self-signed certs using mkcert $KEYWARDEN_DOMAIN, and renaming them. +if [ ! -f "$CERT_DIR/certificate.pem" ] || [ ! -f "$CERT_DIR/key.pem" ]; then + mkdir -p "$CERT_DIR" + if command -v mkcert >/dev/null 2>&1; then + mkcert -install >/dev/null 2>&1 || true + mkcert -cert-file "$CERT_DIR/certificate.pem" -key-file "$CERT_DIR/key.pem" "$DOMAIN" + else + openssl req -x509 -nodes -newkey rsa:2048 -days 365 \ + -subj "/CN=$DOMAIN" \ + -keyout "$CERT_DIR/key.pem" \ + -out "$CERT_DIR/certificate.pem" + fi +fi + # Build Tailwind CSS (best-effort; skip if not configured) python manage.py tailwind install || true python manage.py tailwind build || true @@ -12,4 +37,3 @@ python manage.py migrate --noinput python manage.py ensure_admin exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf - diff --git a/docker-compose.yml b/docker-compose.yml index 81aa2e8..7c94fea 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,8 +20,8 @@ services: container_name: keywarden volumes: - ./app:/app - - ./nginx/certs:/certs:ro - - ./nginx/logs:/etc/nginx/logs + - ./nginx/certs:/etc/nginx/certs + - ./nginx/logs:/var/log/nginx ports: - "443:443" depends_on: diff --git a/nginx/configs/.sites/default.conf b/nginx/configs/.sites/default.conf deleted file mode 100644 index 50b8364..0000000 --- a/nginx/configs/.sites/default.conf +++ /dev/null 
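Review bot: `DOMAIN` goes straight into `server_name` and into the certificate name, yet the `.env.example` in this same commit sets `KEYWARDEN_DOMAIN=https://example.domain.xyz`, so the shipped defaults render `server_name https://example.domain.xyz;` and mint a certificate for a name no client will ever match; normalize to a bare host first (`DOMAIN="${DOMAIN#*://}"; DOMAIN="${DOMAIN%%/*}"`). The mkcert branch also runs `-install` with the default CAROOT, so the root CA and its private key live on the container's own filesystem, are recreated on every rebuild while the leaf in the mounted volume persists, and the `rootCA.pem` that clients would need to import is never exposed; pointing `CAROOT` into the mounted cert directory fixes that, and `-install` itself can go because nothing visible here makes TLS connections to nginx from inside the container (it is presumably the only reason `libnss3-tools` was added). The openssl fallback issues a CN-only certificate with no subjectAltName, which current browsers and most TLS libraries reject for hostname matching, so add `-addext "subjectAltName=DNS:$DOMAIN"`. Finally, the existence check silently keeps a certificate minted for an earlier `KEYWARDEN_DOMAIN` when the variable changes — worth a log line — and a `chmod 600` on `key.pem` guards the fallback path (mkcert writes the key 0600; what this openssl build does should be confirmed).
```sh
DOMAIN="${KEYWARDEN_DOMAIN:-localhost}"
# Accept either a bare host or a URL: server_name and the certificate need the host only.
DOMAIN="${DOMAIN#*://}"
DOMAIN="${DOMAIN%%/*}"
CERT_DIR="/etc/nginx/certs"
# Keep the mkcert CA inside the mounted cert dir so it survives rebuilds and clients can import rootCA.pem.
export CAROOT="$CERT_DIR/ca"
# … unchanged: nginx template substitution …
if [ ! -f "$CERT_DIR/certificate.pem" ] || [ ! -f "$CERT_DIR/key.pem" ]; then
  mkdir -p "$CAROOT"
  if command -v mkcert >/dev/null 2>&1; then
    # No -install: the container does not need to trust its own certificate.
    mkcert -cert-file "$CERT_DIR/certificate.pem" -key-file "$CERT_DIR/key.pem" "$DOMAIN"
  else
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
      -subj "/CN=$DOMAIN" -addext "subjectAltName=DNS:$DOMAIN" \
      -keyout "$CERT_DIR/key.pem" -out "$CERT_DIR/certificate.pem"
  fi
  chmod 600 "$CERT_DIR/key.pem"
else
  printf 'entrypoint: reusing existing certificate in %s (not re-issued for %s)\n' "$CERT_DIR" "$DOMAIN" >&2
fi
```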
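Review bot: Only `443:443` is published, so the port-80 server the new nginx template adds to issue the `https://` redirect is unreachable from outside the container; either publish `"80:80"` next to it or drop that server block so nothing claims to handle plaintext. Removing `:ro` from the certs mount is necessary now that the entrypoint writes into it, but it also means `key.pem` (and, with mkcert, possibly a CA key) sits in a host directory bind-mounted read-write into the container; make sure `nginx/certs/` is ignored by git, and consider restoring `:ro` once a real certificate is placed there, since the entrypoint only generates when the files are missing.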
@@ -1,30 +0,0 @@
-# Default NGINX Config
-server {
- listen 8008;
- listen [::]:8008;
- server_name _;
-
- return 301 https://$host$request_uri;
-}
-
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name _;
-
- ssl_certificate /certs/certificate.pem;
- ssl_certificate_key /certs/key.pem;
- include /certs/options-ssl-nginx.conf;
-
- client_max_body_size 50M;
-
- location / {
- proxy_pass http://127.0.0.1:8000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-}
diff --git a/nginx/configs/nginx.conf.template b/nginx/configs/nginx.conf.template
new file mode 100644
index 0000000..e1e66e8
--- /dev/null
+++ b/nginx/configs/nginx.conf.template
@@ -0,0 +1,60 @@ +# This file should be put under /etc/nginx/conf.d/ +# Or place as /etc/nginx/nginx.conf + +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + real_ip_header X-Forwarded-For; + include /etc/nginx/mime.types; + include options-ssl.conf; + include options-http-headers.conf; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + server { + listen 80; + listen [::]:80; + server_name __SERVER_NAME__; + return 301 https://$host$request_uri; + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name __SERVER_NAME__; + + error_log /var/log/nginx/error.log warn; + access_log /var/log/nginx/access.log main; + + ssl_certificate /etc/nginx/certs/certificate.pem; + ssl_certificate_key /etc/nginx/certs/key.pem; + include options-ssl.conf; + include options-https-headers.conf; + + client_max_body_size 50M; + + location / { + proxy_pass http://127.0.0.1:8000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + include options-https-headers.conf; + } + } + + access_log /var/log/nginx/access.log main; + types_hash_bucket_size 128; +}
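Review bot: `server_name __SERVER_NAME__` restricts nothing here — each port has exactly one server block, so nginx treats it as the implicit default and every Host header, matching or not, lands in it, and the port-80 block then reflects that client-chosen Host into `return 301 https://$host$request_uri` (with `KEYWARDEN_ALLOWED_HOSTS=*` in the example env, Django does not stop it either). Redirect to the configured name instead, `return 301 https://$server_name$request_uri;` (this assumes `KEYWARDEN_DOMAIN` is rendered as a bare hostname), and add a catch-all `default_server` on both ports that closes the connection so unknown hosts never reach the app. `real_ip_header X-Forwarded-For;` in the `http` block is a no-op without a `set_real_ip_from` naming the upstream proxy, and an unbounded `set_real_ip_from` would let any client spoof `$remote_addr` in the access log and in the `X-Real-IP` sent to the app, so scope it to the proxy the example env hints at or remove it. `options-ssl.conf` and `options-https-headers.conf` are each included twice (http and server, server and location); nginx `add_header` directives at the inner level replace rather than extend the outer ones, so one include per scope is enough — the option files are not in this diff, so their contents cannot be judged here.
```nginx
    # Catch-all for any Host we do not serve; 444 closes the connection without a response.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name _;
        ssl_certificate /etc/nginx/certs/certificate.pem;
        ssl_certificate_key /etc/nginx/certs/key.pem;
        return 444;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name __SERVER_NAME__;
        # Redirect to the configured name, not to the client-supplied Host header.
        return 301 https://$server_name$request_uri;
    }
    # … unchanged: the 443 server for __SERVER_NAME__ …
```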