🔨 Restructures nginx configuration

grocy/Dockerfile

@@ -48,6 +48,7 @@ RUN \
     && find /var/www/ -type f -name "*.md" -depth -exec rm -f {} \; \
     && rm -f -r \
         /tmp/* \
+        /etc/nginx \
         /usr/local/share/.cache \
         /usr/lib/node_modules \
         /var/www/grocy/.git \

grocy/config.json

@@ -4,7 +4,7 @@
   "slug": "grocy",
   "description": "ERP beyond your fridge! A groceries & household management solution for your home",
   "url": "https://github.com/hassio-addons/addon-grocy",
-  "webui": "[PROTO:ssl]://[HOST]:[PORT:9192]",
+  "webui": "[PROTO:ssl]://[HOST]:[PORT:80]",
   "startup": "system",
   "arch": [
     "aarch64",
@@ -42,7 +42,6 @@
     "log_level": "match(^(trace|debug|info|notice|warning|error|fatal)$)?",
     "culture": "match(^(da|de|en|es|fr|it|nl|no|pl|ru|ta|tr)$)",
     "currency": "str",
-    "ssl": "bool",
     "features": {
       "batteries": "bool",
       "calendar": "bool",
@@ -52,6 +51,7 @@
       "shoppinglist": "bool",
       "tasks": "bool"
     },
+    "ssl": "bool",
     "certfile": "str",
     "keyfile": "str"
   }

grocy/rootfs/etc/cont-init.d/10-requirements.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/with-contenv bashio
-# ==============================================================================
-# Community Hass.io Add-ons: Grocy
-# This files check if all user configuration requirements are met
-# ==============================================================================
-bashio::config.require.ssl

grocy/rootfs/etc/cont-init.d/nginx.sh

@@ -6,13 +6,15 @@
 declare certfile
 declare keyfile
 
-if bashio::config.true 'ssl'; then
-    rm /etc/nginx/nginx.conf
-    mv /etc/nginx/nginx-ssl.conf /etc/nginx/nginx.conf
+bashio::config.require.ssl
 
+if bashio::config.true 'ssl'; then
     certfile=$(bashio::config 'certfile')
     keyfile=$(bashio::config 'keyfile')
 
-    sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/nginx.conf
-    sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/nginx.conf
+    mv /etc/nginx/servers/direct-ssl.disabled /etc/nginx/servers/direct.conf
+    sed -i "s/%%certfile%%/${certfile}/g" /etc/nginx/servers/direct.conf
+    sed -i "s/%%keyfile%%/${keyfile}/g" /etc/nginx/servers/direct.conf
+else
+    mv /etc/nginx/servers/direct.disabled /etc/nginx/servers/direct.conf
 fi

grocy/rootfs/etc/nginx/includes/fastcgi_params.conf

@@ -0,0 +1,24 @@
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

grocy/rootfs/etc/nginx/includes/mime.types

@@ -0,0 +1,96 @@
+types {
+    text/html                                        html htm shtml;
+    text/css                                         css;
+    text/xml                                         xml;
+    image/gif                                        gif;
+    image/jpeg                                       jpeg jpg;
+    application/javascript                           js;
+    application/atom+xml                             atom;
+    application/rss+xml                              rss;
+
+    text/mathml                                      mml;
+    text/plain                                       txt;
+    text/vnd.sun.j2me.app-descriptor                 jad;
+    text/vnd.wap.wml                                 wml;
+    text/x-component                                 htc;
+
+    image/png                                        png;
+    image/svg+xml                                    svg svgz;
+    image/tiff                                       tif tiff;
+    image/vnd.wap.wbmp                               wbmp;
+    image/webp                                       webp;
+    image/x-icon                                     ico;
+    image/x-jng                                      jng;
+    image/x-ms-bmp                                   bmp;
+
+    font/woff                                        woff;
+    font/woff2                                       woff2;
+
+    application/java-archive                         jar war ear;
+    application/json                                 json;
+    application/mac-binhex40                         hqx;
+    application/msword                               doc;
+    application/pdf                                  pdf;
+    application/postscript                           ps eps ai;
+    application/rtf                                  rtf;
+    application/vnd.apple.mpegurl                    m3u8;
+    application/vnd.google-earth.kml+xml             kml;
+    application/vnd.google-earth.kmz                 kmz;
+    application/vnd.ms-excel                         xls;
+    application/vnd.ms-fontobject                    eot;
+    application/vnd.ms-powerpoint                    ppt;
+    application/vnd.oasis.opendocument.graphics      odg;
+    application/vnd.oasis.opendocument.presentation  odp;
+    application/vnd.oasis.opendocument.spreadsheet   ods;
+    application/vnd.oasis.opendocument.text          odt;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation
+                                                     pptx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+                                                     xlsx;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document
+                                                     docx;
+    application/vnd.wap.wmlc                         wmlc;
+    application/x-7z-compressed                      7z;
+    application/x-cocoa                              cco;
+    application/x-java-archive-diff                  jardiff;
+    application/x-java-jnlp-file                     jnlp;
+    application/x-makeself                           run;
+    application/x-perl                               pl pm;
+    application/x-pilot                              prc pdb;
+    application/x-rar-compressed                     rar;
+    application/x-redhat-package-manager             rpm;
+    application/x-sea                                sea;
+    application/x-shockwave-flash                    swf;
+    application/x-stuffit                            sit;
+    application/x-tcl                                tcl tk;
+    application/x-x509-ca-cert                       der pem crt;
+    application/x-xpinstall                          xpi;
+    application/xhtml+xml                            xhtml;
+    application/xspf+xml                             xspf;
+    application/zip                                  zip;
+
+    application/octet-stream                         bin exe dll;
+    application/octet-stream                         deb;
+    application/octet-stream                         dmg;
+    application/octet-stream                         iso img;
+    application/octet-stream                         msi msp msm;
+
+    audio/midi                                       mid midi kar;
+    audio/mpeg                                       mp3;
+    audio/ogg                                        ogg;
+    audio/x-m4a                                      m4a;
+    audio/x-realaudio                                ra;
+
+    video/3gpp                                       3gpp 3gp;
+    video/mp2t                                       ts;
+    video/mp4                                        mp4;
+    video/mpeg                                       mpeg mpg;
+    video/quicktime                                  mov;
+    video/webm                                       webm;
+    video/x-flv                                      flv;
+    video/x-m4v                                      m4v;
+    video/x-mng                                      mng;
+    video/x-ms-asf                                   asx asf;
+    video/x-ms-wmv                                   wmv;
+    video/x-msvideo                                  avi;
+}

grocy/rootfs/etc/nginx/includes/resolver.conf

@@ -0,0 +1 @@
+resolver 172.30.32.2;

grocy/rootfs/etc/nginx/includes/server_params.conf

@@ -0,0 +1,28 @@
+server_name     $hostname;
+root            /var/www/grocy/public;
+index           index.php;
+
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+
+location / {
+    try_files $uri $uri/ /index.php?$query_string;
+}
+
+location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
+    expires 365d;
+}
+
+location ~ .php$ {
+    fastcgi_pass 127.0.0.1:9001;
+    fastcgi_read_timeout 900;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    include /etc/nginx/includes/fastcgi_params.conf;
+}
+
+location ~ /\.ht {
+    deny all;
+}

grocy/rootfs/etc/nginx/includes/ssl_params.conf

@@ -0,0 +1,9 @@
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
+ssl_ecdh_curve secp384r1;
+ssl_session_timeout  10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;

grocy/rootfs/etc/nginx/nginx-ssl.conf

@@ -1,54 +0,0 @@
-worker_processes  1;
-pid /var/run/nginx.pid;
-user nginx nginx;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include            mime.types;
-    default_type       application/octet-stream;
-    sendfile           on;
-    keepalive_timeout  65;
-
-    server {
-        server_name hassio.local;
-        listen 80 default_server ssl;
-        listen [::]:80 default_server ssl;
-        root /var/www/grocy/public;
-        index index.php;
-
-        ssl_certificate /ssl/%%certfile%%;
-        ssl_certificate_key /ssl/%%keyfile%%;
-        ssl_protocols TLSv1.2;
-        ssl_prefer_server_ciphers on;
-        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
-        ssl_ecdh_curve secp384r1;
-        ssl_session_timeout  10m;
-        ssl_session_cache shared:SSL:10m;
-        ssl_session_tickets off;
-        ssl_stapling on;
-        ssl_stapling_verify on;
-
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-
-        location /data/ {
-            deny all;
-        }
-
-        location ~ .php$ {
-            fastcgi_pass 127.0.0.1:9001;
-            fastcgi_read_timeout 900;
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_index index.php;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            include fastcgi_params;
-        }
-
-        location ~ ^(.*)\.(css|js|gif||jpe?g|png|json|cache\.json)$ {
-        }
-    }
-}

grocy/rootfs/etc/nginx/nginx.conf

@@ -1,43 +1,56 @@
-worker_processes  1;
-pid /var/run/nginx.pid;
-user nginx nginx;
+# Run nginx in foreground.
+daemon off;
 
+# This is run inside Docker.
+user root;
+
+# Pid storage location.
+pid /var/run/nginx.pid;
+
+# Set number of worker processes.
+worker_processes 1;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Write error log to Hass.io add-on log.
+error_log /proc/1/fd/1 error;
+
+# Load allowed environment vars
+env HASSIO_TOKEN;
+env DISABLE_HA_AUTHENTICATION;
+
+# Load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Max num of simultaneous connections by a worker process.
 events {
-    worker_connections  1024;
+    worker_connections 512;
 }
 
 http {
-    include            mime.types;
-    default_type       application/octet-stream;
-    sendfile           on;
-    keepalive_timeout  65;
+    include /etc/nginx/includes/mime.types;
 
-    server {
-        server_name hassio.local;
-        listen 80 default_server;
-        listen [::]:80 default_server;
-        root /var/www/grocy/public;
-        index index.php;
+    log_format hassio '[$time_local] $status '
+                        '$http_x_forwarded_for($remote_addr) '
+                        '$request ($http_user_agent)';
 
-        location / {
-            try_files $uri $uri/ /index.php?$query_string;
-        }
+    access_log              /proc/1/fd/1 hassio;
+    client_max_body_size    4G;
+    default_type            application/octet-stream;
+    gzip                    on;
+    keepalive_timeout       65;
+    sendfile                on;
+    server_tokens           off;
+    tcp_nodelay             on;
+    tcp_nopush              on;
 
-        location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
-            expires 365d;
-        }
-
-        location ~ .php$ {
-            fastcgi_pass 127.0.0.1:9001;
-            fastcgi_read_timeout 900;
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_index index.php;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            include fastcgi_params;
-        }
-
-        location ~ /\.ht {
-          deny all;
-        }
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
     }
+
+    include /etc/nginx/includes/resolver.conf;
+
+    include /etc/nginx/servers/*.conf;
 }

grocy/rootfs/etc/nginx/servers/direct-ssl.disabled

@@ -0,0 +1,11 @@
+server {
+    listen 80 default_server ssl http2;
+
+    include /etc/nginx/includes/ssl_params.conf;
+
+    ssl on;
+    ssl_certificate /ssl/%%certfile%%;
+    ssl_certificate_key /ssl/%%keyfile%%;
+
+    include /etc/nginx/includes/server_params.conf;
+}

grocy/rootfs/etc/nginx/servers/direct.disabled

@@ -0,0 +1,5 @@
+server {
+    listen 80 default_server;
+
+    include /etc/nginx/includes/server_params.conf;
+}

grocy/rootfs/etc/services.d/nginx/finish

@@ -3,7 +3,7 @@
 # Community Hass.io Add-ons: Grocy
 # Take down the S6 supervision tree when Nginx fails
 # ==============================================================================
-if -n { s6-test $# -ne 0 }
-if -n { s6-test ${1} -eq 256 }
+if { s6-test ${1} -ne 0 }
+if { s6-test ${1} -ne 256 }
 
 s6-svscanctl -t /var/run/s6/services

grocy/rootfs/etc/services.d/nginx/run

@@ -5,12 +5,8 @@
 # ==============================================================================
 
 # Wait for PHP-FPM to become available
-s6-svwait -u -t 5000 /var/run/s6/services/php-fpm
-timeout -t 15 \
-    bash -c \
-        'until echo > /dev/tcp/localhost/9001 ; do sleep 0.5; done' \
-            > /dev/null 2>&1
+bashio::net.wait_for 9001
 
 bashio::log.info "Starting NGinx...."
 
-exec nginx -g "daemon off;"
+exec nginx

grocy/rootfs/etc/services.d/php-fpm/finish

@@ -3,7 +3,7 @@
 # Community Hass.io Add-ons: Grocy
 # Take down the S6 supervision tree when PHP FPM fails
 # ==============================================================================
-if -n { s6-test $# -ne 0 }
-if -n { s6-test ${1} -eq 256 }
+if { s6-test ${1} -ne 0 }
+if { s6-test ${1} -ne 256 }
 
 s6-svscanctl -t /var/run/s6/services