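# nginx front end that runs as the unprivileged "nginx" user. Site content,
# server blocks and snippets are copied in, one build argument is substituted
# into the site configuration, and the result is syntax-checked during the
# build.
#
# NOTE(review): the tag fixes a version but not the image content. Appending a
# digest (nginx:1.20.0-alpine@sha256:<digest-of-the-reviewed-image>, placeholder)
# would make the base image reproducible.
FROM nginx:1.20.0-alpine

# Substituted into /etc/nginx/conf.d/www.shore.co.il.conf by the sed step below.
# There is no default, so an omitted --build-arg substitutes an empty string
# and only the later `nginx -t` can catch the result.
ARG TRANSMISSION

# Root-only preparation, kept in a single layer:
#   * Empty /etc/nginx/conf.d so that only the server blocks copied in below
#     are loaded. The original path was "/etc/nginx/conf./*", which matches
#     nothing, so `rm -rf` silently succeeded and left the stock configuration
#     in place.
#   * NOTE(review): /run is made world-writable, presumably so the nginx user
#     can write its pid file there. Giving the nginx user ownership of the
#     directory would be narrower; confirm nothing else writes to /run first.
#   * The two downloads use --fail so that an HTTP error aborts the build
#     instead of storing an error page as a certificate or as DH parameters.
#     Each file is then parsed with openssl. That check confirms the format,
#     not the authenticity; comparing against a checksum recorded out of band
#     would be stronger.
#   * NOTE(review): the self-signed key pair (2 days validity) is generated at
#     build time and stored in an image layer, so anyone who can pull the image
#     can read the key. Presumably it only exists so that `nginx -t` passes and
#     real certificates are mounted over /var/ssl at runtime; confirm.
#   * setcap lets the non-root nginx binary bind to privileged ports.
# hadolint ignore=DL3018
RUN rm -rf /etc/nginx/conf.d/* && \
    chmod 777 /run && \
    apk add --no-cache libcap openssl && \
    install -d -m 755 -o root -g root /etc/nginx/snippets && \
    install -d -m 755 -o root -g root /var/ssl && \
    install -d -m 700 -o nginx -g nginx /var/cache/nginx && \
    curl --fail --silent --show-error \
        --output /etc/ssl/ocsp.pem \
        https://letsencrypt.org/certs/isrg-root-ocsp-x1.pem.txt && \
    openssl x509 -in /etc/ssl/ocsp.pem -noout && \
    curl --fail --silent --show-error \
        --output /var/ssl/dhparams \
        https://ssl-config.mozilla.org/ffdhe2048.txt && \
    openssl dhparam -in /var/ssl/dhparams -noout && \
    chmod 644 /var/ssl/dhparams && \
    openssl req -x509 \
        -newkey rsa:4096 \
        -keyout /var/ssl/site.key \
        -nodes \
        -out /var/ssl/site.crt \
        -days 2 \
        -subj "/C=US/ST=IL/L=None/O=None/OU=None/CN=localhost/" && \
    cp /var/ssl/site.crt /var/ssl/mail.crt && \
    cp /var/ssl/site.key /var/ssl/mail.key && \
    setcap CAP_NET_BIND_SERVICE=+ep "$(command -v nginx)" && \
    chown nginx /var/ssl/site.* /var/ssl/mail.*

COPY www/ /var/www/
COPY conf.d/ /etc/nginx/conf.d/
COPY snippets/ /etc/nginx/snippets/

# Another option would be to copy the file to the template directory and have
# the environment variable substitution happen in runtime, but that way would
# miss checking the syntax during the build process.
#
# The build argument is already exported to the RUN shell, so the former
# `TRANSMISSION=$TRANSMISSION` prefix (and its ShellCheck suppressions) is not
# needed. The value is placed into the sed expression unescaped: a "/" or "&"
# in it would change the expression, so keep it to a plain host name or address.
RUN sed -i "s/TRANSMISSION/$TRANSMISSION/" /etc/nginx/conf.d/www.shore.co.il.conf

# Everything from here on, including the running server, is unprivileged.
USER nginx

# Fail the build on a configuration error, checked as the user that will run it.
RUN nginx -t

# Probe the server over plain HTTP with the "status" Host header.
HEALTHCHECK CMD curl --fail --verbose --user-agent 'Docker health check' \
    --header "Host: status" http://localhost/ || exit 1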