From 4f22466302c968557213e47453865ca7f28097a1 Mon Sep 17 00:00:00 2001
From: benniekiss <63211101+benniekiss@users.noreply.github.com>
Date: Wed, 10 Jul 2024 11:09:36 -0400
Subject: [PATCH 1/7] refactor init_cert.sh to enable custom certs

---
 docker/init_cert.sh | 44 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 11 deletions(-)

diff --git a/docker/init_cert.sh b/docker/init_cert.sh
index 976bdf7f..eb000af5 100644
--- a/docker/init_cert.sh
+++ b/docker/init_cert.sh
@@ -1,22 +1,44 @@
 #!/bin/bash
 set -ex
-LETSENCRYPT_DOMAIN=${LETSENCRYPT_DOMAIN:-"none"}
+
+LETSENCRYPT_DOMAIN=${LETSENCRYPT_DOMAIN:-}
 LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL:-"example@local"}
+NGINX_SSL_CERT=${NGINX_SSL_CERT:-}
+NGINX_SSL_KEY=${NGINX_SSL_KEY:-}
 NGINX_SSL_PORT=${NGINX_SSL_PORT:-443}
+NGINX_CONF="/etc/nginx/http.d/default.conf"
 
-# If no domain is provided, skip certbot execution and configuration
-if [ "${LETSENCRYPT_DOMAIN}-x" == "none-x" ]; then
- exit 0
-fi
+remove_ssl_config() {
+ sed -i -E "/ssl_certificate /,/^$/d" "${NGINX_CONF}"
+ sed -i -E "/ssl_certificate_key /,/^$/d" "${NGINX_CONF}"
+}
 
 # Request a certificate
 # this also updates the nginx config file with new SSL entries
-certbot -n --nginx --agree-tos --email ${LETSENCRYPT_EMAIL} -d ${LETSENCRYPT_DOMAIN} --https-port ${NGINX_SSL_PORT}
-# Add cron job file
-cat </etc/crontabs/root
+if [[ -n "${LETSENCRYPT_DOMAIN}" ]]; then
+ echo "Generating SSL certificate using certbot for ${LETSENCRYPT_DOMAIN} with automatic renewal."
+ certbot -n --nginx --agree-tos --email "${LETSENCRYPT_EMAIL}" -d "${LETSENCRYPT_DOMAIN}" --https-port "${NGINX_SSL_PORT}"
+ # Add cron job file
+ cat </etc/crontabs/root
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-0 */12 * * * certbot -q renew --nginx --https-port ${NGINX_SSL_PORT}
+0 */12 * * * certbot -q renew --nginx --https-port "${NGINX_SSL_PORT}"
 EOF
-# start cron daemon
-supervisorctl start cron
+ # start cron daemon
+ supervisorctl start cron
+# Update the nginx config file with the provided SSL entries
+elif [[ -n "${NGINX_SSL_CERT}" && -n "${NGINX_SSL_KEY}" ]]; then
+ echo "Configuring the provided SSL certificate at ${NGINX_SSL_CERT}"
+ remove_ssl_config
+ sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl http2);|listen ${NGINX_SSL_PORT} ssl http2;|" "${NGINX_CONF}"
+ sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl http2);|listen \[::\]:${NGINX_SSL_PORT} ssl http2;\n\n ssl_certificate ${NGINX_SSL_CERT};\n ssl_certificate_key ${NGINX_SSL_KEY};|" "${NGINX_CONF}"
+# If the nginx port is provided but no other settings are, update the port
+elif [[ "${NGINX_SSL_PORT}" != 443 ]]; then
+ echo "Setting nginx listen port."
+ remove_ssl_config
+ sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl http2);|listen ${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
+ sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl http2);|listen \[::\]:${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
+else
+ echo "No certificates or Letsencrypt domain was provided. Exiting."
+ exit 0
+fi

From c331279ecd0c3debebcdc20f659ac53eb655d8ce Mon Sep 17 00:00:00 2001
From: benniekiss <63211101+benniekiss@users.noreply.github.com>
Date: Wed, 10 Jul 2024 11:09:53 -0400
Subject: [PATCH 2/7] fix formatting of nginx default.conf

---
 docker/default.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docker/default.conf b/docker/default.conf
index 1aad77a4..f9cc04b3 100644
--- a/docker/default.conf
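Review bot: The `NGINX_SSL_CERT`/`NGINX_SSL_KEY` branch rewrites `${NGINX_CONF}` without checking that the two paths are readable, so a mistyped path leaves nginx pointing at a missing file and the failure only surfaces when nginx next loads the config; add `[[ -r "${NGINX_SSL_CERT}" && -r "${NGINX_SSL_KEY}" ]] || { echo "SSL certificate or key is not readable" >&2; exit 1; }` before the `remove_ssl_config` call. The same two paths are spliced into a `sed` replacement where `&`, `\` and the `|` delimiter carry meaning, so a path containing one of them corrupts the config instead of being rejected, and the check above is the place to refuse such values. The `(default_server\|ssl http2)` group also depends on GNU sed turning `\|` back into an ERE alternation because `|` doubles as the `s` delimiter; on a sed that treats `\|` as a literal pipe the pattern silently matches nothing, so a delimiter that does not occur in the pattern, e.g. `s#…#…#`, removes that ambiguity (the same patterns recur in the later `update http2 syntax` commit).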
+++ b/docker/default.conf
@@ -1,10 +1,10 @@
 server {
- listen 80 default_server;
- listen [::]:80 default_server;
+ listen 80 default_server;
+ listen [::]:80 default_server;
 
- root /usr/share/nginx/html;
+ root /usr/share/nginx/html;
 
- location / {
+ location / {
 try_files $uri $uri.html $uri/ =404;
 add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
 expires off;

From 1d5dc9eb81a8907930c3e4a906accd5e005aec13 Mon Sep 17 00:00:00 2001
From: benniekiss <63211101+benniekiss@users.noreply.github.com>
Date: Wed, 10 Jul 2024 11:46:35 -0400
Subject: [PATCH 3/7] install GNU sed

---
 docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 360da5e0..a1ac8e60 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,6 +1,6 @@
 FROM alpine:3.14
 
-RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext \
+RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext sed \
 nginx curl supervisor certbot-nginx && \
 rm -rf /var/cache/apk/* && mkdir -p /run/nginx

From 5622cb7b4aeb2285eabc4b2a42e0669641e8eefa Mon Sep 17 00:00:00 2001
From: benniekiss <63211101+benniekiss@users.noreply.github.com>
Date: Wed, 10 Jul 2024 12:08:45 -0400
Subject: [PATCH 4/7] make sure to reload the nginx config

---
 docker/init_cert.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker/init_cert.sh b/docker/init_cert.sh
index eb000af5..a6b54de6 100644
--- a/docker/init_cert.sh
+++ b/docker/init_cert.sh
@@ -42,3 +42,5 @@ else
 echo "No certificates or Letsencrypt domain was provided. Exiting."
 exit 0
 fi
+
+/usr/sbin/nginx -s reload

From cb86e3e9fbb7b7ea4e82f7163816ffc36adbb17a Mon Sep 17 00:00:00 2001
From: benniekiss <63211101+benniekiss@users.noreply.github.com>
Date: Wed, 10 Jul 2024 15:53:07 -0400
Subject: [PATCH 5/7] update docker readme

---
 docker/README.md | 2 ++
 1 file changed, 2 insertions(+)
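Review bot: `/usr/sbin/nginx -s reload` only signals the running master and returns 0 even when the rewritten `${NGINX_CONF}` fails to parse; nginx logs the error and keeps serving the previous configuration, so a bad `sed` substitution from the branches above this hunk goes unnoticed by the script. Validating first lets `set -e` turn a broken config into a visible failure: `/usr/sbin/nginx -t && /usr/sbin/nginx -s reload`. Under `set -e` the reload also aborts the script when no nginx master is running yet, so if this script can run before supervisor has started nginx that ordering is worth confirming.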
diff --git a/docker/README.md b/docker/README.md
index fc280fc2..ff7aa030 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -19,5 +19,7 @@ docker run -d --rm -p 80:80 -p 443:443 \
 > For SSL generation, you need to run this image in a server with proper public IP and a domain name pointing to it.
 ## Environment variables
 * ```NGINX_SSL_PORT``` Changes the port that Nginx listens to. Defaults to ```443```
+* ```NGINX_SSL_CERT``` Provide a pre-generated SSL certificate. Optional
+* ```NGINX_SSL_KEY``` Provide a pre-generated SSL certificate key. Optional
 * ```LETSENCRYPT_DOMAIN``` Enables Certbot`s client execution for the specified domain. Defaults to ```none```
 * ```LETSENCRYPT_EMAIL``` Email used in Certbot`s client execution to register the certificate request. Defaults to ```example@local```
\ No newline at end of file

From 83700ce5ca383bd19c654545775d3399b63e3726 Mon Sep 17 00:00:00 2001
From: benniekiss <63211101+benniekiss@users.noreply.github.com>
Date: Fri, 6 Jun 2025 11:09:01 -0400
Subject: [PATCH 6/7] update http2 syntax

---
 docker/default.conf | 3 ++-
 docker/init_cert.sh | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/docker/default.conf b/docker/default.conf
index f9cc04b3..c044944a 100644
--- a/docker/default.conf
+++ b/docker/default.conf
@@ -1,6 +1,7 @@
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
+ http2 on;
 
 root /usr/share/nginx/html;
 
@@ -16,4 +17,4 @@ server {
 add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
 expires off;
 }
-}
\ No newline at end of file
+}
diff --git a/docker/init_cert.sh b/docker/init_cert.sh
index a6b54de6..808e0747 100644
--- a/docker/init_cert.sh
+++ b/docker/init_cert.sh
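Review bot: `http2 on;` is the directive form introduced in nginx 1.25.1, while the Dockerfile at this point in the series still builds `FROM alpine:3.14`; if that release's nginx package predates 1.25.1, the config fails to load at this commit and only recovers with the alpine bump in the following commit, which breaks bisecting. Swapping the order of the two commits, or folding the version bump into this one, keeps every commit in the series buildable. The init_cert.sh hunk of this commit drops `http2` from the `listen` rewrites to match, so no further consistency change is needed there.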
@@ -30,14 +30,14 @@ EOF
 elif [[ -n "${NGINX_SSL_CERT}" && -n "${NGINX_SSL_KEY}" ]]; then
 echo "Configuring the provided SSL certificate at ${NGINX_SSL_CERT}"
 remove_ssl_config
- sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl http2);|listen ${NGINX_SSL_PORT} ssl http2;|" "${NGINX_CONF}"
- sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl http2);|listen \[::\]:${NGINX_SSL_PORT} ssl http2;\n\n ssl_certificate ${NGINX_SSL_CERT};\n ssl_certificate_key ${NGINX_SSL_KEY};|" "${NGINX_CONF}"
+ sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl);|listen ${NGINX_SSL_PORT} ssl;|" "${NGINX_CONF}"
+ sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl);|listen \[::\]:${NGINX_SSL_PORT} ssl;\n\n ssl_certificate ${NGINX_SSL_CERT};\n ssl_certificate_key ${NGINX_SSL_KEY};|" "${NGINX_CONF}"
 # If the nginx port is provided but no other settings are, update the port
 elif [[ "${NGINX_SSL_PORT}" != 443 ]]; then
 echo "Setting nginx listen port."
 remove_ssl_config
- sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl http2);|listen ${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
- sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl http2);|listen \[::\]:${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
+ sed -i -E "s|listen [0-9]{1,5} (default_server\|ssl);|listen ${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
+ sed -i -E "s|listen \[::\]:[0-9]{1,5} (default_server\|ssl);|listen \[::\]:${NGINX_SSL_PORT} default_server;|" "${NGINX_CONF}"
 else
 echo "No certificates or Letsencrypt domain was provided. Exiting."
 exit 0

From 60dbe247e1a2f63ba9b74305de239efc5ca1abec Mon Sep 17 00:00:00 2001
From: benniekiss <63211101+benniekiss@users.noreply.github.com>
Date: Fri, 6 Jun 2025 11:20:59 -0400
Subject: [PATCH 7/7] update alpine version

---
 docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index a1ac8e60..b1ce5d79 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.22
 
 RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext sed \
 nginx curl supervisor certbot-nginx && \