feat(Docker): allow custom certificates for fastapi/nginx

Now, when a `./cache/production.{cert,key}.pem` pair is found, it is
used in place of any certificates generated by the `ca` service.
This allows users to customize the certificate that the FastAPI
ASGI server uses as well as the front-end nginx certificates.

Optional:

- ./cache/production.cert.pem
- ./cache/production.key.pem

Fallback:

- ./cache/localhost.cert.pem + ./cache/root.ca.pem (chain)
- ./cache/localhost.key.pem

Signed-off-by: Kevin Morris <kevr@0cost.org>

docker/config/nginx.conf

@@ -43,8 +43,8 @@ http {
         listen 8443 ssl http2;
         server_name localhost default_server;
 
-        ssl_certificate /etc/ssl/certs/localhost.cert.pem;
-        ssl_certificate_key /etc/ssl/private/localhost.key.pem;
+        ssl_certificate /etc/ssl/certs/web.cert.pem;
+        ssl_certificate_key /etc/ssl/private/web.key.pem;
 
         root /aurweb/web/html;
         index index.php;
@@ -91,8 +91,8 @@ http {
         listen 8444 ssl http2;
         server_name localhost default_server;
 
-        ssl_certificate /etc/ssl/certs/localhost.cert.pem;
-        ssl_certificate_key /etc/ssl/private/localhost.key.pem;
+        ssl_certificate /etc/ssl/certs/web.cert.pem;
+        ssl_certificate_key /etc/ssl/private/web.key.pem;
 
         root /aurweb/web/html;
 

docker/nginx-entrypoint.sh

@@ -1,6 +1,16 @@
 #!/bin/bash
 set -eou pipefail
 
+# If production.{cert,key}.pem exists, prefer them. This allows
+# user customization of the certificates that FastAPI uses.
+# Otherwise, fallback to localhost.{cert,key}.pem, generated by `ca`.
+
+CERT=/cache/production.cert.pem
+KEY=/cache/production.key.pem
+
+DEST_CERT=/etc/ssl/certs/web.cert.pem
+DEST_KEY=/etc/ssl/private/web.key.pem
+
 # Setup a config for our mysql db.
 cp -vf conf/config.dev conf/config
 sed -i "s;YOUR_AUR_ROOT;$(pwd);g" conf/config
@@ -12,9 +22,13 @@ sed -ri 's/^;?(password) = .+/\1 = aur/' conf/config
 sed -ri "s|^(aur_location) = .+|\1 = https://localhost:8444|" conf/config
 sed -ri 's/^(disable_http_login) = .+/\1 = 1/' conf/config
 
-cat /cache/localhost.cert.pem /cache/ca.root.pem \
-    > /etc/ssl/certs/localhost.cert.pem
-cp -vf /cache/localhost.key.pem /etc/ssl/private/localhost.key.pem
+if [ -f "$CERT" ]; then
+    cp -vf "$CERT" "$DEST_CERT"
+    cp -vf "$KEY" "$DEST_KEY"
+else
+    cat /cache/localhost.cert.pem /cache/ca.root.pem > "$DEST_CERT"
+    cp -vf /cache/localhost.key.pem "$DEST_KEY"
+fi
 
 cp -vf /docker/config/nginx.conf /etc/nginx/nginx.conf
 

docker/scripts/run-fastapi.sh

@@ -1,17 +1,29 @@
 #!/bin/bash
 
+CERT=/cache/localhost.cert.pem
+KEY=/cache/localhost.key.pem
+
+# If production.{cert,key}.pem exists, prefer them. This allows
+# user customization of the certificates that FastAPI uses.
+if [ -f /cache/production.cert.pem ]; then
+    CERT=/cache/production.cert.pem
+fi
+if [ -f /cache/production.key.pem ]; then
+    KEY=/cache/production.key.pem
+fi
+
 if [ "$1" == "uvicorn" ] || [ "$1" == "" ]; then
     exec uvicorn --reload \
-        --ssl-certfile /cache/localhost.cert.pem \
-        --ssl-keyfile /cache/localhost.key.pem \
+        --ssl-certfile "$CERT" \
+        --ssl-keyfile "$KEY" \
         --log-config /docker/logging.conf \
         --host "0.0.0.0" \
         --port 8000 \
         aurweb.asgi:app
 else
     exec hypercorn --reload \
-        --certfile /cache/localhost.cert.pem \
-        --keyfile /cache/localhost.key.pem \
+        --certfile "$CERT" \
+        --keyfile "$KEY" \
         --log-config /docker/logging.conf \
         -b "0.0.0.0:8000" \
         aurweb.asgi:app