From ba3a7bc94421f93818f9196bd8a2c32eb7d9d940 Mon Sep 17 00:00:00 2001 
From: Thomas Vanbesien
Date: Wed, 3 Jun 2026 17:12:58 +0200
Subject: feat: better initialization script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Rename `tools/build` → `net_services`

`net_services` can be run from anywhere (previously it was not creating the fs archives in the right place).
It also creates the directories specified in `.env`, generates a self-signed certificate if no certificate is available, initializes the first Radicale user if missing, and copies the example configuration files for cgit if they are missing.

`generate_self_signed_cert` has been removed (its code is in `net_services`)
---
 .../etc/nginx/templates/default.conf.template | 46 ----------------------
 .../nginx/templates/services/cgit.conf.template | 17 --------
 .../templates/services/radicale.conf.template | 19 ---------
 .../templates/services/syncthing.conf.template | 20 ----------
 .../fs/etc/nginx/templates/default.conf.template | 46 ++++++++++++++++++++++
 .../nginx/templates/services/cgit.conf.template | 17 ++++++++
 .../templates/services/radicale.conf.template | 19 +++++++++
 .../templates/services/syncthing.conf.template | 20 ++++++++++
 services/nginx/fs/sbin/cmd.bash | 11 ++++++
 services/nginx/sbin/cmd.bash | 11 ------
 10 files changed, 113 insertions(+), 113 deletions(-)
 delete mode 100644 services/nginx/etc/nginx/templates/default.conf.template
 delete mode 100644 services/nginx/etc/nginx/templates/services/cgit.conf.template
 delete mode 100644 services/nginx/etc/nginx/templates/services/radicale.conf.template
 delete mode 100644 services/nginx/etc/nginx/templates/services/syncthing.conf.template
 create mode 100644 services/nginx/fs/etc/nginx/templates/default.conf.template
 create mode 100644 services/nginx/fs/etc/nginx/templates/services/cgit.conf.template
 create mode 100644 services/nginx/fs/etc/nginx/templates/services/radicale.conf.template
 create mode 100644 services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template
 create mode 
100755 services/nginx/fs/sbin/cmd.bash
delete mode 100755 services/nginx/sbin/cmd.bash
(limited to 'services/nginx')
diff --git a/services/nginx/etc/nginx/templates/default.conf.template b/services/nginx/etc/nginx/templates/default.conf.template
deleted file mode 100644
index f90b61a..0000000
--- a/services/nginx/etc/nginx/templates/default.conf.template
+++ /dev/null
@@ -1,46 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name ${NGINX__HOST}
- www.${NGINX__HOST}
- dav.${NGINX__HOST}
- git.${NGINX__HOST}
- sync.${NGINX__HOST};
-
- # Prevent nginx HTTP Server Detection
- server_tokens off;
-
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- server_name ${NGINX__HOST} www.${NGINX__HOST};
-
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
-
- location / {
- root /srv;
- }
-}
-
-server {
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
-
- server_name _;
-
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
-
- return 444;
-}
-
-# Docker embedded DNS server
-resolver 127.0.0.11 valid=2s;
-
-include /etc/nginx/conf.d/services/*.conf;
diff --git a/services/nginx/etc/nginx/templates/services/cgit.conf.template b/services/nginx/etc/nginx/templates/services/cgit.conf.template
deleted file mode 100644
index c0fa070..0000000
--- a/services/nginx/etc/nginx/templates/services/cgit.conf.template
+++ /dev/null
@@ -1,17 +0,0 @@
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- server_name git.${NGINX__HOST};
-
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
-
- location / {
- proxy_pass http://cgit:80;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-}
diff --git a/services/nginx/etc/nginx/templates/services/radicale.conf.template b/services/nginx/etc/nginx/templates/services/radicale.conf.template
deleted file mode 100644
index d6e4617..0000000
--- a/services/nginx/etc/nginx/templates/services/radicale.conf.template
+++ /dev/null
@@ -1,19 +0,0 @@
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- server_name dav.${NGINX__HOST};
-
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
-
- location / {
- proxy_pass http://radicale:5232;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Port $server_port;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $http_host;
- proxy_pass_header Authorization;
- }
-}
diff --git a/services/nginx/etc/nginx/templates/services/syncthing.conf.template b/services/nginx/etc/nginx/templates/services/syncthing.conf.template
deleted file mode 100644
index 31c90bb..0000000
--- a/services/nginx/etc/nginx/templates/services/syncthing.conf.template
+++ /dev/null
@@ -1,20 +0,0 @@
-server {
- listen 443 ssl;
- listen [::]:443 ssl;
-
- server_name sync.${NGINX__HOST};
-
- ssl_certificate /run/secrets/server.crt;
- ssl_certificate_key /run/secrets/server.key;
-
- location / {
- proxy_pass http://syncthing:8384;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- }
-}
diff --git a/services/nginx/fs/etc/nginx/templates/default.conf.template b/services/nginx/fs/etc/nginx/templates/default.conf.template
new file mode 100644
index 0000000..f90b61a
--- /dev/null
+++ b/services/nginx/fs/etc/nginx/templates/default.conf.template
@@ -0,0 +1,46 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name ${NGINX__HOST}
+ www.${NGINX__HOST}
+ dav.${NGINX__HOST}
+ git.${NGINX__HOST}
+ sync.${NGINX__HOST};
+
+ # Prevent nginx HTTP Server Detection
+ server_tokens off;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name ${NGINX__HOST} www.${NGINX__HOST};
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ location / {
+ root /srv;
+ }
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _;
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ return 444;
+}
+
+# Docker embedded DNS server
+resolver 127.0.0.11 valid=2s;
+
+include /etc/nginx/conf.d/services/*.conf;
diff --git a/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template
new file mode 100644
index 0000000..c0fa070
--- /dev/null
+++ b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name git.${NGINX__HOST};
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ location / {
+ proxy_pass http://cgit:80;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template
new file mode 100644
index 0000000..d6e4617
--- /dev/null
+++ b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name dav.${NGINX__HOST};
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ location / {
+ proxy_pass http://radicale:5232;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_pass_header Authorization;
+ }
+}
diff --git a/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template b/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template
new file mode 100644
index 0000000..31c90bb
--- /dev/null
+++ b/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name sync.${NGINX__HOST};
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ location / {
+ proxy_pass http://syncthing:8384;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ }
+}
diff --git a/services/nginx/fs/sbin/cmd.bash b/services/nginx/fs/sbin/cmd.bash
new file mode 100755
index 0000000..e024b4f
--- /dev/null
+++ b/services/nginx/fs/sbin/cmd.bash
@@ -0,0 +1,11 @@
+#!/usr/bin/bash
+set -eu
+
+# Install sensitive data in tmpfs
+install --mode 400 /run/host_secrets/server.crt /run/secrets/server.crt
+install --mode 400 /run/host_secrets/server.key /run/secrets/server.key
+
+# We have to run the entrypoint again
+# Because if the first positional parameter is not "nginx" or "nginx-debug" the scripts in /docker-entrypoint.d are not ran.
+# https://github.com/nginx/docker-nginx/blob/master/stable/debian/docker-entrypoint.sh
+exec /docker-entrypoint.sh nginx -g "daemon off;"
diff --git a/services/nginx/sbin/cmd.bash b/services/nginx/sbin/cmd.bash
deleted file mode 100755
index e024b4f..0000000
--- a/services/nginx/sbin/cmd.bash
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/bash
-set -eu
-
-# Install sensitive data in tmpfs
-install --mode 400 /run/host_secrets/server.crt /run/secrets/server.crt
-install --mode 400 /run/host_secrets/server.key /run/secrets/server.key
-
-# We have to run the entrypoint again
-# Because if the first positional parameter is not "nginx" or "nginx-debug" the scripts in /docker-entrypoint.d are not ran.
-# https://github.com/nginx/docker-nginx/blob/master/stable/debian/docker-entrypoint.sh
-exec /docker-entrypoint.sh nginx -g "daemon off;"
-- 
cgit v1.3.1