From c3536b49c8d9a74f2a4f50f9b41f505ad27bd70e Mon Sep 17 00:00:00 2001
From: jude
Date: Wed, 5 Nov 2025 18:52:36 +0000
Subject: [PATCH] WIP Use nginx to serve a self-signed cert
---
 compose.yaml | 27 +++++++++++++++++++++++++++
 nginx/selfsigned.conf | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 nginx/selfsigned.conf
diff --git a/compose.yaml b/compose.yaml
index 4df1c1b..f59587c 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -39,5 +39,32 @@ services:
 ports:
 - "18920:18920"
+ nginx:
+ image: nginx:alpine
+ restart: always
+ depends_on:
+ - bot
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - ./nginx/selfsigned.conf:/etc/nginx/conf.d/default.conf:ro
+ - nginx_certs:/etc/nginx/certs
+ entrypoint:
+ - "/bin/sh"
+ - "-c"
+ command: |
+ set -e
+ apk add --no-cache openssl
+ mkdir -p /etc/nginx/certs
+ if [ ! -f /etc/nginx/certs/selfsigned.key ] || [ ! -f /etc/nginx/certs/selfsigned.crt ]; then
+ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+ -keyout /etc/nginx/certs/selfsigned.key \
+ -out /etc/nginx/certs/selfsigned.crt \
+ -subj "/CN=localhost"
+ fi
+ exec nginx -g 'daemon off;'
+
 volumes:
 reminders:
+ nginx_certs:
diff --git a/nginx/selfsigned.conf b/nginx/selfsigned.conf
new file mode 100644
index 0000000..103998f
--- /dev/null
+++ b/nginx/selfsigned.conf
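Review bot: The plaintext dashboard port stays published next to the new TLS proxy: the context lines just above the added `nginx` service still carry `- "18920:18920"`, which appears to belong to the `bot` service (its definition starts outside the hunk), so clients can reach the backend over HTTP and bypass nginx entirely. nginx reaches `bot:18920` over the compose network, so the host mapping can be dropped or narrowed to `- "127.0.0.1:18920:18920"`; the same loopback binding would suit `80` and `443` if this is only meant for local development. In `command`, the `if` guard only tests that the key and cert files exist, so the cert kept in the `nginx_certs` volume is never regenerated after its 365 days; adding `|| ! openssl x509 -checkend 86400 -noout -in /etc/nginx/certs/selfsigned.crt` to the condition would cover expiry. Running `apk add --no-cache openssl` on every start also ties container startup to network access and an unpinned package on an unpinned `nginx:alpine` tag, and with `set -e` plus `restart: always` a failed fetch becomes a restart loop; a small derived image with openssl baked in avoids that.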
@@ -0,0 +1,40 @@
+# Nginx configuration for local development with self-signed TLS
+# Proxies HTTPS traffic to the Rocket dashboard running in the `bot` service.
+
+# Redirect all HTTP to HTTPS
+server {
+ listen 80;
+ server_name _;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name _;
+
+ ssl_certificate /etc/nginx/certs/selfsigned.crt;
+ ssl_certificate_key /etc/nginx/certs/selfsigned.key;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+
+ client_max_body_size 10M;
+
+ location / {
+ proxy_pass http://bot:18920;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /static {
+ proxy_pass http://bot:18920/static;
+ expires 30d;
+ }
+}
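Review bot: In `location /`, `X-Forwarded-For` is built from `$proxy_add_x_forwarded_for`, which appends to whatever value the client already sent; with nginx as the first hop in this setup, the backend receives a client-controlled prefix in that header. If the dashboard uses it for logging, rate limiting or access decisions, `proxy_set_header X-Forwarded-For $remote_addr;` is the safer form at this edge. The `location /static` block sets none of the `proxy_set_header` directives, so those requests reach the backend with nginx's default `Host` and no forwarding headers; moving the four directives up to the `server` level would keep both locations consistent. `location /static` also prefix-matches paths such as `/staticfoo`, so `location /static/` with `proxy_pass http://bot:18920/static/;` would be tighter.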