devops: revise TLS key setup procedure

Allow setting TLS/SSL key URIs using environment variables, export the URIs as NUMWAL_TLS_PUBLIC_KEY_URI and NUMWAL_TLS_PRIVATE_KEY_URI on the host before building containers

Update tls/ directory structure

Update SETUP.md

Author: mounaiban

SETUP.md

@@ -139,6 +139,12 @@ The following settings may be altered without editing any project or
 configuration files, by exporting these environment variables on
 the host:
 
+* `NUMWAL_TLS_PRIVATE_KEY_URI`: use this variable to change the URI
+  to the private key in the Nginx server.
+
+* `NUMWAL_TLS_PUBLIC_KEY_URI`: use this variable to change the URI
+  to the public key certificate in the Nginx server.
+
 * `NUMWAL_CACHE_CLEAR`: set to any integer 1 or higher to order the
   underlying Fat Free Framework to clear caches.
 

compose.yml

@@ -47,6 +47,8 @@ services:
       NUMWAL_HTTP_PORT: 8080
       NUMWAL_HTTPS_PORT: 443
       NUMWAL_HOST: numwal
+      NUMWAL_TLS_PUBLIC_KEY_URI: ${NUMWAL_TLS_PUBLIC_KEY_URI:-/etc/ssl/keys/numwal-cert.pem}
+      NUMWAL_TLS_PRIVATE_KEY_URI: ${NUMWAL_TLS_PRIVATE_KEY_URI:-/etc/ssl/private/numwal-private.pem}
     ports:
       - 9080:8080
       - 9443:443

conf/numwal-with-tls.conf.template

@@ -20,9 +20,9 @@ server {
     listen [::]:${NUMWAL_HTTPS_PORT} ssl;
 
     # Remember to change the certificate and private key filenames as required
-    ssl_certificate /etc/ssl/keys/numwal-cert.pem;
-    ssl_certificate_key /etc/ssl/private/numwal-private.pem;
-    
+    ssl_certificate ${NUMWAL_TLS_PUBLIC_KEY_URI};
+    ssl_certificate_key ${NUMWAL_TLS_PRIVATE_KEY_URI};
+
     location / {
         index index.php index.html index.htm;
         try_files $uri /index.php?query_string;

tls/README-tls.md

@@ -1,15 +1,13 @@
 # TLS Certificate and Private Key Directory
 
-Place your certificate and private key in this directory, so the image build
-process can find them and insert them into your image.
+Place your public key certificate in the `keys/` directory, and your
+private key in the `private/` directory. Please do this only for
+self-signed test keys.
 
-The Dockerfile expects your certificate (public key) to be named `numwal.pem`
-and your private key to be named `numwal-private.pem`.
+The key URIs may be set using the `NUMWAL_TLS_PUBLIC_KEY_URI` and
+`NUMWAL_TLS_PRIVATE_KEY_URI` environment variables on the host before
+building the containers.
 
-If you wish to use different names for keys, and/or source them from another
-path, please keep the Dockerfile `Dockerfile-nginx-tls` and the Nginx 
-configuration file `numwal-nginx` in sync with these changes.
-
-**PROTIP**: Triple-check your commits before you make them to watch for
-private key leaks!
+**PROTIP**: Triple-check your commits before you make them to watch
+for private key leaks!
 

tls/keys/README-tls-keys.txt

@@ -0,0 +1 @@
+Put public key certificate in this directory...

tls/private/README-tls-private.txt

@@ -0,0 +1,3 @@
+Put private key in this directory...
+Please do this for self-signed test keys only.
+For a more secure setup, use a secure key server.