From 64c72237d29340426ebdf74dbb51e0cb155aec2f Mon Sep 17 00:00:00 2001
From: Ash
Date: Fri, 10 May 2024 20:03:47 -0700
Subject: [PATCH] feat: Build and package all the nginx modules from the oss repo.
---
 Dockerfile | 74 ++++++++++++++++++++++++++++++++++++++-----
 config/ARGS | 7 ++++
 scripts/build-args.sh | 38 +---------------------
 3 files changed, 74 insertions(+), 45 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 56eba5f..fa4d78d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,52 @@
+ARG BASE_IMAGE_NAME
+ARG BASE_IMAGE_TAG
+FROM ${BASE_IMAGE_NAME}:${BASE_IMAGE_TAG} AS builder
+
+SHELL ["/bin/bash", "-c"]
+
+ARG XSLSCRIPT_PL_SHA256_CHECKSUM
+ARG NGINX_VERSION
+ARG NGINX_RELEASE_SUFFIX
+ARG NGINX_MODULES
+
+RUN \
+ set -e -o pipefail \
+ && homelab install util-linux patch quilt build-essential make cmake g++ \
+ git mercurial \
+ lsb-release devscripts equivs debhelper \
+ libkrb5-dev \
+ libbrotli-dev \
+ libssl-dev libpcre2-dev zlib1g-dev \
+ libgeoip-dev libmaxminddb-dev \
+ libgd-dev \
+ libedit-dev libxml2-dev libxslt-dev libyaml-cpp-dev libboost-dev \
+ libre2-dev \
+ libxml2-utils xsltproc libparse-recdescent-perl \
+ && homelab install-bin \
+ https://hg.nginx.org/xslscript/raw-file/01dc9ba12e1b/xslscript.pl \
+ ${XSLSCRIPT_PL_SHA256_CHECKSUM:?} \
+ xslscript.pl \
+ xslscript \
+ /opt/bin/xslscript.pl \
+ root \
+ root \
+ && mkdir -p /tmp/nginx-modules-build \
+ && pushd /tmp/nginx-modules-build \
+ && hg clone -r ${NGINX_VERSION:?}-${NGINX_RELEASE_SUFFIX:?} https://hg.nginx.org/pkg-oss/ \
+ && popd \
+ && pushd /tmp/nginx-modules-build/pkg-oss/debian \
+ && for nginx_module in ${NGINX_MODULES:?}; do \
+ echo "Building ${nginx_module:?} for nginx ${NGINX_VERSION:?}-${NGINX_RELEASE_SUFFIX:?}"; \
+ make rules-module-${nginx_module:?} BASE_VERSION=${NGINX_VERSION:?} NGINX_VERSION=${NGINX_VERSION:?}; \
+ mk-build-deps --install '--tool=apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes' debuild-module-${nginx_module:?}/nginx-${NGINX_VERSION:?}/debian/control; \
+ make module-${nginx_module:?} BASE_VERSION=${NGINX_VERSION:?} NGINX_VERSION=${NGINX_VERSION:?}; \
+ done \
+ && popd \
+ && mkdir -p /nginx-modules-build \
+ && mv /tmp/nginx-modules-build/*.deb /nginx-modules-build \
+ && rm /nginx-modules-build/*dbg_*.deb \
+ && rm -rf /tmp/nginx-modules-build
+
 ARG BASE_IMAGE_NAME
 ARG BASE_IMAGE_TAG
 FROM ${BASE_IMAGE_NAME}:${BASE_IMAGE_TAG}
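Review bot: A failed module build inside the `for nginx_module` loop does not stop the image build: the loop is a non-final member of the `&&` chain, so bash ignores `set -e` for every command in its body, and the `;`-separated `make rules-module-…`, `mk-build-deps` and `make module-…` calls only affect the outcome through the last command of the last iteration. A module that fails to build would then be silently missing from `/nginx-modules-build` and from the final image. End each of the three build commands with an explicit exit, e.g. `make module-${nginx_module:?} BASE_VERSION=${NGINX_VERSION:?} NGINX_VERSION=${NGINX_VERSION:?} || exit 1; \`. Separately, `xslscript.pl` is pinned by changeset and SHA-256, while `hg clone -r ${NGINX_VERSION:?}-${NGINX_RELEASE_SUFFIX:?}` selects pkg-oss by what appears to be a tag name; pinning that clone to a full changeset hash passed in through an ARG would give the packaging recipes the same integrity guarantee.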
@@ -8,13 +57,16 @@ ARG USER_NAME ARG GROUP_NAME ARG USER_ID ARG GROUP_ID +ARG NGINX_VERSION +ARG NGINX_RELEASE_SUFFIX +ARG NGINX_RELEASE_DISTRO +ARG NGINX_REPO ARG NGINX_GPG_KEY -ARG NGINX_GPG_KEY_PATH ARG NGINX_GPG_KEY_SERVER -ARG NGINX_SRC_REPO -ARG NGINX_PACKAGES +ARG NGINX_GPG_KEY_PATH RUN \ + --mount=type=bind,target=/nginx-modules-build,from=builder,source=/nginx-modules-build \ set -e -o pipefail \ # Create the user and the group. \ && homelab add-user \ 
@@ -23,17 +75,23 @@ RUN \ ${GROUP_NAME:?} \ ${GROUP_ID:?} \ --no-create-home-dir \ - && homelab export-gpg-key "${NGINX_GPG_KEY_SERVER:?}" "${NGINX_GPG_KEY:?}" "${NGINX_GPG_KEY_PATH}" \ - && homelab install-pkg-from-deb-src "${NGINX_SRC_REPO:?}" "${NGINX_PACKAGES:?}" \ + && homelab export-gpg-key \ + "${NGINX_GPG_KEY_SERVER:?}" \ + "${NGINX_GPG_KEY:?}" \ + "${NGINX_GPG_KEY_PATH:?}" \ + && homelab install-pkg-from-deb-src \ + "deb-src [signed-by=${NGINX_GPG_KEY_PATH:?}] ${NGINX_REPO:?} ${NGINX_RELEASE_DISTRO:?} nginx" \ + "nginx=${NGINX_VERSION:?}-${NGINX_RELEASE_SUFFIX:?}~${NGINX_RELEASE_DISTRO:?}" \ + && homelab install /nginx-modules-build/*.deb \ && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \ && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \ # nginx user must own the cache and etc directory to write cache and tweak the nginx config \ && chown -R ${USER_NAME:?}:${GROUP_NAME:?} /var/cache/nginx \ - # && chmod -R g+w /var/cache/nginx \ && chown -R ${USER_NAME:?}:${GROUP_NAME:?} /etc/nginx \ - # && chmod -R g+w /etc/nginx \ - && chown ${USER_NAME:?}:${GROUP_NAME:?} /var/log/nginx/access.log /var/log/nginx/error.log \ + # Forward request and error logs to the docker logs collector. \ + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ # Clean up. \ && homelab cleanup diff --git a/config/ARGS b/config/ARGS index da06431..7e174d2 100644 --- a/config/ARGS +++ b/config/ARGS 
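Review bot: `homelab install /nginx-modules-build/*.deb` installs every package the builder stage produced, so with the NGINX_MODULES list in config/ARGS the runtime image carries perl, lua, njs, passenger, rtmp and the rest whether or not a deployment uses them. A context line in this same RUN gives `/etc/nginx` to the runtime user (`chown -R ${USER_NAME:?}:${GROUP_NAME:?} /etc/nginx`), so that user can presumably edit nginx.conf, including adding `load_module` lines for any installed module. Consider installing only the modules a deployment needs, or at least record the decision above the install line with `# Installs every module package built in the builder stage. \` and confirm that none of the packages enables itself on install. The RUN instruction begins outside this hunk.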
@@ -4,5 +4,12 @@ USER_NAME=nginx
 GROUP_NAME=nginx
 USER_ID=16001
 GROUP_ID=16001
+NGINX_VERSION=1.26.0
+NGINX_RELEASE_SUFFIX=1
+NGINX_RELEASE_DISTRO=bookworm
+NGINX_REPO="https://nginx.org/packages/debian/"
+NGINX_MODULES=auth-spnego brotli encrypted-session fips-check geoip geoip2 headers-more image-filter lua ndk njs opentracing otel passenger perl rtmp set-misc subs-filter xslt
 NGINX_GPG_KEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
 NGINX_GPG_KEY_SERVER=hkp://keyserver.ubuntu.com:80
+NGINX_GPG_KEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg
+XSLSCRIPT_PL_SHA256_CHECKSUM=467df171f045e68ce31448ce6cf183073fc5043cba24a4dc639aed1000825c22
diff --git a/scripts/build-args.sh b/scripts/build-args.sh
index 3df320c..88c46ab 100755
--- a/scripts/build-args.sh
+++ b/scripts/build-args.sh
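Review bot: `NGINX_MODULES` is the only multi-word value in this file and it is unquoted, while the single-word `NGINX_REPO` added just above it is quoted. How config/ARGS is parsed is not visible here (the body of `args_file_as_build_args` in scripts/build-args.sh lies outside the shown hunks), but if values are emitted unquoted after `--build-arg`, or the file is ever sourced, only `auth-spnego` would reach the build and the remaining words would be treated as separate arguments or commands. Quote it the same way as `NGINX_REPO`, i.e. `NGINX_MODULES="auth-spnego brotli … xslt"`, or confirm that the parser keeps the whole line verbatim and make `NGINX_REPO` consistent with that.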
@@ -6,41 +6,7 @@ repo_dir="$(realpath "${script_parent_dir:?}/..")" ARGS_FILE="${repo_dir:?}/config/ARGS" -NGINX_REPO="https://nginx.org/packages/debian/" -NGINX_VERSION="1.26.0-1" -NGINX_DEBIAN_RELEASE="bookworm" -NGINX_MODULES="" -GPG_KEY_PATH="/usr/share/keyrings/nginx-archive-keyring.gpg" -# Candidate modules are listed below: -# NGINX_MODULES="xslt geoip image-filter perl" -# There is also njs which uses a slightly different version format than the rest. -# The list can be seen here: https://nginx.org/packages/debian/pool/nginx/n/nginx/ - -nginx_src_repo() { - echo -n "deb-src [signed-by=${GPG_KEY_PATH:?}] ${NGINX_REPO:?} ${NGINX_DEBIAN_RELEASE:?} nginx" -} - -nginx_packages() { - echo -n "nginx=${NGINX_VERSION:?}~${NGINX_DEBIAN_RELEASE:?} " - if [[ "${NGINX_MODULES}" != "" ]]; then - for module in ${NGINX_MODULES:?}; do - echo -n "nginx-module-${module}=${NGINX_VERSION:?}~${NGINX_DEBIAN_RELEASE:?} " - done - fi -} - -nginx_build_args() { - if [[ "$1" == "docker-flags" ]]; then - local prefix="--build-arg " - echo -n "${prefix:?}NGINX_SRC_REPO=\"$(nginx_src_repo)\" " - echo -n "${prefix:?}NGINX_PACKAGES=\"$(nginx_packages)\" " - echo -n "${prefix:?}NGINX_GPG_KEY_PATH=\"${GPG_KEY_PATH:?}\" " - else - echo "NGINX_SRC_REPO=$(nginx_src_repo)" - echo "NGINX_PACKAGES=$(nginx_packages)" - echo "NGINX_GPG_KEY_PATH=${GPG_KEY_PATH:?}" - fi -} +# The latest nginx version can be obtained from https://nginx.org/packages/debian/pool/nginx/n/nginx/ args_file_as_build_args() { local prefix="" @@ -58,13 +24,11 @@ args_file_as_build_args() { github_env_dump() { args_file_as_build_args - nginx_build_args } if [[ "$1" == "docker-flags" ]]; then # --build-arg format used with the docker build command. args_file_as_build_args $1 - nginx_build_args $1 else output=$(github_env_dump) if [ -n "${GITHUB_OUTPUT}" ]; then