From 49d014e95102791dd2beedab1f4a366e7331739e Mon Sep 17 00:00:00 2001 From: Charlie Hileman Date: Wed, 16 Dec 2020 10:11:21 -0500 Subject: [PATCH 1/4] ops: allow for upstream SSL --- .env | 4 +++- docker-compose.yml | 7 ++++--- files/nginx/odk-setup.sh | 9 ++++++++- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/.env b/.env index 01f18b91..16f62520 100644 --- a/.env +++ b/.env @@ -1,3 +1,5 @@ -SSL_TYPE=selfsign|letsencrypt|customssl +SSL_TYPE=selfsign|letsencrypt|customssl|upstream DOMAIN=local|your.domain.com SYSADMIN_EMAIL=administrator@email.com +HTTP_PORT=80 +HTTPS_PORT=443 diff --git a/docker-compose.yml b/docker-compose.yml index 5469ac99..81e2a7ba 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -47,12 +47,13 @@ services: - service - enketo environment: - - SSL_TYPE=${SSL_TYPE} + - SSL_TYPE=${SSL_TYPE:-letsencrypt} - DOMAIN=${DOMAIN} - CERTBOT_EMAIL=${SYSADMIN_EMAIL} ports: - - "80:80" - - "443:443" + - "${HTTP_PORT:-80}:80" + - "${HTTPS_PORT:-443}:443" + healthcheck: test: [ "CMD-SHELL", "nc -z localhost 443 || exit 1" ] restart: always diff --git a/files/nginx/odk-setup.sh b/files/nginx/odk-setup.sh index 2e246f61..7a6a9085 100644 --- a/files/nginx/odk-setup.sh +++ b/files/nginx/odk-setup.sh @@ -1,5 +1,5 @@ DHPATH=/etc/dh/nginx.pem -if [ ! -e "$DHPATH" ] +if [ ! -e "$DHPATH" ] && [ "$SSL_TYPE" != "upstream" ] then echo "diffie hellman private key does not exist; creating.." openssl dhparam -out "$DHPATH" 2048 
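Review bot: `SSL_TYPE=${SSL_TYPE:-letsencrypt}` gives SSL_TYPE a fallback, but `DOMAIN=${DOMAIN}` and `CERTBOT_EMAIL=${SYSADMIN_EMAIL}` on the next two lines still expand to empty strings when `.env` is missing or incomplete, so the new default path is a Let's Encrypt run with no domain and no contact address rather than an early failure. Compose's required-variable form fails at `docker-compose up` time instead: `- DOMAIN=${DOMAIN:?DOMAIN must be set}` and `- CERTBOT_EMAIL=${SYSADMIN_EMAIL:?SYSADMIN_EMAIL must be set}`. The service definition this hunk belongs to starts above the hunk.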
@@ -25,6 +25,13 @@ if [ "$SSL_TYPE" = "letsencrypt" ]
 then
 echo "starting nginx with certbot.."
 /bin/bash /scripts/entrypoint.sh
+elif [ "$SSL_TYPE" = "upstream" ]
+then
+ perl -i -ne 's/listen 443.*/listen 80;/; print if ! /ssl_/' /etc/nginx/conf.d/odk.conf
+ perl -i -pe 's/X-Forwarded-Proto \$scheme/X-Forwarded-Proto https/;' /etc/nginx/conf.d/odk.conf
+ rm -f /etc/nginx/conf.d/certbot.conf
+ echo "starting nginx without local SSL to allow for upstream SSL.."
+ nginx -g "daemon off;"
 else
 echo "starting nginx without certbot.."
 nginx -g "daemon off;"
From 0a9e01bfaf0c6a67652b48381bb3ed4d5fefaffd Mon Sep 17 00:00:00 2001
From: Yaw Anokwa
Date: Fri, 23 Apr 2021 14:16:31 -0700
Subject: [PATCH 2/4] ops: use env template to allow evolution of env and prevent merge conflicts
---
 .env | 5 -----
 .env.template | 12 ++++++++++++
 2 files changed, 12 insertions(+), 5 deletions(-)
 delete mode 100644 .env
 create mode 100644 .env.template
diff --git a/.env b/.env
deleted file mode 100644
index 16f62520..00000000
--- a/.env
+++ /dev/null
@@ -1,5 +0,0 @@
-SSL_TYPE=selfsign|letsencrypt|customssl|upstream
-DOMAIN=local|your.domain.com
-SYSADMIN_EMAIL=administrator@email.com
-HTTP_PORT=80
-HTTPS_PORT=443
diff --git a/.env.template b/.env.template
new file mode 100644
index 00000000..78ad3963
--- /dev/null
+++ b/.env.template
@@ -0,0 +1,12 @@
+# Use fully qualified domain names. Set to DOMAIN=local if SSL_TYPE=selfsign.
+DOMAIN=your.domain.com
+
+# Used for Let's Encrypt expiration emails and Enketo technical support emails
+SYSADMIN_EMAIL=administrator@email.com
+
+# Options: letsencrypt, customssl, upstream, selfsign
+SSL_TYPE=letsencrypt
+
+# Do not change if using SSL_TYPE=letsencrypt
+HTTP_PORT=80
+HTTPS_PORT=443
From 2933d0cd7104222023622b2bbc2e2b884388bcf3 Mon Sep 17 00:00:00 2001
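Review bot: The upstream branch rewrites odk.conf to `listen 80;` and hard-codes `X-Forwarded-Proto https`, so any request that reaches the published HTTP_PORT over plain HTTP is presented to the backend as if it had been TLS-terminated, whatever its real origin. That is only sound when the host port is reachable solely from the TLS-terminating proxy, and neither this hunk nor the compose change records that requirement; a comment above the first `perl` line such as `# upstream mode: nginx serves plain HTTP on 80 and forces X-Forwarded-Proto=https; HTTP_PORT must be reachable only from the TLS-terminating proxy` would state it where the next operator looks. Two further points are inferred, since odk.conf is not in the diff: `print if ! /ssl_/` drops every line containing `ssl_`, comments included, and because `perl -i` edits the file in place the rewrite persists across restarts of the same container unless odk.conf is regenerated on start, so changing SSL_TYPE without recreating the container keeps the upstream config. The enclosing if/elif chain starts above the hunk.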
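Review bot: Nothing in .env.template tells the operator that Compose reads `.env` rather than this file, and with `.env` deleted in the same patch a fresh checkout starts with DOMAIN and SYSADMIN_EMAIL empty while SSL_TYPE falls back to letsencrypt. A first line such as `# Copy this file to .env and edit it there; docker-compose reads .env only` would close that gap. The `Do not change if using SSL_TYPE=letsencrypt` comment would also help more if it said why, presumably because certificate issuance expects the standard ports; the certbot entrypoint is not in the diff, so confirm before writing it.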
From: Yaw Anokwa Date: Fri, 7 May 2021 17:11:54 -0700 Subject: [PATCH 3/4] ops: not using 80 will result in unhealthy when upstreaming --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 81e2a7ba..eace1732 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -55,7 +55,7 @@ services: - "${HTTPS_PORT:-443}:443" healthcheck: - test: [ "CMD-SHELL", "nc -z localhost 443 || exit 1" ] + test: [ "CMD-SHELL", "nc -z localhost 80 || exit 1" ] restart: always pyxform: From 686a8ec763f6dddd7864cd4f8fdbb553f7c65267 Mon Sep 17 00:00:00 2001 From: Yaw Anokwa Date: Thu, 13 May 2021 22:07:54 -0700 Subject: [PATCH 4/4] Remove seemingly random newlines --- docker-compose.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index eace1732..5df4f84c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,7 +18,6 @@ services: environment: - MAILNAME=${DOMAIN} restart: always - service: container_name: service build: @@ -53,16 +52,13 @@ services: ports: - "${HTTP_PORT:-80}:80" - "${HTTPS_PORT:-443}:443" - healthcheck: test: [ "CMD-SHELL", "nc -z localhost 80 || exit 1" ] restart: always - pyxform: container_name: pyxform image: 'getodk/pyxform-http:v1.3.4' restart: always - secrets: container_name: secrets volumes: @@ -106,10 +102,8 @@ services: - redis-server - /usr/local/etc/redis/redis.conf restart: always - volumes: transfer: enketo_redis_main: enketo_redis_cache: secrets: -
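Review bot: The reason for probing port 80 instead of 443 lives only in the commit subject, not next to the line, so the next editor may switch it back; a comment above the `test:` line such as `# port 80 is bound in every SSL_TYPE mode; upstream mode has no local 443 listener` would keep the rationale with the code. `nc -z` remains a TCP-connect check, so nginx answering with an error because a backend is down still counts as healthy, which is unchanged from the previous probe. The service definition starts above the hunk.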