merge upstream

Author: Zoey2936

Dockerfile

@@ -50,7 +50,8 @@ RUN ln -s /app/password-reset.js /usr/local/bin/password-reset.js && \
     ln -s /app/index.js /usr/local/bin/index.js
 
 ENV NODE_ENV=production \
-    DB_SQLITE_FILE=/data/database.sqlite
+    NODE_CONFIG_DIR=/data/etc/npm \
+    DB_SQLITE_FILE=/data/etc/npm/database.sqlite
 
 WORKDIR /app
 ENTRYPOINT ["start.sh"]

README.md

@@ -46,6 +46,8 @@ so that the barrier for entry here is low.
 - Only use TLSv1.2 and TLSv1.3
 - Uses OCSP Stapling
   - Needs manual migration if you use custom certificates, just upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder
+- fixed dnspod plugin
+  - Needs manual migration, please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/nginx-proxy-manager/blob/develop/global/certbot-dns-plugins.js) for the template)
 - Smaller then the original
 - Runs the admin interface on port 81 with https
 - Default page runs also with https
@@ -64,18 +66,18 @@ so that the barrier for entry here is low.
 - Auto database vacuum (only sqlite) (FULLCLEAN=true)
 - Auto certbot old certs clean (FULLCLEAN=true)
 - Passwort reset (only sqlite) (`docker exec -it nginx-proxy-manager password-reset.js USER_EMAIL PASSWORD`)
+- TLS supported for MariaDB/MySQL, please set the `DB_MYSQL_TLS` env to true. If you use self signed certificates you can upload them for example to `/data/etc/npm/ca.crt` and set the `DB_MYSQL_CA` to `/data/etc/npm/ca.crt` (not tested)
 
 ## Soon
-- disabling IPv4/IPv6
-- MariaDB/MySQL TLS support (if requested)
+- disabling IPv4/IPv6 ([1](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/develop/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh) / [2](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/develop/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh) / nginx templates (nginx.js lines 200-300))
 - support changing the PUID/PGID (maybe)
 - more
 
 ## migration
 - **NOTE: migrating back to the original is not possible**, so make first a **backup** before migration, so you can use the backup to switch back
 - if you use custom certificates, you need to upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder
 - some buttons have changed, check if they are still correct
-- please delete all dnspod certs and recreate them
+- please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/nginx-proxy-manager/blob/develop/global/certbot-dns-plugins.js) for the template)
 - changing the PUID/PGID is not supported (since it would break running in network_mode host)
 
 # Use as webserver

backend/db.js

@@ -1,7 +1,7 @@
 const config = require('./lib/config');
 
 if (!config.has('database')) {
-	throw new Error('Database config does not exist! Please read the instructions: https://nginxproxymanager.com/setup/');
+	throw new Error('Database config does not exist! Please read the instructions: https://nginxproxymanager.com/setup');
 }
 
 function generateDbConfig() {
@@ -16,7 +16,8 @@ function generateDbConfig() {
 			user:     cfg.user,
 			password: cfg.password,
 			database: cfg.name,
-			port:     cfg.port
+			port:     cfg.port,
+			ssl:      cfg.tls,
 		},
 		migrations: {
 			tableName: 'migrations'

backend/internal/certificate.js

@@ -4,7 +4,6 @@ const https            = require('https');
 const tempWrite        = require('temp-write');
 const moment           = require('moment');
 const logger           = require('../logger').ssl;
-const config           = require('../lib/config');
 const error            = require('../lib/error');
 const utils            = require('../lib/utils');
 const certificateModel = require('../models/certificate');
@@ -16,8 +15,8 @@ const archiver         = require('archiver');
 const path             = require('path');
 const { isArray }      = require('lodash');
 
-const letsencryptConfig  = '/data/tls/certbot/config.ini';
-const certbotCommand     = 'certbot --config-dir /data/tls/certbot';
+const certbotConfig  = '/data/tls/certbot/config.ini';
+const certbotCommand = 'certbot --config-dir /data/tls/certbot';
 
 function omissions() {
 	return ['is_deleted'];

backend/lib/config.js

@@ -2,14 +2,14 @@ const fs      = require('fs');
 const NodeRSA = require('node-rsa');
 const logger  = require('../logger').global;
 
-const keysFile = '/data/keys.json';
+const keysFile = '/data/etc/npm/keys.json';
 
 let instance = null;
 
 // 1. Load from config file first (not recommended anymore)
 // 2. Use config env variables next
 const configure = () => {
-	const filename = (process.env.NODE_CONFIG_DIR || './config') + '/' + (process.env.NODE_ENV || 'default') + '.json';
+	const filename = (process.env.NODE_CONFIG_DIR || '/data/etc/npm') + '/' + (process.env.NODE_ENV || 'default') + '.json';
 	if (fs.existsSync(filename)) {
 		let configData;
 		try {
@@ -29,6 +29,8 @@ const configure = () => {
 	const envMysqlHost = process.env.DB_MYSQL_HOST || null;
 	const envMysqlUser = process.env.DB_MYSQL_USER || null;
 	const envMysqlName = process.env.DB_MYSQL_NAME || null;
+	const envMysqlTls  = process.env.DB_MYSQL_TLS  || null;
+	const envMysqlCa   = process.env.DB_MYSQL_CA   || '/etc/ssl/certs/ca-certificates.crt';
 	if (envMysqlHost && envMysqlUser && envMysqlName) {
 		// we have enough mysql creds to go with mysql
 		logger.info('Using MySQL configuration');
@@ -40,13 +42,14 @@ const configure = () => {
 				user:     envMysqlUser,
 				password: process.env.DB_MYSQL_PASSWORD,
 				name:     envMysqlName,
+				ssl:      envMysqlTls ? { ca: fs.readFileSync(envMysqlCa) } : false,
 			},
 			keys: getKeys(),
 		};
 		return;
 	}
 
-	const envSqliteFile = process.env.DB_SQLITE_FILE || '/data/database.sqlite';
+	const envSqliteFile = process.env.DB_SQLITE_FILE || '/data/etc/npm/database.sqlite';
 	logger.info(`Using Sqlite: ${envSqliteFile}`);
 	instance = {
 		database: {