nginx: allow custom nginx config under sites-enabled

fix 562

CHANGELOG.md

@@ -2,12 +2,12 @@
 
 ## untagged
 
+- Allow custom nginx config files
+  ([#617](https://github.com/chatmail/relay/pull/617))
+
 - Check whether GCC is installed in initenv.sh
   ([#608](https://github.com/chatmail/relay/pull/608))
 
-- Automate file ownership setting from host migration process
-  ([#609](https://github.com/chatmail/relay/pull/609))
-
 - Expire push notification tokens after 90 days
   ([#583](https://github.com/chatmail/relay/pull/583))
 

README.md

@@ -255,6 +255,19 @@ This starts a local live development cycle for chatmail web pages:
 
 - Starts a browser window automatically where you can "refresh" as needed.
 
+#### Custom web pages
+
+If you want to include other pages,
+they need their separate nginx config
+under `/etc/nginx/sites-enabled/`.
+Note that they need to listen on port 8443 instead of 443.
+
+To request TLS certificates for the corresponding domains,
+point the DNS records to your Server and run `acmetool want <domain>`.
+You can find the TLS certificates under `/var/lib/acme/live`.
+They will be automatically renewed.
+
+
 ## Mailbox directory layout
 
 Fresh chatmail addresses have a mailbox directory that contains: 
@@ -395,6 +408,15 @@ in this case, just run `ssh-keygen -R "mail.example.org"` as recommended.
    Postfix and Dovecot are disabled for now; we will enable them later. 
    We first need to make the new site fully operational. 
 
+3. On the new site, run the following to ensure the ownership is correct in case UIDs/GIDs changed:
+
+   ```
+    chown root: -R /var/lib/acme
+    chown opendkim: -R /etc/dkimkeys
+    chown vmail: -R /home/vmail/mail
+    chown echobot: -R /run/echobot
+   ```
+
 4. Now, update DNS entries. 
 
    If other MTAs try to deliver messages to your chatmail domain they may fail intermittently,

cmdeploy/src/cmdeploy/__init__.py

@@ -424,6 +424,12 @@ def _configure_nginx(config: Config, debug: bool = False) -> bool:
     """Configures nginx HTTP server."""
     need_restart = False
 
+    files.link(
+        name="disable nginx default site",
+        path="/etc/nginx/sites-enabled/default",
+        present=False,
+    )
+
     main_config = files.template(
         src=importlib.resources.files(__package__).joinpath("nginx/nginx.conf.j2"),
         dest="/etc/nginx/nginx.conf",
@@ -748,20 +754,6 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
     _remove_rspamd()
     opendkim_need_restart = _configure_opendkim(mail_domain, "opendkim")
 
-    #
-    # If this system is pre-populated with data from a previous instance,
-    # we might need to adjust ownership of files.
-    #
-    stateful_paths = {
-        "/etc/dkimkeys": "opendkim",
-        "/home/vmail/mail": "vmail",
-        "/run/echobot": "echobot",
-        "/var/lib/acme": "root",
-    }
-    for stateful_path, path_owner in stateful_paths.items():
-        files.directory(stateful_path)  # In case it doesn't exist yet.
-        server.shell("chown {}: -R {}".format(path_owner, stateful_path))
-
     systemd.service(
         name="Start and enable OpenDKIM",
         service="opendkim.service",

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -136,4 +136,7 @@ http {
 		return 301 $scheme://{{ config.domain_name }}$request_uri;
 		access_log syslog:server=unix:/dev/log,facility=local7;
 	}
+
+    # Include custom pages; they need to listen on port 8443 instead of port 443
+	include /etc/nginx/sites-enabled/*;
 }