authorDave Cobbley <david.j.cobbley@linux.intel.com>2018-08-22 21:40:54 -0400
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2018-08-23 12:39:42 -0400
commit194ff4f1f5d44b12e9cb06ddafa6adb20174a13c (patch)
tree823835cd29daf8901a31ac14c7e6534abf199be3 /meta-ibm/recipes-httpd
parent4feb727cd6b77a68bdaca63e121b378d814f5eaf (diff)
[Subtree] Bring openbmc machines to top level
The new subtree model brings the subtrees up from the openbmc-machines layer. Change-Id: I58a03ae1be374bc79ae1438e65e888375d12d0c0 Signed-off-by: Dave Cobbley <david.j.cobbley@linux.intel.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-ibm/recipes-httpd')
-rw-r--r--meta-ibm/recipes-httpd/nginx/files/gen-cert.sh9
-rw-r--r--meta-ibm/recipes-httpd/nginx/files/nginx.conf114
-rw-r--r--meta-ibm/recipes-httpd/nginx/files/nginx.service20
-rw-r--r--meta-ibm/recipes-httpd/nginx/files/nginx.socket8
-rw-r--r--meta-ibm/recipes-httpd/nginx/nginx_%.bbappend33
5 files changed, 184 insertions, 0 deletions
diff --git a/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh b/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh
new file mode 100644
index 000000000..480266f3b
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+PEM="/etc/ssl/certs/nginx/cert.pem"
+
+if [ ! -f $PEM ]; then
+ openssl req -x509 -sha256 -newkey rsa:2048 -keyout $PEM -out $PEM \
+ -days 3650 -subj "/O=openbmc-project.xyz/CN=localhost" \
+ -nodes
+fi
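Review bot: The private key is written by `openssl req -keyout` on line 34 without a restrictive umask, so whether `cert.pem` (which holds key and certificate together) ends up readable only by its owner depends on the openssl version's file-creation behaviour and on the inherited umask; adding `umask 077` before the `openssl` call makes the key's mode independent of both. `$PEM` is expanded unquoted on lines 33–36, harmless for this fixed path but `"$PEM"` is the safe form. If the certificate directory does not exist yet, the `-f` test passes and openssl fails; a `mkdir -p "$(dirname "$PEM")"` before the call would make the script self-contained rather than relying on the packaging step to create the directory.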
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
new file mode 100644
index 000000000..7d65183ec
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -0,0 +1,114 @@
+
+user www-data;
+worker_processes 1;
+
+error_log stderr;
+
+pid /run/nginx/nginx.pid;
+
+
+# Nginx requires this section, even if no options
+events {
+}
+
+# Note that a lot of these settings come from the OWASP Secure
+# Configuration guide for nginx
+# https://www.owasp.org/index.php/SCG_WS_nginx
+# and the mozilla security guidelines
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+
+http {
+ include mime.types;
+
+ # For certain locations, only allow one connection per IP
+ limit_conn_zone $binary_remote_addr zone=addr:10m;
+
+ # Default log format
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Comment out to enable access log in /var/log/nginx/
+ access_log off;
+
+ client_body_timeout 30;
+ client_header_timeout 10;
+ keepalive_timeout 5 5;
+ send_timeout 30;
+
+ # Do not return nginx version to clients
+ server_tokens off;
+
+ client_max_body_size 100k;
+ client_body_buffer_size 100K;
+ client_header_buffer_size 1k;
+ large_client_header_buffers 4 8k;
+
+ # redirect all http traffic to https
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl;
+ server_name 127.0.0.1;
+
+ ssl on;
+ ssl_certificate @CERTPATH@/cert.pem;
+ ssl_certificate_key @CERTPATH@/cert.pem;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ # This location lets us serve the static pre-compressed webui
+ # content (rooted at /usr/share/www). Also if the URI points to
+ # something else (that is unmatched by other locations), we
+ # fallback to the rest server. This approach is based on the
+ # guide at https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content.
+ root /usr/share/www;
+ # For clients that support gzip encoding, serve them
+ # pre-compressed gzip content. For clients that don't,
+ # uncompress on the BMC. The module gunzip requires
+ # gzip_static to be set to 'always'; gzip_static is the
+ # module that serves compressed content for clients that
+ # support gzip.
+ gunzip on;
+ gzip_static always;
+ try_files $uri $uri/ @rest_server;
+ }
+ location @rest_server {
+ # Use 127.0.0.1 instead of localhost since nginx will
+ # first use ipv6 address of ::1 which the upstream server
+ # is not listening on. This generates an error msg to
+ # the journal. Nginx then uses the 127.0.0.1 and everything
+ # works fine but want to avoid the error msg to the log.
+ proxy_pass http://127.0.0.1:8081;
+
+ # WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
+ # Marked as 33MB to allow for firmware image updating and dump
+ # downloads
+ client_max_body_size 33M;
+
+ # Only 1 connection at a time here from an IP
+ limit_conn addr 1;
+
+ proxy_pass http://127.0.0.1:8081;
+ }
+ location /redfish {
+ proxy_pass http://127.0.0.1:8082;
+ proxy_http_version 1.1;
+ }
+
+ include /etc/nginx/sites-enabled/443_*.conf;
+ }
+}
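Review bot: The TLS server block (lines 98–156) cites the OWASP and Mozilla guides in the comment on lines 57–61 but sets none of the response headers those guides call for; adding `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`, `add_header X-Content-Type-Options nosniff always;` and `add_header X-Frame-Options DENY always;` inside that `server` block would cover the static web UI served from `/usr/share/www`. `ssl on;` on line 102 duplicates the `ssl` parameter already given on `listen 443 ssl;` (line 99) and is the deprecated spelling, so it can be dropped. The port-80 redirect server also listens on `[::]:80`, but the HTTPS server only has `listen 443 ssl;`, so an IPv6 client is redirected to an address nothing listens on unless one of the included `443_*.conf` files adds `listen [::]:443 ssl;`. The regex on line 140 is unanchored, so the 33M body limit and `limit_conn addr 1` also apply to any URI that merely contains those substrings; anchoring it with `^` keeps the relaxation to the intended endpoints.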
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.service b/meta-ibm/recipes-httpd/nginx/files/nginx.service
new file mode 100644
index 000000000..3f9dd3de6
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=The NGINX HTTP and reverse proxy server
+After=network.target
+
+[Service]
+Type=forking
+SyslogIdentifier=nginx
+ExecStartPre=/usr/bin/env gen-cert.sh
+ExecStartPre=-/usr/bin/env mkdir /var/volatile/nginx/
+ExecStartPre=/usr/bin/env nginx -t -p /var/volatile/nginx
+ExecStart=/usr/bin/env nginx -p /var/volatile/nginx
+ExecReload=/usr/bin/env kill -s HUP $MAINPID
+ExecStop=/usr/bin/env kill -s QUIT $MAINPID
+PrivateTmp=true
+# First time on system takes longer for initial setup so
+# give double normal timeout
+TimeoutStartSec=180
+
+[Install]
+WantedBy={SYSTEMD_DEFAULT_TARGET}
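Review bot: `Type=forking` on line 169 has no `PIDFile=`, so systemd must guess the main PID and the `$MAINPID` used by `ExecReload` and `ExecStop` (lines 175–176) may not be the nginx master; since nginx.conf in this commit sets `pid /run/nginx/nginx.pid;`, adding `PIDFile=/run/nginx/nginx.pid` makes those two lines reliable. The `-` prefix on line 172 ignores every failure of `mkdir`, including permission or read-only-filesystem errors, when the only error it intends to tolerate is the directory already existing; `ExecStartPre=/usr/bin/env mkdir -p /var/volatile/nginx/` expresses that without masking the rest. A short comment such as `# gen-cert.sh creates the self-signed cert on first boot; nginx -t validates the config before start` would record why there are three ExecStartPre steps.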
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.socket b/meta-ibm/recipes-httpd/nginx/files/nginx.socket
new file mode 100644
index 000000000..24be604da
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.socket
@@ -0,0 +1,8 @@
+[Unit]
+Description=Nginx
+
+[Socket]
+ListenStream=8081
+
+[Install]
+WantedBy=sockets.target
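Review bot: `ListenStream=8081` on line 194 binds port 8081 on all interfaces, while the nginx.conf in this commit proxies to `http://127.0.0.1:8081` and treats that backend as loopback-only; if this unit is installed, the proxied service becomes reachable directly, without the TLS and connection limits nginx applies in front of it. `ListenStream=127.0.0.1:8081` restricts the socket to the loopback address the proxy actually uses. The bbappend in this commit does not list nginx.socket in SRC_URI, so the file looks unused as committed; either install it with the loopback address or drop it.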
diff --git a/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend b/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend
new file mode 100644
index 000000000..8eb7e402b
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend
@@ -0,0 +1,33 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+inherit systemd
+inherit obmc-phosphor-systemd
+
+SRC_URI += " \
+ file://nginx.conf \
+ file://nginx.service \
+ file://gen-cert.sh \
+ "
+
+EXTRA_OECONF =+ " --without-select_module --with-http_gunzip_module"
+
+SSLCERTPATH = "/etc/ssl/certs/nginx/"
+
+
+do_install_append() {
+
+ install -m 644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx
+ install -m 0755 ${WORKDIR}/gen-cert.sh ${D}${sbindir}/gen-cert.sh
+
+ install -d ${D}${SSLCERTPATH}
+ chown -R www:www-data ${D}${SSLCERTPATH}
+
+
+ echo SSLCERTPATH
+ echo ${SSLCERTPATH}
+ sed -i 's,@CERTPATH@,${SSLCERTPATH},g' ${D}${sysconfdir}/nginx/nginx.conf
+}
+
+FILES_${PN} += " ${SSLCERTPATH} "
+
+SYSTEMD_SERVICE_${PN} += " nginx.service"
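Review bot: `chown -R www:www-data ${D}${SSLCERTPATH}` on line 226 gives the certificate directory to user `www`, while nginx.conf in this commit runs workers as `user www-data;`; unless a `www` user exists in the image this chown fails or leaves the directory owned by an unintended uid, and `chown -R www-data:www-data ${D}${SSLCERTPATH}` would match the server configuration. The two `echo` lines (229–230) look like leftover debug output and can be removed. `install -d ${D}${SSLCERTPATH}` on line 225 creates the directory with the default mode; since gen-cert.sh writes the private key there, `install -d -m 0750 ${D}${SSLCERTPATH}` keeps the directory from being world-searchable.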