From d8434a02cf3d3195b3c15af045a4d1ae1137c23f Mon Sep 17 00:00:00 2001
From: Stan Yagolnitser
Date: Fri, 14 Dec 2018 12:18:28 -0800
Subject: [PATCH] added sanity checks for /setup/systemd route

---
 nginx.conf | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/nginx.conf b/nginx.conf
index 69f5ff3..1ea1b35 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -121,9 +121,26 @@ http {
 alias /ca/ca.crt;
 }
 
- location /setup {
+ location /setup/systemd {
 add_header "Content-type" "text/plain" always;
 return 200 '
+set -e
+
+if [ ! -d /etc/systemd ]; then
+ echo "Not a systemd system"
+ exit 1
+fi
+
+if [[ $EUID -ne 0 ]]; then
+ echo "Must be root to change system files"
+ exit 1
+fi
+
+if [[ $(systemctl is-active --quiet docker.service) -ne 0 ]]; then
+ echo "Docker service missing"
+ exit 1
+fi
+
 mkdir -p /etc/systemd/system/docker.service.d
 cat << EOD > /etc/systemd/system/docker.service.d/http-proxy.conf
 [Service]
@@ -132,7 +149,12 @@ EOD
 
 # Get the CA certificate from the proxy and make it a trusted root.
 curl $scheme://$http_host/ca.crt > /usr/share/ca-certificates/docker_registry_proxy.crt
-echo "docker_registry_proxy.crt" >> /etc/ca-certificates.conf
+if fgrep -q "docker_registry_proxy.crt" /etc/ca-certificates.conf ; then
+ echo "certificate refreshed"
+else
+ echo "docker_registry_proxy.crt" >> /etc/ca-certificates.conf
+fi
+
 update-ca-certificates --fresh
 
 # Reload systemd
@@ -140,11 +162,10 @@ systemctl daemon-reload
 
 # Restart dockerd
 systemctl restart docker.service
+echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
 ';
- }
-
- # @TODO: add a dynamic root path that generates instructions for usage on docker clients
- }
+ } # end location /setup/systemd
+ } # end server
 
 
 # The caching layer
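Review bot: In the first hunk (`@@ -121,9 +121,26 @@`), the Docker check `if [[ $(systemctl is-active --quiet docker.service) -ne 0 ]]` can never fire: the command substitution captures stdout, which `--quiet` leaves empty, and `[[ "" -ne 0 ]]` is false, so a host without an active docker.service still has its system files rewritten. Test the exit status instead, `if ! systemctl is-active --quiet docker.service; then`. The root check relies on `[[` and `$EUID`, which are bash-only; if the served script is piped into a POSIX `sh` the test errors out inside the `if` and the guard is skipped, so `if [ "$(id -u)" -ne 0 ]; then` is the safer form. Because this text sits inside an nginx `return` string that already depends on `$scheme`/`$http_host` expansion, `$EUID` and `$(` are probably parsed by nginx as variable references as well; confirm with `nginx -t`. The script body continues past this hunk.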
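Review bot: In the second hunk (`@@ -132,7 +149,12 @@`), `fgrep -q "docker_registry_proxy.crt"` is a substring match, so an entry that was deselected as `!docker_registry_proxy.crt` also matches and the certificate is never re-enabled, while the script still prints "certificate refreshed". An exact whole-line match avoids that: `if grep -qxF "docker_registry_proxy.crt" /etc/ca-certificates.conf; then`. The message is also printed without knowing that the download on the context line above succeeded; `curl` without `--fail` exits 0 on an HTTP error, so the `set -e` added in the first hunk does not stop an error page from being written into the CA directory. Since this file becomes a trusted root, it is worth verifying that it parses as a certificate (for example `openssl x509 -noout -in <file>`) before running `update-ca-certificates`. The script starts and ends outside this hunk.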