feat(nginx): Make nginx Non-root & Read-only-friendly

[kiblik]

Fix #11031

[Maffooch]

@mtesauro does this fit into your plans for image hardening?

[mtesauro]

@mtesauro does this fit into your plans for image hardening?

TBH, I was going to start with the DefectDojo/Django containers first as those are the containers where we have the most code / do the most modifications.

Changing the UID to under the typical 1000+ is interesting but I don't believe it will cause issues for k8s and it also seems that OpenSift has stopped wanting specific UIDs based on this so this shouldn't hurt those using k8s or compose currently as far as I can tell.

[mtesauro]

I can test this PR out when it's not a draft as well

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[kiblik]

I can test this PR out when it's not a draft as well

The current issue with this PR is that as soon as the process tries to modify configs

django-DefectDojo/docker/entrypoint-nginx.sh

Line 24 in 1b338e2

sed -i '/listen \[::\]:/d' "$NGINX_CONFIG"

django-DefectDojo/docker/entrypoint-nginx.sh

Line 28 in 1b338e2

sed -i "s/#stub_status/stub_status/g;" $NGINX_CONFIG

django-DefectDojo/docker/entrypoint-nginx.sh

Line 33 in 1b338e2

sed -i "s/#auth_basic/auth_basic/g;" $NGINX_CONFIG

django-DefectDojo/docker/entrypoint-nginx.sh

Line 36 in 1b338e2

echo "$METRICS_HTTP_AUTH_USER":"$openssl_passwd" >> /etc/nginx/.htpasswd

execution fails (because FS is read-only).

I'm considering creating a separate PR that will be responsible for generating the final config, which will be on a read-write location. It would combine multiple partial definitions of the nginx.conf file. Also, I would like to merge it with nginx_TLS.conf because most of the file is the same.