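# nginx image that loads TLS private keys through the OpenSSL PKCS#11 engine,
# backed by a SoftHSM2 token store kept in a volume.
#
# SoftHSM2 is a software-only PKCS#11 token: key material is stored as files
# under /var/lib/softhsm and is protected only by file permissions and the
# token PIN, not by hardware.

# The base image is a build argument so that builds can pin an exact tag or
# digest without editing this file, e.g.
#   docker build --build-arg NGINX_IMAGE=nginx:<tag>@sha256:<digest> .
# The default stays nginx:latest for backward compatibility. It is a moving
# tag, so unpinned builds are not reproducible and pick up whatever the
# registry serves at build time.
ARG NGINX_IMAGE=nginx:latest
FROM ${NGINX_IMAGE}

# Install the OpenSSL PKCS#11 engine and the SoftHSM2 PKCS#11 module.
# update + install + list cleanup share one layer so no stale apt index is
# cached or shipped in the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
    libengine-pkcs11-openssl \
    libsofthsm2 \
 && rm -rf /var/lib/apt/lists

# Add the nginx user to the softhsm group so it can open the token store.
# Anything running as nginx gains the same access to the token files.
# NOTE(review): the softhsm group is presumably created by the package install
# above - confirm, since usermod fails the build if the group is missing.
RUN usermod -a -G softhsm nginx

# tls.conf: nginx TLS configuration dropped into conf.d.
# openssl.cnf.nginx replaces the image-wide OpenSSL configuration, so it
# affects every OpenSSL consumer in the container, not only nginx.
# NOTE(review): if either file carries the token PIN, the PIN is baked into an
# image layer and readable by anyone who can pull the image - confirm, and
# prefer supplying it at runtime.
COPY tls.conf /etc/nginx/conf.d/
COPY openssl.cnf.nginx /etc/ssl/openssl.cnf

# Token store lives in a volume so key material stays out of image layers.
# Declared after the package install so that whatever the packages wrote to
# this path is kept as the volume's initial content.
VOLUME /var/lib/softhsm

# Exec form: nginx runs as PID 1 in the foreground and receives stop signals.
# "ssl_engine pkcs11;" is passed as a global directive so nginx loads the
# PKCS#11 engine installed above.
CMD ["nginx", "-g", "daemon off;ssl_engine pkcs11;"]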
