[change] Added more env variables in nginx image

[pandafy]

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.
• N/A I have written new test cases for new code and/or updated existing tests for changes to existing code.
• I have updated the documentation.

[nemesifier]

@coderabbitai review

[pandafy]

@coderabbitai review!

[coderabbitai]

@pandafy: I'll review the changes in this PR right away!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds environment-driven NGINX configuration: three new ENV vars (NGINX_WORKER_PROCESSES, NGINX_WORKER_CONNECTIONS, NGINX_EVENTS_BLOCK) in the Dockerfile; a templated nginx.template.conf that substitutes those vars and exposes worker_rlimit_nofile via ${NGINX_WORKER_RLIMIT_NOFILE}; and changes to images/common/init_command.sh that set NGINX_EVENTS_BLOCK, default NGINX_WORKER_RLIMIT_NOFILE to UNSET, run envsubst to generate /etc/nginx/nginx.conf from the template, then remove UNSET placeholders, any worker_rlimit_nofile directives, and empty lines.

Sequence Diagram

sequenceDiagram
    participant Container as Container Startup
    participant InitScript as init_command.sh
    participant EnvSubst as envsubst
    participant Cleanup as cleanup (sed)
    participant NginxConf as /etc/nginx/nginx.conf

    Container->>InitScript: execute init_command.sh
    InitScript->>InitScript: set NGINX_EVENTS_BLOCK (printf)
    InitScript->>InitScript: default NGINX_WORKER_RLIMIT_NOFILE=__UNSET__
    InitScript->>EnvSubst: envsubst nginx.template.conf -> /etc/nginx/nginx.conf
    EnvSubst->>NginxConf: write substituted nginx.conf
    InitScript->>Cleanup: remove __UNSET__, worker_rlimit_nofile lines, empty lines
    Cleanup->>NginxConf: update nginx.conf (cleaned)
    NginxConf-->>Container: configuration ready

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description lacks a detailed explanation of changes and closes statement; only a partial checklist is provided.	Add a 'Description of Changes' section explaining what environment variables were added and why, and include a 'Closes #' reference.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding environment variables to the nginx image configuration.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch nginx-config

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@images/common/init_command.sh`:
- Around line 61-63: The script decodes NGINX_EVENTS_BLOCK after envsubst wrote
/etc/nginx/nginx.conf and emits a debug echo; move the printf "%b" decode so
NGINX_EVENTS_BLOCK is decoded before running envsubst (so the decoded multi-line
block is substituted into the generated nginx.conf), remove the debug echo line
that prints "$NGINX_EVENTS_BLOCK", and keep the existing sed cleanup (sed -i
'/__UNSET__/d; /^worker_rlimit_nofile *$/d; /^[ \t]*$/d' /etc/nginx/nginx.conf)
so only the decoded block is templated into the final file without logging raw
content.

In `@images/openwisp_nginx/nginx.template.conf`:
- Line 8: The template uses unsupported `${VAR:-default}` fallback so `envsubst`
leaves it unchanged; update the nginx.template.conf line to use plain
`${NGINX_WORKER_RLIMIT_NOFILE}` (or `$NGINX_WORKER_RLIMIT_NOFILE`) and ensure a
default is applied before envsubst by setting/exporting
NGINX_WORKER_RLIMIT_NOFILE in images/common/init_command.sh (e.g., assign
NGINX_WORKER_RLIMIT_NOFILE=${NGINX_WORKER_RLIMIT_NOFILE:-<desired_default>} or
export the value) so worker_rlimit_nofile is rendered correctly without relying
on envsubst to handle defaults.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 18600e99-e95c-4ae4-82be-174f70ef29c5

📥 Commits

Reviewing files that changed from the base of the PR and between 0700ed3 and 196cf1b.

📒 Files selected for processing (3)

• images/common/init_command.sh
• images/openwisp_nginx/Dockerfile
• images/openwisp_nginx/nginx.template.conf

📜 Review details

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2026-02-17T17:08:12.144Z

Learnt from: atif09
Repo: openwisp/docker-openwisp PR: 555
File: .env:7-9
Timestamp: 2026-02-17T17:08:12.144Z
Learning: In docker-openwisp, OPENWISP_VERSION=edge is intentionally set as the default in .env to maintain consistency with the existing TAG=edge default in the Makefile. Production users are expected to override OPENWISP_VERSION in their .env file to pin to a specific stable release tag.

Applied to files:

• images/openwisp_nginx/Dockerfile

📚 Learning: 2026-02-17T12:50:25.569Z

Learnt from: pandafy
Repo: openwisp/docker-openwisp PR: 564
File: images/common/utils.sh:33-40
Timestamp: 2026-02-17T12:50:25.569Z
Learning: For shell scripts under images/common that invoke certbot, in certbot >= 3.3.0 (Mar 2025), you no longer need --register-unsafely-without-email when using --noninteractive --agree-tos without providing an email. If your scripts previously passed this flag, remove it to rely on default account registration without an email. This applies when no email is supplied; if an email is provided, behavior is unchanged. Update tests to reflect that certbot will proceed without prompting for an email in non-interactive mode.

Applied to files:

• images/common/init_command.sh

🔇 Additional comments (2)

images/openwisp_nginx/Dockerfile (1)

45-47: Good defaulting for new nginx worker env vars.

These defaults are sensible and keep backward-compatible behavior while enabling runtime overrides.

images/openwisp_nginx/nginx.template.conf (1)

15-16: Nice extensibility in the events block.

Parameterizing worker_connections and allowing optional block injection here is a clean, scoped way to enable runtime tuning.

[coderabbitai]

♻️ Duplicate comments (1)

images/common/init_command.sh (1)

61-63: ⚠️ Potential issue | 🔴 Critical

Export NGINX_WORKER_RLIMIT_NOFILE before envsubst.

Line 61 only assigns a shell-local variable. When NGINX_WORKER_RLIMIT_NOFILE is not already exported, Line 62 renders worker_rlimit_nofile ;, and Line 63 does not delete that line. The generated nginx.conf is then invalid on the unset/default path.

🐛 Proposed fix

-	NGINX_WORKER_RLIMIT_NOFILE="${NGINX_WORKER_RLIMIT_NOFILE:-__UNSET__}"
+	export NGINX_WORKER_RLIMIT_NOFILE="${NGINX_WORKER_RLIMIT_NOFILE:-__UNSET__}"

Run this to verify the behavior difference:

#!/bin/bash
set -eu

tmpl='worker_rlimit_nofile ${NGINX_WORKER_RLIMIT_NOFILE};\n'

echo 'Current behavior (assigned, not exported):'
sh -c 'NGINX_WORKER_RLIMIT_NOFILE="__UNSET__"; printf "%b" "'"$tmpl"'" | envsubst'

echo
echo 'Expected behavior (exported):'
sh -c 'export NGINX_WORKER_RLIMIT_NOFILE="__UNSET__"; printf "%b" "'"$tmpl"'" | envsubst'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@images/common/init_command.sh` around lines 61 - 63, The envsubst call uses
NGINX_WORKER_RLIMIT_NOFILE but the script only assigns it as a shell-local
variable, so when not exported envsubst leaves an empty/invalid
"worker_rlimit_nofile  ;" in the generated file; change the assignment to export
NGINX_WORKER_RLIMIT_NOFILE (i.e., export
NGINX_WORKER_RLIMIT_NOFILE="${NGINX_WORKER_RLIMIT_NOFILE:-__UNSET__}") before
calling envsubst in init_command.sh so envsubst sees the variable, and keep the
existing sed cleanup to remove the __UNSET__ marker if needed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@images/common/init_command.sh`:
- Around line 61-63: The envsubst call uses NGINX_WORKER_RLIMIT_NOFILE but the
script only assigns it as a shell-local variable, so when not exported envsubst
leaves an empty/invalid "worker_rlimit_nofile  ;" in the generated file; change
the assignment to export NGINX_WORKER_RLIMIT_NOFILE (i.e., export
NGINX_WORKER_RLIMIT_NOFILE="${NGINX_WORKER_RLIMIT_NOFILE:-__UNSET__}") before
calling envsubst in init_command.sh so envsubst sees the variable, and keep the
existing sed cleanup to remove the __UNSET__ marker if needed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f4a61540-8203-4f94-b589-7828a2b3b122

📥 Commits

Reviewing files that changed from the base of the PR and between 196cf1b and c6b1c9b.

📒 Files selected for processing (2)

• images/common/init_command.sh
• images/openwisp_nginx/nginx.template.conf

📜 Review details

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-02-17T12:50:25.569Z

Learnt from: pandafy
Repo: openwisp/docker-openwisp PR: 564
File: images/common/utils.sh:33-40
Timestamp: 2026-02-17T12:50:25.569Z
Learning: For shell scripts under images/common that invoke certbot, in certbot >= 3.3.0 (Mar 2025), you no longer need --register-unsafely-without-email when using --noninteractive --agree-tos without providing an email. If your scripts previously passed this flag, remove it to rely on default account registration without an email. This applies when no email is supplied; if an email is provided, behavior is unchanged. Update tests to reflect that certbot will proceed without prompting for an email in non-interactive mode.

Applied to files:

• images/common/init_command.sh

[kilo-code-bot]

WARNING: \t in bracket expression not interpreted as tab by BusyBox sed

In Alpine Linux, sed is provided by BusyBox, which does not interpret \t as a tab character inside a bracket expression [ \t]. The pattern /^[ \t]*$/d will only match lines containing literal backslash and t characters, not actual tab characters. Lines consisting solely of tab characters will not be removed.

Use $'\t' expansion or a POSIX character class instead:

Suggested change

	sed -i '/__UNSET__/d; /^worker_rlimit_nofile *$/d; /^[ \t]*$/d' /etc/nginx/nginx.conf
	sed -i '/__UNSET__/d; /^worker_rlimit_nofile *$/d; /^[[:space:]]*$/d' /etc/nginx/nginx.conf

[kilo-code-bot]

Code Review Summary

Status: 3 Issues Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	0
WARNING	3
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
images/common/init_command.sh	63	\t in bracket expression [ \t] is not interpreted as tab by BusyBox sed on Alpine Linux; use [[:space:]] instead
docs/user/settings.rst	N/A	New env variables NGINX_WORKER_PROCESSES, NGINX_WORKER_CONNECTIONS, NGINX_EVENTS_BLOCK, and NGINX_WORKER_RLIMIT_NOFILE are not documented. The PR checklist explicitly shows documentation is unchecked. Other NGINX_* variables (e.g. NGINX_GZIP_*, NGINX_SSL_*) are documented in this file.
tests/	N/A	No tests added for the new nginx worker configuration env variables. The PR checklist marks tests as N/A, but new configurable env variables affecting nginx behavior should have test coverage to prevent regressions.

Other Observations (not in diff)

Issues found in unchanged code or outside the diff that cannot receive inline comments:

File	Line	Issue
docs/user/settings.rst	N/A	WARNING: Documentation not updated — 4 new env variables (NGINX_WORKER_PROCESSES, NGINX_WORKER_CONNECTIONS, NGINX_EVENTS_BLOCK, NGINX_WORKER_RLIMIT_NOFILE) are introduced but not documented in the settings reference. All other NGINX_* variables are documented here.
tests/	N/A	WARNING: No regression tests added for the new nginx worker configuration variables. The PR checklist marks tests as N/A, but given that these variables affect nginx startup behavior (including the sed cleanup logic), test coverage would help prevent regressions.

Files Reviewed (3 files)

• images/common/init_command.sh - 1 issue
• images/openwisp_nginx/nginx.template.conf - 0 issues
• images/openwisp_nginx/Dockerfile - 0 issues

Fix these issues in Kilo Cloud

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@images/common/init_command.sh`:
- Line 60: The decoded NGINX_EVENTS_BLOCK is currently assigned only as a shell
variable so envsubst can't see it; change the assignment so the value is
exported to the environment (e.g., export NGINX_EVENTS_BLOCK after or during the
printf assignment) so envsubst can substitute the decoded content into
nginx.conf; update the code around the NGINX_EVENTS_BLOCK assignment in
init_command.sh to ensure NGINX_EVENTS_BLOCK is an exported environment variable
visible to envsubst.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 14a3300a-7c3a-4fa2-ab43-402e7e1367ee

📥 Commits

Reviewing files that changed from the base of the PR and between c6b1c9b and 1a7c5e4.

📒 Files selected for processing (1)

• images/common/init_command.sh

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: CI Build

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-02-17T12:50:25.569Z

Learnt from: pandafy
Repo: openwisp/docker-openwisp PR: 564
File: images/common/utils.sh:33-40
Timestamp: 2026-02-17T12:50:25.569Z
Learning: For shell scripts under images/common that invoke certbot, in certbot >= 3.3.0 (Mar 2025), you no longer need --register-unsafely-without-email when using --noninteractive --agree-tos without providing an email. If your scripts previously passed this flag, remove it to rely on default account registration without an email. This applies when no email is supplied; if an email is provided, behavior is unchanged. Update tests to reflect that certbot will proceed without prompting for an email in non-interactive mode.

Applied to files:

• images/common/init_command.sh

🔇 Additional comments (1)

images/common/init_command.sh (1)

61-63: LGTM!

• Line 61 correctly exports NGINX_WORKER_RLIMIT_NOFILE with a sentinel default for later cleanup.
• Line 63 properly uses [[:space:]] for POSIX-compliant blank line removal in BusyBox sed.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@images/common/init_command.sh`:
- Around line 60-61: The export using command substitution for
NGINX_EVENTS_BLOCK masks the exit status (SC2155); change to first assign the
expansion to the variable name NGINX_EVENTS_BLOCK (e.g.,
NGINX_EVENTS_BLOCK="$(printf "%b" "${NGINX_EVENTS_BLOCK:-}")") and then run
export NGINX_EVENTS_BLOCK in a separate statement so the printf exit code is not
hidden; apply the same pattern anywhere you see export combined with command
substitution (the current line exporting NGINX_EVENTS_BLOCK is the target).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 88dbdff7-9c47-4dac-8f7f-216802564f72

📥 Commits

Reviewing files that changed from the base of the PR and between 55205ea and de8a50b.

📒 Files selected for processing (3)

• images/common/init_command.sh
• images/openwisp_nginx/Dockerfile
• images/openwisp_nginx/nginx.template.conf

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: CI Build

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2026-02-17T17:08:12.144Z

Learnt from: atif09
Repo: openwisp/docker-openwisp PR: 555
File: .env:7-9
Timestamp: 2026-02-17T17:08:12.144Z
Learning: In docker-openwisp, OPENWISP_VERSION=edge is intentionally set as the default in .env to maintain consistency with the existing TAG=edge default in the Makefile. Production users are expected to override OPENWISP_VERSION in their .env file to pin to a specific stable release tag.

Applied to files:

• images/openwisp_nginx/Dockerfile

📚 Learning: 2026-02-17T12:50:25.569Z

Learnt from: pandafy
Repo: openwisp/docker-openwisp PR: 564
File: images/common/utils.sh:33-40
Timestamp: 2026-02-17T12:50:25.569Z
Learning: For shell scripts under images/common that invoke certbot, in certbot >= 3.3.0 (Mar 2025), you no longer need --register-unsafely-without-email when using --noninteractive --agree-tos without providing an email. If your scripts previously passed this flag, remove it to rely on default account registration without an email. This applies when no email is supplied; if an email is provided, behavior is unchanged. Update tests to reflect that certbot will proceed without prompting for an email in non-interactive mode.

Applied to files:

• images/common/init_command.sh

🪛 Shellcheck (0.11.0)

images/common/init_command.sh

[warning] 60-60: Declare and assign separately to avoid masking return values.

(SC2155)

---

[warning] 60-60: Quote this to prevent word splitting.

(SC2046)

🔇 Additional comments (4)

images/openwisp_nginx/Dockerfile (1)

45-47: LGTM!

The new environment variables are well-structured with sensible defaults:

• NGINX_WORKER_PROCESSES=1 - appropriate single-worker default for containers
• NGINX_WORKER_CONNECTIONS=1024 - standard default matching nginx defaults
• NGINX_EVENTS_BLOCK='' - allows optional additional events configuration

The placement after NGINX_CUSTOM_FILE groups related nginx configuration variables logically.

images/common/init_command.sh (1)

62-63: LGTM!

The environment-driven nginx configuration generation is well implemented:

• envsubst correctly generates nginx.conf from the template
• The sed cleanup properly removes __UNSET__ placeholders, empty worker_rlimit_nofile directives, and blank lines
• Using [[:space:]] instead of \t ensures compatibility with BusyBox sed on Alpine

images/openwisp_nginx/nginx.template.conf (2)

7-8: LGTM!

The template correctly uses plain ${VAR} syntax compatible with GNU envsubst. The worker_rlimit_nofile directive with ${NGINX_WORKER_RLIMIT_NOFILE} will be properly handled by the init script's sed cleanup when not set.

---

14-17: The sed pattern cleanup works correctly and doesn't need changes.

The first sed pattern /__UNSET__/d removes the entire line containing __UNSET__ (including the trailing semicolon). After envsubst with NGINX_WORKER_RLIMIT_NOFILE=__UNSET__, line 8 becomes worker_rlimit_nofile __UNSET__;, which is completely deleted by the first pattern, leaving no residual content. The second pattern /^worker_rlimit_nofile *$/d is redundant but harmless since the line no longer exists after the first pattern executes.

			> Likely an incorrect or invalid review comment.

[nemesifier]

@coderabbitai review and approve or summarize outstanding issues

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch PR diff and file contents
gh pr diff 573 --repo openwisp/docker-openwisp

echo "---FILE: init_command.sh---"
cat images/common/init_command.sh

echo "---FILE: Dockerfile---"
cat images/openwisp_nginx/Dockerfile

echo "---FILE: nginx.template.conf---"
cat images/openwisp_nginx/nginx.template.conf

Length of output: 10254

---

@nemesifier: I've reviewed all the changes in this PR. The implementation is functionally correct and the approach is sound. Here's a summary of the outstanding issues to address before approving:

---

Outstanding Issues

1. NGINX_WORKER_RLIMIT_NOFILE not exposed in Dockerfile ENV block
This variable is handled entirely in init_command.sh (defaulting to __UNSET__ sentinel when unset/empty) but is absent from the Dockerfile's ENV declarations. Unlike the other three new variables, it won't appear in docker inspect output and is invisible to users scanning the Dockerfile for supported variables. Consider adding it with a placeholder comment:

# NGINX_WORKER_RLIMIT_NOFILE=65535  # Uncomment/set to enable

Or document it clearly in the project docs.

2. Documentation not updated
The PR description explicitly marks the documentation checkbox as unchecked. Since four new tuneable variables (NGINX_WORKER_PROCESSES, NGINX_WORKER_CONNECTIONS, NGINX_EVENTS_BLOCK, NGINX_WORKER_RLIMIT_NOFILE) are being introduced, the project docs should reference them, especially since NGINX_EVENTS_BLOCK supports multiline injection via printf "%b" escape sequences — a non-obvious feature.

3. Overly aggressive blank-line removal in sed

sed -i '/__UNSET__/d; /^worker_rlimit_nofile *$/d; /^[[:space:]]*$/d' /etc/nginx/nginx.conf

The third clause (/^[[:space:]]*$/d) removes all blank lines from the generated nginx.conf, not just the one left behind by the removed worker_rlimit_nofile directive. The generated config will have no whitespace separation between blocks, making it harder to debug. A more targeted approach would only remove the blank line immediately following the deleted directive.

4. Redundant sed pattern
The pattern /^worker_rlimit_nofile *$/d is dead code — when NGINX_WORKER_RLIMIT_NOFILE is unset/empty, the init script sets it to __UNSET__, so the substituted line becomes worker_rlimit_nofile __UNSET__;, which is always caught by /__UNSET__/d. The second pattern can never match a line ending with a semicolon (as the template has one), so it's unreachable. It's harmless but adds confusion.

---

What's Working Well

• The __UNSET__ sentinel pattern correctly handles both unset and empty-string cases (via :-).
• printf "%b" for NGINX_EVENTS_BLOCK cleanly enables multiline block injection.
• Default values (NGINX_WORKER_PROCESSES=1, NGINX_WORKER_CONNECTIONS=1024) preserve backward compatibility.

Items 1 and 2 are the blocking concerns; items 3 and 4 are minor improvements. Happy to approve once the documentation gap is addressed.

[nemesifier]

@pandafy shouldn't NGINX_WORKER_RLIMIT_NOFILE be listed here or not?

[pandafy]

It was not strictly required since we were providing the default value in the init command. For sake of completeness, I have added this.