From 26b196af3e7c0c41d1e26a66e517f5fb2c09ae92 Mon Sep 17 00:00:00 2001
From: Ivan Isaev
Date: Wed, 11 May 2016 20:13:35 +0500
Subject: [PATCH] Optional passphrase support
---
 README.md | 5 +++++
 nginx.tmpl | 10 ++++++++++
 2 files changed, 15 insertions(+)
diff --git a/README.md b/README.md
index 2e217be..b8753fb 100644
--- a/README.md
+++ b/README.md
@@ -105,6 +105,11 @@ hosts in use. The certificate and keys should be named after the virtual host w
 `.key` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory.
+#### Passphrase
+
+Optionally you can set passphrase file for each certificate by creating `.pw` file with passphrase in certs directory.
+For example `foo.bar.com.pw`.
+
 #### Diffie-Hellman Groups
 If you have Diffie-Hellman groups enabled, the files should be named after the virtual host with a
diff --git a/nginx.tmpl b/nginx.tmpl
index 855e90d..0b28d3e 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -69,6 +69,9 @@ server {
 ssl_certificate /etc/nginx/certs/default.crt;
 ssl_certificate_key /etc/nginx/certs/default.key;
+ {{ if (exists "/etc/nginx/certs/default.pw") }}
+ ssl_password_file /etc/nginx/certs/default.pw;
+ {{ end }}
 }
 {{ end }}
@@ -149,6 +152,10 @@ server {
 ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+ {{ if (exists (printf "/etc/nginx/certs/%s.pw" $cert)) }}
+ ssl_password_file {{ printf "/etc/nginx/certs/%s.pw" $cert }};
+ {{ end }}
+
 {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
 ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 {{ end }}
@@ -213,6 +220,9 @@ server {
 ssl_certificate /etc/nginx/certs/default.crt;
 ssl_certificate_key /etc/nginx/certs/default.key;
+ {{ if (exists "/etc/nginx/certs/default.pw") }}
+ ssl_password_file /etc/nginx/certs/default.pw;
+ {{ end }}
 }
 {{ end }}
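Review bot: The passphrase file is looked up in the same `/etc/nginx/certs` directory as the key it unlocks (`default.pw` in the hunk at -69, and likewise `%s.pw` at -149 and `default.pw` at -213), so anyone who can read that mounted volume obtains both the encrypted key and its passphrase. The encryption then only helps when a `.key` file is copied or backed up on its own, and neither the template nor the README says so. I would add a template comment above the first block, for example `# .pw is stored beside the .key: keep it mode 0400, readable only by the account that loads the nginx config, and out of backups that contain the key`, and repeat that caveat in the README section. The `exists` test is evaluated when the template is rendered, so a `.pw` file added or removed later presumably takes effect only on the next regeneration; worth confirming and documenting. The enclosing `server` blocks start outside all three hunks.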