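#!/bin/bash
#
# Install nginx via apt and drop in a set of shared configuration files
# (Let's Encrypt alias, SSL params, proxy params, PHP-FPM) fetched from a gist.
# Optionally installs acme.sh (-a) and a default vhost (-d).
#
# SECURITY NOTE: everything below is fetched from "$GIST/raw", which tracks the
# *latest* revision of the gist, and two of the downloads (the acme.sh
# installer and generate-dhparams.sh) are executed as root. Whoever controls
# those URLs controls this host. Pin GIST to a specific revision and verify a
# checksum of each file before trusting the result on a production machine.

# Stop at the first failed step so a broken download is never installed or run.
set -euo pipefail

INSTALL_ACMESH=0
DOWNLOAD_DEFAULT=0

GIST="https://gist.github.com/Decicus/2f09db5d30f4f24e39de3792bba75b72/raw"
NGINX="/etc/nginx"
SSL_BASE="/srv/ssl"

DEFAULT_DIR="$NGINX/conf.d"
DEFAULT_NAME="000-default.conf"

DH_PARAMS_BITS=2048

# Print usage information to stdout.
help() {
  cat << EOF
usage: $0

Install the \`nginx\` package via apt and add extra configuration files.

OPTIONS:
    -h      Shows helptext
    -a      Installs acme.sh and downloads "bootstrapping" files.
    -d      Downloads the $DEFAULT_NAME file into $DEFAULT_DIR
    -b      Use 4096 bits for dhparams (default: $DH_PARAMS_BITS)
EOF
}

# Download $1 into a private temp file and only then write it to $2.
# --fail keeps HTTP error pages out of config files, --proto '=https' refuses
# any redirect that would downgrade to plain HTTP, and staging the download
# means an interrupted transfer never truncates an existing file.
fetch() {
  local url=$1
  local dest=$2
  local staged="$WORK_DIR/download"

  curl --fail --location --proto '=https' "$url" -o "$staged"
  # Redirect (rather than mv) so an existing destination keeps its owner/mode.
  cat -- "$staged" > "$dest"
}

# Append line $1 to file $2 unless that exact line is already present, so
# re-running the script does not stack duplicate entries in shell rc files.
append_once() {
  local line=$1
  local file=$2

  if ! grep -qxF -- "$line" "$file" 2> /dev/null; then
    printf '%s\n' "$line" >> "$file"
  fi
}

# Leading ':' selects getopts' silent mode: without it OPTARG is unset for an
# unknown option and the "Invalid option" message prints an empty flag name.
while getopts ":hadb" opt; do
  case "$opt" in
    h)
      help
      exit 0
      ;;
    a)
      INSTALL_ACMESH=1
      echo "Installing and bootstrapping \`acme.sh\`"
      ;;
    d)
      DOWNLOAD_DEFAULT=1
      echo "Downloading 000-default.conf to /etc/nginx/conf.d"
      ;;
    b)
      DH_PARAMS_BITS=4096
      echo "Using 4096 bits for dhparams"
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
    :)
      # Not reachable today (no option takes an argument); kept for later use.
      echo "Option -$OPTARG requires an argument." >&2
      exit 1
      ;;
  esac
done

# The script chowns to root and writes under /etc/nginx and /srv without sudo,
# so it cannot succeed unprivileged. Fail early instead of half-way through.
if ((EUID != 0)); then
  echo "This script must be run as root." >&2
  exit 1
fi

# Private scratch directory for downloads; removed on every exit path.
WORK_DIR="$(mktemp -d)"
trap 'rm -rf -- "$WORK_DIR"' EXIT

# Make sure the 'essentials' are installed
# We use `nginx` as the script assumes the script for using nginx.org APT repos
# has been used (https://git.io/nginx-debian)
# Using `nginx-full` would in this case use the Debian/Ubuntu repos, which are
# a few versions behind.
# apt-get is used because the `apt` front end has no stable scripting interface.
sudo apt-get install -y nginx openssl curl

if [[ $INSTALL_ACMESH != 0 ]]; then
  # Get acme.sh for issuing certificates.
  # NOTE(review): this runs a remote installer as root with no integrity check.
  # It is at least downloaded completely before execution, so a truncated or
  # failed transfer is never partially executed.
  ACMESH_INSTALLER="$WORK_DIR/get-acme.sh"
  curl --fail --location --proto '=https' https://get.acme.sh/ -o "$ACMESH_INSTALLER"
  sudo bash "$ACMESH_INSTALLER"
fi

# Create preferred base directory for storing SSL certificates.
mkdir -p -- "$SSL_BASE"
chown -R root:root -- "$SSL_BASE"
# Owner-only access. Capital X keeps the search bit on directories (0700) while
# plain files end up 0600; a flat 600 would strip it from the directories too.
chmod -R u=rwX,go= -- "$SSL_BASE"

# Now the fun starts
# I have bash scripts that interact with acme.sh
# But I use zsh as the main shell
# Therefore I need a shared "environment file" that loads acme.sh
# And related environment variables
if [[ $INSTALL_ACMESH != 0 ]]; then
  # Add to ZSH/Bash config files
  fetch "$GIST/.acmeenv" "$HOME/.acmeenv"
  # Single quotes are deliberate: $HOME must be expanded when the rc file is
  # sourced, not now.
  # shellcheck disable=SC2016
  append_once '. "$HOME/.acmeenv"' "$HOME/.zshrc"
  # shellcheck disable=SC2016
  append_once '. "$HOME/.acmeenv"' "$HOME/.bashrc"
fi

# Get the alias config for Let's Encrypt challenges:
fetch "$GIST/letsencrypt.conf" "$NGINX/letsencrypt.conf"

# Get the base SSL configuration
fetch "$GIST/ssl_params.conf" "$NGINX/ssl_params.conf"

# Get the base reverse proxy configuration
fetch "$GIST/proxy_params" "$NGINX/proxy_params"

# Get the PHP 8.1 FPM configuration (not enabled by default)
# You also need to install PHP before enabling it.
fetch "$GIST/phpfpm.conf" "$NGINX/phpfpm.conf"

# Get the dhparams file generation script, and execute.
# NOTE(review): remote script executed as root without verification; see the
# security note at the top of this file.
DH_PARAMS_TEMP="$WORK_DIR/generate-dhparams.sh"
curl --fail --location --proto '=https' "$GIST/generate-dhparams.sh" -o "$DH_PARAMS_TEMP"
sudo bash "$DH_PARAMS_TEMP" "$DH_PARAMS_BITS"
rm -f -- "$DH_PARAMS_TEMP"

# Check if systemd is installed and enable the service.
# Since I usually just install stock Debian with systemd, this may not be
# required. `whereis` exits 0 even when nothing is found, so test for the
# command itself instead.
if command -v systemctl > /dev/null 2>&1; then
  systemctl enable --now nginx
fi

if [[ $DOWNLOAD_DEFAULT != 0 ]]; then
  fetch "$GIST/$DEFAULT_NAME" "$DEFAULT_DIR/$DEFAULT_NAME"

  # Remove the default configuration included when installing nginx.
  # -f: it may already be gone on a re-run.
  rm -f -- /etc/nginx/conf.d/default.conf
fi

echo "Base setup done. Open this link for a base nginx site configuration: $GIST/$DEFAULT_NAME"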