#!/usr/bin/env bash
# a script to build nginx against openssl-dev on ubuntu/debian/arch linux/alpine linux
# includes nginx fancyindex module

# exit on error
set -e

# display last non-zero exit code in a failed pipeline
set -o pipefail

# subshells and functions inherit ERR traps
set -E

# select the nginx version to build
NGINX="1.19.2"

# select the openssl branch to build
OPENSSL="OpenSSL_1_1_1-stable"

# set core count for make
core_count="$(grep -c ^processor /proc/cpuinfo)"

# choose where to put the build files
# by default this is in a temporary directory
BUILDROOT="$(mktemp -d)"

# remove the build directory on exit
function cleanup {
	sudo rm -rf "$BUILDROOT"
}
trap cleanup EXIT

# if pacman is installed, use the arch dependencies
if command -v pacman 2>&1 >/dev/null; then
	sudo pacman -S gcc cmake git gnupg go pcre libcurl-compat zlib --noconfirm --needed

# if apt is installed, use the debian dependencies
elif command -v apt 2>&1 >/dev/null; then
	sudo apt-get install -y build-essential gcc g++ cmake git gnupg golang libpcre3 libpcre3-dev curl zlib1g-dev libcurl4-openssl-dev

# if apk is installed, install the alpine dependencies
elif command -v apk 2>&1 > /dev/null; then
	sudo apk add gcc g++ cmake git gnupg go pcre-dev curl zlib-dev openssl-dev

# otherwise list the expected packages and ask the user to install them manually
else
        echo -e "\nCompatible package manager not found."
        echo -e "\nThe following packages are typically required: gcc, g++, cmake, git, gnupg, go, pcre, libcurl, zlib. Please install them manually and re-run the script."
        read -p $'If all dependencies are installed and you would like to proceed, please type ACCEPT and press Enter.\n\n' acknowledgement2

        # if the user acknowledges, begin the build
        if [ "$acknowledgement2" = "ACCEPT" ]; then
                echo -e ""
        # otherwise, exit with error
        else
                echo -e "\nExiting script...\n"
                exit 1
        fi
fi

# delete any previous build directory
if [ -d "$BUILDROOT" ]; then
	sudo rm -rf "$BUILDROOT"
fi

# create the build directory
mkdir -p "$BUILDROOT"
cd "$BUILDROOT"

# check if git supports forced ipv4, added in 2.8
git_version="$(git --version | awk '{print $3}' | cut -d"." -f1-2 )"
ishigher="$(echo -e "$git_version\n2.8" | sort -V | tail -n1)"
if [[ "$git_version" == "$ishigher" ]]; then
        forcev4="-4"
else
        forcev4=""
fi

# clone the desired openssl branch, over ipv4 if supported due to slow ipv6 connectivity
git clone "$forcev4" -b "$OPENSSL" git://git.openssl.org/openssl.git
cd openssl

# use default openssl configurations
./config

# build openssl
make -j"$core_count"

# fetch the desired version of nginx
mkdir -p "$BUILDROOT/nginx"
cd "$BUILDROOT"/nginx
curl -L -O "http://nginx.org/download/nginx-$NGINX.tar.gz"
tar xzf "nginx-$NGINX.tar.gz"
cd "$BUILDROOT/nginx/nginx-$NGINX"

# fetch the fancy-index module
git clone https://github.com/aperezdc/ngx-fancyindex.git "$BUILDROOT"/ngx-fancyindex

# configure the nginx source to include our added modules
# and to use our newly built openssl library
sudo ./configure --prefix=/usr/share/nginx \
	--add-module="$BUILDROOT"/ngx-fancyindex \
	--sbin-path=/usr/sbin/nginx \
	--conf-path=/etc/nginx/nginx.conf \
	--error-log-path=/var/log/nginx/error.log \
	--http-log-path=/var/log/nginx/access.log \
	--pid-path=/run/nginx.pid \
	--lock-path=/run/lock/subsys/nginx \
	--user=www-data \
	--group=www-data \
	--with-threads \
	--with-file-aio \
	--with-pcre \
	--with-pcre-jit \
	--with-http_ssl_module \
	--with-http_v2_module \
	--with-http_realip_module \
	--with-http_gunzip_module \
	--with-http_gzip_static_module \
	--without-select_module \
	--without-poll_module \
	--without-mail_pop3_module \
	--without-mail_imap_module \
	--without-mail_smtp_module \
	--with-openssl="$BUILDROOT/openssl" \
	--with-cc-opt="-g -O3 -march=native -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -I $BUILDROOT/openssl" \
	--with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -L $BUILDROOT/openssl/"

# build nginx
sudo make -j"$core_count"
sudo make install

# if systemctl is installed (fairly strong indicator systemd is in use), add a service unit file if it does not exist
if command -v systemctl 2>&1 >/dev/null && [ ! -f "/lib/systemd/system/nginx.service" ]; then

# add systemd service file
cat <<EOL | sudo tee /lib/systemd/system/nginx.service
[Unit]
Description=NGINX with OpenSSL-dev
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/usr/bin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOL

# enable and start nginx
sudo systemctl enable nginx.service
sudo systemctl start nginx.service

# reload nginx config
sudo systemctl restart nginx.service
fi