#!/usr/bin/env bash
# Fill in the following variables
appname=            #google
proxyurl=           #http://webapps.kvm:4001
domain=             #www.google.com
eff_email_address=  #eff@eff.com

# Check privilege
if [ $(id -u) -ne 0 ]
then
    echo "This script must be run by root" >&2
    exit 1
fi

# Variable check
if [ -z ${appname} ] || [ -z ${proxyurl} ] || [ -z ${domain} ] || [ -z ${eff_email_address} ]
then
    echo "Missing variable, exiting..."
    exit 1
fi

# Figure out nginx conf directory
if grep -q 'include.*conf.d' /etc/nginx/nginx.conf
then
    nginxdir=/etc/nginx/conf.d
elif grep -q 'include.*sites-available' /etc/nginx/nginx.conf
then
    nginxdir=/etc/nginx/sites-available
    ln -s -f /etc/nginx/sites-available/${appname}.conf /etc/nginx/sites-enabled/
else
    echo "Missing nginx directory, exiting..."
    exit 1
fi

# Virtual proxy
cat <<- 'proxy' | \
sed -e "s|{{domain}}|${domain}|" \
    -e "s|{{proxyurl}}|${proxyurl}|" \
    -e "s|{{appname}}|${appname}|" | tee ${nginxdir}/${appname}.conf >/dev/null
server {
    server_name {{domain}};

    location / {
        proxy_pass {{proxyurl}};
        error_log  /var/log/nginx/{{appname}}_error.log;
        access_log /var/log/nginx/{{appname}}_access.log;

        # proxy_params;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_cache_bypass  $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # http_upgrade
    # Security
    server_tokens off;
    add_header X-Frame-Options                   "SAMEORIGIN"        	always;
    add_header X-Content-Type-Options            "nosniff"           	always;
    add_header X-XSS-Protection                  "1; mode=block"     	always;
    add_header Referrer-Policy                   "strict-origin"       	always;
    add_header X-Permitted-Cross-Domain-Policies "none"              	always;
    add_header X-Robots-Tag                      "noindex, nofollow" 	always;
    # add_header Content-Security-Policy 	    "default-src 'self';" 	always;

    # http2
    http2 on;

    # http3
    listen 443 quic;
    add_header Alt-Svc 'h3=":443"; ma=86400';
    quic_retry on;
    http3 on;

    # Certbot defaults
    listen 443 ssl;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
proxy

# Run certbot
if nginx -t
then
    certbot --nginx --non-interactive --agree-tos --no-eff-email -m ${eff_email_address} -d ${domain} \
        --staple-ocsp --hsts --no-redirect --renew-hook 'docker exec --interactive --tty myvemail /bin/ash -c "dovecot reload; postfix reload"'

    # Link certificates
    ln -s /etc/letsencrypt/live/${domain}/fullchain.pem ./data/ssl/tls.pem
    ln -s /etc/letsencrypt/live/${domain}/privkey.pem ./data/ssl/tls.key
fi