#!/bin/bash
set -eu
### --help Info: настройка конфигов nginx
### --help Usage:
### --help Example:
. /opt/fox_utils/crab_sys.sh
declare ARG_CERTBOT_RENEW
sys::arg_parse "$@"

declare DOMAIN=
declare NGINX_USE_CERTBOT=
declare ADMIN_EMAIL=

declare NGINX_ENABLED EXTERNAL_PORT_HTTPS DISABLE_HTTPS_REDIRECT EVA_DEPLOY_TYPE
declare EVA_HTTP_PORT EVA_HTTPS_PORT BASE_HREF
source /opt/CONFIG


prepare() {
	# rm -f /etc/nginx/sites-enabled/default
	if [ ! -f /mnt/tmp/etc/nginx/dh4096.pem ]; then
		mkdir -p /mnt/tmp/etc/nginx/
		openssl dhparam -dsaparam -out /mnt/tmp/etc/nginx/dh4096.pem 4096
	fi
	return 0
}


localhost_domain() {
	if [[ ${EVA_DEPLOY_TYPE:-} = k8s || $(id -u) != 0 ]]; then  # fixme lxc and root
		echo "Skip patch /etc/hosts EVA_DEPLOY_TYPE=${EVA_DEPLOY_TYPE:-}, uid=$(id -u)"
		return 0
	fi

	echo "Прописываем 127.0.0.1 $DOMAIN в /etc/hosts" >&2
	if ! grep -q "127.0.0.1 $DOMAIN" /etc/hosts; then
		echo "127.0.0.1 $DOMAIN" >> /etc/hosts || true
		# Для read-only docker-контейнеров должен использоваться параметр -h
	fi
	return 0
}


configure_base_href() {
	# Возможность работы под префиксом.
	local base_href='' base_href_redirect=''
	if [[ ${BASE_HREF:-} ]]; then
		base_href="$BASE_HREF"
		# Приведём к виду /prefix
		base_href="${base_href%/}"
		base_href="${base_href#/}"
		base_href="/$base_href"
		base_href_redirect="location / { rewrite ^ https://\$host"
		base_href_redirect+="${EXTERNAL_PORT_HTTPS:+:$EXTERNAL_PORT_HTTPS}"
		base_href_redirect+="$base_href\$request_uri redirect; }"
	fi
	sed -i "s~@@@base_href%%%~$base_href~g" \
		/mnt/tmp/etc/nginx/conf.d/eva-app.conf
	sed -i -Ee "s~@@@base_href_redirect%%%~$base_href_redirect~" \
		/mnt/tmp/etc/nginx/conf.d/eva-app.conf
	# !!! do not touch read-only files, patch by backend endpoint on-fly
	# sed -i -Ee "/<base href=/ s~href=\"[^\"]*\"~href=\"${base_href}/\"~" \
	# 	/opt/eva-app/dist/cmf-angular/index.html || true
	/opt/fox_utils/crab_conf set BASE_HREF "$base_href" /opt/eva-app/custom/config.py
	return 0
}


configure_listen_ports() {
	# Возможность переопределить порты
	sed -i "s/@@@eva_http_port%%%/${EVA_HTTP_PORT:-1080}/g" /mnt/tmp/etc/nginx/conf.d/eva-app.conf
	sed -i "s/@@@eva_https_port%%%/${EVA_HTTPS_PORT:-1443}/g" /mnt/tmp/etc/nginx/conf.d/eva-app.conf
	# Dont listen private port in non-root mode
	if [[ $(id -u) = 0 ]]; then
		sed -i "s/@@@listen_http_private%%%/listen 80;/g" /mnt/tmp/etc/nginx/conf.d/eva-app.conf
		sed -i "s/@@@listen_https_private%%%/listen 443 ssl;/g" /mnt/tmp/etc/nginx/conf.d/eva-app.conf
	else
		sed -i "s/@@@listen_http_private%%%//g" /mnt/tmp/etc/nginx/conf.d/eva-app.conf
		sed -i "s/@@@listen_https_private%%%//g" /mnt/tmp/etc/nginx/conf.d/eva-app.conf
	fi
	return 0
}


configure_https_redirect() {
	if [[ ${DISABLE_HTTPS_REDIRECT:-} ]]; then
		sed -i 's/@@@https_redirect_schema%%%/redirect_disabled/g' \
			/mnt/tmp/etc/nginx/conf.d/eva-app.conf
	else
		sed -i 's/@@@https_redirect_schema%%%/http/g' \
			/mnt/tmp/etc/nginx/conf.d/eva-app.conf
	fi
	return 0
}


build_scheme_domain() {
	echo "Настраиваем работу на домене ${DOMAIN} ..."
	# configure
	cp -a /opt/bin/templates/eva-app.conf /mnt/tmp/etc/nginx/conf.d/eva-app.conf
	sed -i "s/@@@eva_domain%%%/${DOMAIN}/g" /mnt/tmp/etc/nginx/conf.d/eva-app.conf
	sed -i "s/@@@external_https_port%%%/${EXTERNAL_PORT_HTTPS:+:$EXTERNAL_PORT_HTTPS}/g" \
		/mnt/tmp/etc/nginx/conf.d/eva-app.conf
	configure_https_redirect
	configure_base_href
	configure_listen_ports
	return 0
}


check_certbot() {
	local nginx_conf
	if [[ "${NGINX_USE_CERTBOT:-}" != 1 ]]; then
		echo "NGINX_USE_CERTBOT disabled. Skip Certificate renewal." >&2
		return 0
	fi
	echo "Проверяем сертификат LetsEncrypt"
	# certbot портит конфиг, сохраним и восстановим его
	nginx_conf="$(</mnt/tmp/etc/nginx/conf.d/eva-app.conf)"
	if ! certbot --nginx -d "$DOMAIN" -m "$ADMIN_EMAIL" -n --agree-tos; then
		echo "Ошибка получения сертификата Lets Encrypt!"
		echo "Возможно, домен $DOMAIN недоступен из сети интернет или указан неверно."
		echo "Если домен недоступен из интернета (например, доступен только в интранете)"
		echo "то нужно отключить опцию NGINX_USE_CERTBOT и добавить сертификат вручную"
		echo "$nginx_conf" >/mnt/tmp/etc/nginx/conf.d/eva-app.conf
		return 0
	fi
	echo "$nginx_conf" >/mnt/tmp/etc/nginx/conf.d/eva-app.conf
	ln -sf /etc/letsencrypt/live/${DOMAIN}/fullchain.pem \
		/etc/nginx/ssl/${DOMAIN}.crt
	ln -sf /etc/letsencrypt/live/${DOMAIN}/privkey.pem \
		/etc/nginx/ssl/${DOMAIN}.key
	return 0
}


main() {
	if [ "${NGINX_ENABLED:-TRUE}" != 'TRUE' ]; then
		echo "Сервис nginx отключен, пропускаем процедуру его конфигурации" >&2
		exit 0
	fi
	if [[ ${ARG_CERTBOT_RENEW:-} = TRUE ]]; then
		check_certbot
		return 0
	fi
	prepare
	localhost_domain
	build_scheme_domain
	check_certbot
	return 0
}


main
exit 0