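#!/bin/bash
#
# One-shot HTTPS bootstrap for a single domain, rendered from a template:
# <%= domain %> and <%= docker_http_port %> are substituted before the script
# runs, so they are trusted deployment values rather than runtime user input.
#
# Steps:
#   1. write the port-80 vhost that serves ACME http-01 challenges from the
#      webroot and redirects everything else to HTTPS
#   2. issue the certificate with acme.sh in webroot mode
#   3. install key + full chain under /root/ssl
#   4. append the port-443 reverse-proxy vhost, reload nginx, smoke-test
#
# Must run as root; requires nginx, curl and /root/.acme.sh/acme.sh.
set -euo pipefail

readonly domain='<%= domain %>'
readonly upstream_port='<%= docker_http_port %>'
readonly webroot='/var/www/letsencrypt'
readonly ssl_dir='/root/ssl'
readonly acme='/root/.acme.sh/acme.sh'
# NOTE(review): the two vhosts land in different include directories
# (conf.d vs sites-enabled), exactly as in the original; confirm that the
# installed nginx.conf includes both before relying on this layout.
readonly http_conf="/etc/nginx/conf.d/${domain}.conf"
readonly https_conf="/etc/nginx/sites-enabled/${domain}.conf"
# File names are kept as the original used them (the full chain is ".key.pem").
readonly key_file="${ssl_dir}/${domain}.key"
readonly chain_file="${ssl_dir}/${domain}.key.pem"

step() { printf '=== %s ===\n' "$*"; }
die()  { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Test the nginx config, then reload and give workers a moment to pick it up.
# A malformed vhost stops the script here with nginx's own diagnostic instead
# of surfacing later as a failed ACME challenge.
#######################################
reload_nginx() {
  nginx -t || die "nginx configuration test failed; not reloading"
  nginx -s reload
  sleep 2
}

#######################################
# Append the heredoc on stdin to a config file unless the file already
# contains the marker line, so re-running the script does not stack
# duplicate server blocks into the same file.
# Arguments: $1 - config file path
#            $2 - literal line identifying the block (matched with grep -F)
#######################################
append_once() {
  local file=$1 marker=$2
  if grep -qsF -- "$marker" "$file"; then
    printf 'skip: %s already contains "%s"\n' "$file" "$marker" >&2
    cat >/dev/null   # drain the heredoc so the caller's stdin is consumed
    return 0
  fi
  cat >>"$file"
}

step "init folder"
mkdir -p -- "$webroot" "$ssl_dir"
# The private key is copied into this directory; keep it root-only.
chmod 700 -- "$ssl_dir"

step "${domain}.conf"
# Unquoted delimiter: the shell expands ${domain}/${webroot}; nginx variables
# are written as \$name so they reach the config file untouched.
append_once "$http_conf" "listen 80;" <<EOF
server {
    listen 80;
    server_name ${domain};

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root ${webroot};
    }

    location / {
        return 301 https://${domain}\$request_uri;
    }
}
EOF

step "nginx"
reload_nginx

step "renew ssl"
# acme.sh returns 2 (RENEW_SKIP) when the current certificate is not yet due
# for renewal. Under set -e that must not abort the script, so the status is
# captured and only other non-zero values are treated as failures.
rc=0
"$acme" --issue -d "$domain" -w "$webroot" || rc=$?
case "$rc" in
  0|2) ;;
  *) die "acme.sh --issue failed with status ${rc}" ;;
esac

step "copy ssl cert"
# acme.sh remembers these install paths and the reload command, so later
# renewals re-copy the files and reload nginx without this script.
"$acme" --installcert -d "$domain" \
  --keypath "$key_file" \
  --fullchainpath "$chain_file" \
  --reloadcmd "nginx -s reload"

step "append https to nginx config"
# TLS policy is carried over unchanged (TLS 1.2 only, ECDHE key exchange with
# AEAD/SHA-2 suites, server-preferred order). Worth confirming against the
# installed nginx/OpenSSL before extending: adding TLSv1.3 to ssl_protocols,
# and a Strict-Transport-Security header once HTTPS is known to be stable.
# Also kept from the original, but worth a deliberate decision:
#   - gzip over TLS: compressing responses that mix secrets with
#     attacker-influenced content is a known side channel; keep gzip_types
#     to asset types where that applies.
#   - client_max_body_size 0 removes the upload limit entirely; prefer a
#     finite cap unless the upstream enforces its own.
#   - Connection "Upgrade" is sent on every proxied request; the usual
#     refinement is a map on \$http_upgrade so plain requests keep keep-alive.
append_once "$https_conf" "listen 443 ssl;" <<EOF
server {
    server_name ${domain};
    listen 443 ssl;

    gzip on;
    gzip_proxied any;
    gzip_types text/css text/javascript text/xml text/plain application/javascript application/x-javascript application/json;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_certificate ${chain_file};
    ssl_certificate_key ${key_file};
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # buffer larger messages
    client_max_body_size 0;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host \$http_host;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_pass http://localhost:${upstream_port};
    }
}
EOF

step "nginx reload"
reload_nginx

step "test"
# A TLS handshake or connection failure makes curl exit non-zero and, under
# set -e, fails the script; an HTTP error status alone does not.
curl -I "https://${domain}"
echo ""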