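#!/bin/bash
#
# Build nginx against BoringSSL from source on a Debian/Ubuntu host and
# install it as a systemd service. Needs sudo; fetches sources from
# nginx.org and boringssl.googlesource.com.
#
# Optional environment overrides:
#   LATESTNGINX   nginx version to fetch (defaults to the version pinned below)
#   BUILDROOT     scratch directory for sources and build output
#                 (default: a fresh private mktemp directory under /tmp)

# Abort on the first failed command, unset variable or failed pipeline stage:
# without this a failed clone/cmake/configure still reaches `make install`.
set -euo pipefail

LATESTNGINX="${LATESTNGINX:-1.11.10}"
# A fixed, predictable /tmp path lets any local user pre-create the directory
# and seed the tree that is later built and installed with root privileges;
# mktemp hands out a directory only this user can write to.
BUILDROOT="${BUILDROOT:-$(mktemp -d /tmp/boring-nginx.XXXXXX)}"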

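# Pre-req: refresh package lists and apply pending upgrades.
# NOTE: `upgrade -y` upgrades every installed package on the host, not only
# the build dependencies; drop it if that side effect is not wanted here.
sudo apt-get update
sudo apt-get upgrade -y

# Install build dependencies:
#   build-essential, cmake, golang  - BoringSSL's CMake build (Go is required by it)
#   git, curl                       - fetching BoringSSL and the nginx tarball
#   gnupg                           - checking the nginx tarball signature
#   libpcre3-dev, zlib1g-dev        - nginx rewrite/gzip support
# gnupg-curl is intentionally not installed: the signing key is only ever
# read from a local file here, and the package appears to have been dropped
# from current Debian/Ubuntu releases, where listing it makes this step fail.
sudo apt-get install -y \
  build-essential \
  cmake \
  git \
  gnupg \
  golang \
  libpcre3-dev \
  curl \
  zlib1g-dev \
  libcurl4-openssl-dev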

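# Create the build root and fetch BoringSSL.
mkdir -p "$BUILDROOT"
cd "$BUILDROOT"

# Build BoringSSL.
# NOTE: an unpinned clone means the TLS stack that ends up in nginx differs
# from run to run and cannot be reproduced later. Set BORINGSSL_REF to a tag
# or commit (checked out below) to get a reproducible build.
if [[ ! -d "$BUILDROOT/boringssl/.git" ]]; then
  git clone https://boringssl.googlesource.com/boringssl "$BUILDROOT/boringssl"
fi
if [[ -n "${BORINGSSL_REF:-}" ]]; then
  git -C "$BUILDROOT/boringssl" checkout "$BORINGSSL_REF"
fi
mkdir -p "$BUILDROOT/boringssl/build"
cd "$BUILDROOT/boringssl/build"
cmake ..
make -j"$(nproc)"

# nginx's --with-openssl expects an OpenSSL-style tree: headers under
# .openssl/include and libraries under .openssl/lib. Symlink the headers and
# copy the two static libraries there. `ln -sfn` keeps this re-runnable.
mkdir -p "$BUILDROOT/boringssl/.openssl/lib"
ln -sfn ../include "$BUILDROOT/boringssl/.openssl/include"
cp "$BUILDROOT/boringssl/build/crypto/libcrypto.a" "$BUILDROOT/boringssl/.openssl/lib/"
cp "$BUILDROOT/boringssl/build/ssl/libssl.a" "$BUILDROOT/boringssl/.openssl/lib/"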

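# Prep nginx: fetch signing key, tarball and detached signature over HTTPS.
# `-f` makes curl fail on HTTP errors instead of saving an error page as the
# "tarball".
mkdir -p "$BUILDROOT/nginx"
cd "$BUILDROOT/nginx"
curl -fsSL -o nginx_signing.key "https://nginx.org/keys/nginx_signing.key"
curl -fsSL -o "nginx-$LATESTNGINX.tar.gz" "https://nginx.org/download/nginx-$LATESTNGINX.tar.gz"
curl -fsSL -o "nginx-$LATESTNGINX.tar.gz.asc" "https://nginx.org/download/nginx-$LATESTNGINX.tar.gz.asc"

# Verify the tarball against the nginx signing key in a throwaway keyring.
# The key is deliberately NOT registered with `apt-key add`: this script never
# configures an nginx apt repository, so doing so would only make nginx's key
# a trusted signer for every apt repository on the host while still leaving
# the tarball itself unchecked.
# Set NGINX_KEY_FPR to the key fingerprint obtained out of band (spaces are
# ignored) to also confirm the downloaded key is the expected one instead of
# trusting whatever the key download returned.
keyring="$(mktemp -d)"
gpg --homedir "$keyring" --batch --quiet --import nginx_signing.key
if [[ -n "${NGINX_KEY_FPR:-}" ]]; then
  # Capture first rather than piping into grep -q: under pipefail an early
  # grep exit could make gpg fail with SIGPIPE and misreport a mismatch.
  fprs="$(gpg --homedir "$keyring" --batch --with-colons --fingerprint)"
  if ! grep -iq "^fpr:.*:${NGINX_KEY_FPR//[[:space:]]/}:$" <<<"$fprs"; then
    echo "nginx_signing.key does not match NGINX_KEY_FPR=$NGINX_KEY_FPR" >&2
    exit 1
  fi
fi
gpg --homedir "$keyring" --batch --verify "nginx-$LATESTNGINX.tar.gz.asc" "nginx-$LATESTNGINX.tar.gz"
rm -rf -- "$keyring"

tar xzf "nginx-$LATESTNGINX.tar.gz"
cd "$BUILDROOT/nginx/nginx-$LATESTNGINX"

# Configure and compile as the invoking user; only `make install` needs root.
# Running configure/make under sudo executes the freshly downloaded build
# system with full privileges for no benefit and leaves a root-owned tree.
#
# Hardening flags: -fstack-protector-all, FORTIFY_SOURCE, format-security and
# RELRO; `-z now` turns the partial RELRO into full RELRO (GOT made read-only
# after startup). NOTE: -fPIE only compiles position-independent objects; on a
# toolchain that does not default to PIE the executable is still not PIE
# without `-pie` in ld-opt. It is not added here because the BoringSSL static
# libraries would then also have to be built with -fPIC - confirm that before
# enabling it.
./configure --prefix=/usr/share/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/run/nginx.pid \
  --lock-path=/run/lock/subsys/nginx \
  --user=www-data \
  --group=www-data \
  --with-threads \
  --with-file-aio \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_slice_module \
  --with-http_stub_status_module \
  --without-select_module \
  --without-poll_module \
  --without-mail_pop3_module \
  --without-mail_imap_module \
  --without-mail_smtp_module \
  --with-openssl="$BUILDROOT/boringssl" \
  --with-cc-opt="-g -O2 -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -I $BUILDROOT/boringssl/.openssl/include/" \
  --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -L $BUILDROOT/boringssl/.openssl/lib/"

# Fix "Error 127" during build: with --with-openssl, the generated
# objs/Makefile tries to build the TLS library itself by running ./config in
# $BUILDROOT/boringssl, which BoringSSL does not have. Touching the header that
# rule would produce AFTER configure makes it newer than objs/Makefile, so make
# skips the rule and links the libraries copied into .openssl/lib instead.
touch "$BUILDROOT/boringssl/.openssl/include/openssl/ssl.h"

# Build and install nginx.
make -j"$(nproc)"
sudo make install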


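# Install the systemd unit.
# - Local, non-packaged units belong in /etc/systemd/system;
#   /lib/systemd/system is owned by distro packages.
# - `sudo tee` is used because a plain `cat >` redirection runs as the
#   invoking user and fails unless the whole script is run as root, while
#   every other privileged step here goes through sudo.
# - The heredoc delimiter is quoted so the shell expands nothing inside it.
sudo tee /etc/systemd/system/nginx.service >/dev/null <<'EOL'
[Unit]
Description=NGINX with BoringSSL
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
# Must match --pid-path passed to ./configure.
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/sbin/nginx -s reload
# nginx is installed at /usr/sbin/nginx (--sbin-path); there is no /usr/bin/nginx.
ExecStop=/usr/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOL

# Make systemd re-read unit files so the new/changed unit is used.
sudo systemctl daemon-reload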

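# Enable the service and (re)start it.
# NOTE: systemctl needs systemd running as PID 1, so this is expected to fail
# inside a plain Docker container; elsewhere it should work.
# `restart` rather than `start` + `reload`: if an older nginx is already
# running, `start` is a no-op and `-s reload` only re-reads the configuration,
# so neither would switch to the freshly installed binary.
sudo systemctl enable nginx.service
sudo systemctl restart nginx.service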