bunkerized-nginx/helpers/install.sh


#!/bin/bash
# Build-time settings. A value already present in the environment (even an
# empty one) wins; otherwise the defaults below are assigned.
#   NGINX_VERSION - nginx release the installer installs and builds against
#   BUILD_MODE    - "prod" clones a pinned commit, anything else tracks "dev"
: "${NGINX_VERSION=1.20.2}"
: "${BUILD_MODE=prod}"
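#######################################
# Check out a pinned revision inside an existing git work tree.
# Globals:   CHANGE_DIR (read) - optional directory to enter first
# Arguments: $1 - path of the work tree
#            $2 - revision to check out
# Outputs:   error message and captured git output on stdout on failure
# Returns:   0 on success; on failure calls cleanup and exits with status 4
#######################################
function git_secure_checkout() {
  local path commit output
  if [ "$CHANGE_DIR" != "" ] ; then
    cd "$CHANGE_DIR"
  fi
  path="$1"
  commit="$2"
  # Stop if the work tree cannot be entered: otherwise the checkout below would
  # run against whichever repository contains the current directory, and the
  # pin would be checked against the wrong history.
  if ! cd "$path" ; then
    echo "❌ Unable to enter submodules $path !"
    cleanup
    exit 4
  fi
  # The "^{commit}" suffix only requires the revision to resolve to a commit
  # object; it does not require a complete hash. The integrity guarantee
  # therefore depends on callers passing full commit hashes.
  if ! output="$(git checkout "${commit}^{commit}" 2>&1)" ; then
    echo "❌ Commit hash $commit is absent from submodules $path !"
    echo "$output"
    cleanup
    exit 4
  fi
}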
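#######################################
# Clone a repository and check out a pinned revision.
# Arguments: $1 - repository URL
#            $2 - revision to check out
# Outputs:   error message and captured git output on stdout on failure
# Returns:   0 on success; on failure calls cleanup and exits with status 2
#            (clone failed) or 3 (clone directory or revision unavailable)
#######################################
function git_secure_clone() {
  local repo commit folder output
  # NOTE(review): the result of this cd is not checked. The prod clone call in
  # this installer runs before /tmp/bunkerweb exists and appears to rely on the
  # clone then landing in the caller's directory - confirm before making this
  # fatal.
  cd /tmp/bunkerweb
  repo="$1"
  commit="$2"
  # Directory name git creates for a https://github.com/<owner>/<name>.git URL.
  folder="$(printf '%s\n' "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")"
  if ! output="$(git clone "$repo" 2>&1)" ; then
    echo "❌ Error cloning $1"
    echo "$output"
    cleanup
    exit 2
  fi
  # Stop if the clone directory cannot be entered (for instance when the URL
  # does not match the pattern above): the pinned checkout must never run
  # against a different repository.
  if ! cd "$folder" ; then
    echo "❌ Unable to enter cloned repository $folder"
    cleanup
    exit 3
  fi
  # "^{commit}" requires the revision to resolve to a commit object; the pin is
  # only as strong as the hash the caller passes (use complete hashes).
  if ! output="$(git checkout "${commit}^{commit}" 2>&1)" ; then
    echo "❌ Commit hash $commit is absent from repository $repo"
    echo "$output"
    cleanup
    exit 3
  fi
}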
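#######################################
# Download a file and verify it against an expected SHA-512 digest.
# Arguments: $1 - URL to fetch
#            $2 - destination file
#            $3 - expected SHA-512 digest, in the form sha512sum prints it
# Outputs:   error message (and wget output) on stdout on failure
# Returns:   0 when the digest matches; on failure calls cleanup and exits
#            with status 5 (download failed) or 6 (digest mismatch)
#######################################
function secure_download() {
  local link file hash output check
  # NOTE(review): cd result is not checked; a relative destination would then
  # be written to the caller's directory - confirm the intended behaviour.
  cd /tmp/bunkerweb
  link="$1"
  file="$2"
  hash="$3"
  if ! output="$(wget -q -O "$file" "$link" 2>&1)" ; then
    echo "❌ Error downloading $link"
    echo "$output"
    cleanup
    exit 5
  fi
  # Hash through stdin: sha512sum prefixes its output line with a backslash
  # when the file name contains one, which would corrupt the first field.
  check="$(sha512sum < "$file" | cut -d ' ' -f 1)"
  # Fail closed: an empty expected digest must never compare equal to the empty
  # result of a failed sha512sum run.
  if [ -z "$hash" ] || [ "$check" != "$hash" ] ; then
    echo "❌️ Wrong hash from file $link (expected $hash got $check)"
    # Do not leave an unverified artifact behind, wherever it was written.
    rm -f -- "$file"
    cleanup
    exit 6
  fi
}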
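#######################################
# Run a command quietly and abort the installation if it fails.
# The command runs inside a command substitution, so its output is only shown
# on failure and any state it changes in the shell (cd, variables) is lost.
# Globals:   CHANGE_DIR (read) - optional directory to enter before running
# Arguments: the command and its arguments
# Outputs:   error message and the captured output on stdout on failure
# Returns:   0 on success; on failure calls cleanup and exits with the
#            command's status (1 when CHANGE_DIR cannot be entered)
#######################################
function do_and_check_cmd() {
  local output ret
  if [ "$CHANGE_DIR" != "" ] ; then
    # Never run the command from an unintended directory: callers pass relative
    # programs and paths (./configure, ./bootstrap, make install) that would
    # otherwise be resolved, as root, against wherever the shell happens to be.
    if ! cd "$CHANGE_DIR" ; then
      echo "❌ Error from command : $* (cannot enter $CHANGE_DIR)"
      cleanup
      exit 1
    fi
  fi
  output=$("$@" 2>&1)
  ret="$?"
  if [ "$ret" -ne 0 ] ; then
    echo "❌ Error from command : $*"
    echo "$output"
    cleanup
    exit "$ret"
  fi
  return 0
}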
# Announce and delete the temporary build tree /tmp/bunkerweb.
# Called on every error path and at the end of a successful run.
function cleanup() {
  printf '%s\n' " Cleaning /tmp/bunkerweb"
  rm -rf -- /tmp/bunkerweb
}
# Print the ASCII-armored PGP public key embedded in this script.
# The installer writes it to a file and registers it as the signing key of the
# nginx.org package repository (apt keyring / rpm --import).
# Globals: key (written)
# NOTE(review): this key is the trust anchor for every nginx package installed
# by the script; when it is rotated, confirm the new fingerprint against the
# value published by nginx.org.
function get_sign_repo_key() {
key="-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)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=EWWI
-----END PGP PUBLIC KEY BLOCK-----"
# Emit the armored block unchanged on stdout.
echo "$key"
}
# Print the PEM-encoded RSA public key embedded in this script.
# The Alpine branch of the installer writes it to a file destined for
# /etc/apk/keys so that apk can verify packages from the nginx.org repository.
# Globals: key (written)
# NOTE(review): as with the PGP key, confirm this value against the key
# published by nginx.org whenever it is updated.
function get_sign_repo_key_rsa() {
key="-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/hT2Chq4hhn+zasCn1gv
N3AVdNYGm4FVkJmWzHBc3lvoTLIMR1uoopg9EbH2faBG3yQjxtAkUme6aauaSmpm
LNvhCfENsrDhRx8KRqwNgvM8jQLOCEMZ2WSGxE4HEsBbQ7p9F4qj8D2YMrl1ZvTw
Gy2UW3wc5vMEf90lsoKmQQS3UJOUxHw0fhJ8vzNUVUeMQpRAjjRfVAQdnoxXSNSw
+OQD2z9obDf6YhQclNbe8itoKRckbfe1sxh5/TFef0y+wJkTzOKXK9yWnJrQp8V3
gmfJy6nnaErhxbocMg55QG7vCNejuV0a384ax0SRTNSZyIhps2Yuswbx9CLX8l+r
bQIDAQAB
-----END PUBLIC KEY-----"
# Emit the PEM block unchanged on stdout.
echo "$key"
}
# Variables
# Number of parallel make jobs, taken from nproc.
NTASK="$(nproc)"
# Check if we are root: the installer writes to /opt, /etc, /usr/local/bin and
# the package manager databases.
if [ "$(id -u)" -ne 0 ] ; then
  printf '%s\n' "❌ Run me as root"
  exit 1
fi
# Detect OS
# Each entry is "<text searched in /etc/os-release>:<value stored in OS>".
# Entries are tried in order and the first match wins.
OS=""
for os_entry in Debian:debian Ubuntu:ubuntu CentOS:centos Fedora:fedora Arch:archlinux Alpine:alpine ; do
  if grep -q "${os_entry%%:*}" /etc/os-release ; then
    OS="${os_entry##*:}"
    break
  fi
done
# Nothing matched: refuse to continue on an unknown distribution.
if [ -z "$OS" ] ; then
  echo "❌ Unsupported Operating System"
  exit 1
fi
# Remember where the installer was started so it can return there at the end.
old_dir="$PWD"
build_tree="/tmp/bunkerweb"
install_root="/opt/bunkerweb"
# Start from a clean build tree. This step only removes a stale tree; nothing
# here creates the directory.
# NOTE(review): /tmp is world-writable and the path is predictable, so the
# build tree used by this root-run script is reachable by other local users -
# consider a private directory created with mktemp -d.
if [ -e "$build_tree" ] ; then
  echo " Remove existing /tmp/bunkerweb"
  do_and_check_cmd rm -rf "$build_tree"
fi
# Create /opt/bunkerweb, refusing to overwrite an existing installation.
if [ -d "$install_root" ] ; then
  echo "❌️ Looks like bunkerweb is already installed. Updating is not supported yet, you need to uninstall first and then install it again."
  exit 1
fi
echo " Create /opt/bunkerweb"
do_and_check_cmd mkdir "$install_root"
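# Check nginx version (empty when nginx is not installed or prints no version)
NGINX_CHECK_VERSION="$(nginx -V 2>&1 | sed -rn 's~^nginx version: nginx/(.*)$~\1~p')"
# Add nginx official repo and install
if [ "$NGINX_CHECK_VERSION" = "" ] ; then
  # Stage the embedded signing keys and repo file in a private directory.
  # /tmp/bunkerweb cannot be used here: it has just been removed (or never
  # existed), so a redirection into it fails and the key is never written.
  if ! key_dir="$(mktemp -d)" ; then
    echo "❌ Unable to create a temporary directory for the nginx signing key"
    cleanup
    exit 1
  fi
  get_sign_repo_key > "${key_dir}/nginx_signing.key"
  # The repositories below are fetched over plain HTTP, so package integrity
  # rests entirely on signature verification against the keys embedded in this
  # script (gpgcheck=1 for yum; apt and apk verify signatures themselves).
  # NOTE(review): consider https:// URLs as defence in depth.
  if [ "$OS" = "debian" ] || [ "$OS" = "ubuntu" ] ; then
    echo " Add nginx official repository"
    # NOTE(review): a key placed in /etc/apt/trusted.gpg.d is trusted for every
    # configured APT source, not only nginx.org; a dedicated keyring referenced
    # with "signed-by=" would narrow that trust.
    do_and_check_cmd cp "${key_dir}/nginx_signing.key" /etc/apt/trusted.gpg.d/nginx_signing.asc
    do_and_check_cmd apt update
    DEBIAN_FRONTEND=noninteractive do_and_check_cmd apt install -y gnupg2 ca-certificates lsb-release software-properties-common
    do_and_check_cmd add-apt-repository "deb http://nginx.org/packages/${OS} $(lsb_release -cs) nginx"
    do_and_check_cmd apt update
    echo " Install nginx"
    DEBIAN_FRONTEND=noninteractive do_and_check_cmd apt install -y "nginx=$NGINX_VERSION"
  elif [ "$OS" = "centos" ] ; then
    echo " Add nginx official repository"
    do_and_check_cmd yum install -y yum-utils
    do_and_check_cmd cp "${key_dir}/nginx_signing.key" /etc/pki/rpm-gpg/RPM-GPG-KEY-nginx
    do_and_check_cmd rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-nginx
    repo="[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/\$releasever/\$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-nginx
enabled=1
module_hotfixes=true"
    echo "$repo" > "${key_dir}/nginx.repo"
    do_and_check_cmd cp "${key_dir}/nginx.repo" /etc/yum.repos.d/nginx.repo
    echo " Install nginx"
    do_and_check_cmd yum install -y "nginx-$NGINX_VERSION"
  elif [ "$OS" = "fedora" ] ; then
    echo " Install nginx"
    do_and_check_cmd dnf install -y "nginx-$NGINX_VERSION"
  elif [ "$OS" = "archlinux" ] ; then
    echo " Update pacman DB"
    do_and_check_cmd pacman -Sy
    echo " Install nginx"
    do_and_check_cmd pacman -S --noconfirm "nginx=$NGINX_VERSION"
  elif [ "$OS" = "alpine" ] ; then
    echo " Add nginx official repository"
    # The key is copied from the same path it was written to (the original
    # copied from /tmp/nginx_signing.rsa.pub, which was never created).
    get_sign_repo_key_rsa > "${key_dir}/nginx_signing.rsa.pub"
    do_and_check_cmd cp "${key_dir}/nginx_signing.rsa.pub" /etc/apk/keys/nginx_signing.rsa.pub
    echo "@nginx http://nginx.org/packages/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories
    echo " Install nginx"
    do_and_check_cmd apk add "nginx@nginx=$NGINX_VERSION"
  fi
  # The staged copies are no longer needed once installed system-wide.
  rm -rf -- "${key_dir:?}"
  NGINX_CHECK_VERSION="$(nginx -V 2>&1 | sed -rn 's~^nginx version: nginx/(.*)$~\1~p')"
fi
echo " Detected nginx version ${NGINX_CHECK_VERSION}"
if [ "$NGINX_CHECK_VERSION" != "$NGINX_VERSION" ] ; then
  echo "⚠️ Detected nginx version ${NGINX_CHECK_VERSION} but the official nginx version supported is ${NGINX_VERSION}. We recommend you to uninstall nginx and run the installation script again."
  read -p "Abort installation of BunkerWeb (Y/n) ? " -n 1 -r
  echo
  # Abort on "Y", "y" or an empty answer. The original test for "y" lacked the
  # space before "]", so a lowercase answer did not abort.
  if [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || [ "$REPLY" = "" ] ; then
    cleanup
    exit 1
  fi
  # The user chose to continue: build against the version that is installed.
  NGINX_VERSION="$NGINX_CHECK_VERSION"
fi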
# Stop nginx on Linux
# Alpine is skipped; on the other systems the unit is stopped only when
# "systemctl status" reports success for it.
case "$OS" in
  alpine)
    ;;
  *)
    if systemctl status nginx > /dev/null 2>&1 ; then
      echo " Stop nginx service"
      do_and_check_cmd systemctl stop nginx
    fi
    ;;
esac
# Install dependencies
echo " Update packet list"
case "$OS" in
  debian|ubuntu)
    do_and_check_cmd apt update
    ;;
  archlinux)
    do_and_check_cmd pacman -Sy
    ;;
esac
echo " Install compilation and runtime dependencies"
# The *_DEPS variables are expanded unquoted on purpose: each one holds a
# space-separated package list that must split into separate arguments.
case "$OS" in
  debian|ubuntu)
    DEBIAN_DEPS="git autoconf pkg-config libpcre++-dev automake libtool g++ make libgd-dev libssl-dev wget libbrotli-dev gnupg patch libreadline-dev certbot python3 python3-pip procps sudo"
    DEBIAN_FRONTEND=noninteractive do_and_check_cmd apt install -y $DEBIAN_DEPS
    ;;
  centos)
    do_and_check_cmd yum install -y epel-release
    CENTOS_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make gd-devel openssl-devel wget brotli-devel gnupg patch readline-devel ca-certificates certbot python3 python3-pip procps sudo"
    do_and_check_cmd yum install -y $CENTOS_DEPS
    ;;
  fedora)
    FEDORA_DEPS="git autoconf pkg-config pcre-devel automake libtool gcc-c++ make gd-devel openssl-devel wget brotli-devel gnupg libxslt-devel perl-ExtUtils-Embed gperftools-devel patch readline-devel certbot python3 python3-pip procps nginx-mod-stream sudo"
    do_and_check_cmd dnf install -y $FEDORA_DEPS
    ;;
  archlinux)
    ARCHLINUX_DEPS="git autoconf pkgconf pcre2 automake libtool gcc make gd openssl wget brotli gnupg libxslt patch readline certbot python python-pip procps sudo"
    do_and_check_cmd pacman -S --noconfirm $ARCHLINUX_DEPS
    ;;
  alpine)
    # Build-only packages go into the virtual package "build" so they can be
    # removed in one step later; runtime packages are installed normally.
    ALPINE_DEPS_COMPILE="git build autoconf libtool automake git geoip-dev yajl-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev"
    do_and_check_cmd apk add --no-cache --virtual build $ALPINE_DEPS_COMPILE
    ALPINE_DEPS_RUNTIME="certbot bash libgcc yajl libstdc++ openssl py3-pip git"
    do_and_check_cmd apk add --no-cache $ALPINE_DEPS_RUNTIME
    ;;
esac
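# Clone the repo, unless a pre-staged copy exists in /tmp/bunkerweb-data.
# The original test carried a stray "ls" token after "]", which made "[" fail
# with an error so that the move branch below was always taken.
# NOTE(review): /tmp is world-writable, so a pre-existing /tmp/bunkerweb-data
# is built and installed as root without any integrity check - confirm it can
# only originate from a trusted build step (ownership and contents).
if [ ! -d "/tmp/bunkerweb-data" ] ; then
  echo " Clone bunkerity/bunkerweb"
  if [ "$BUILD_MODE" = "prod" ] ; then
    # Production builds are pinned to an exact commit.
    CHANGE_DIR="/tmp" do_and_check_cmd git_secure_clone https://github.com/bunkerity/bunkerweb.git 3d2f5e2389e5f75131ae22f822a673b92cb12cca
  else
    # Any other mode tracks the moving "dev" branch: the source that is built
    # and installed is not pinned to a known revision.
    CHANGE_DIR="/tmp" do_and_check_cmd git clone https://github.com/bunkerity/bunkerweb.git
    CHANGE_DIR="/tmp/bunkerweb" do_and_check_cmd git checkout dev
  fi
# Or rename the folder
else
  echo " Move /tmp/bunkerweb-data to /tmp/bunkerweb"
  do_and_check_cmd mv /tmp/bunkerweb-data /tmp/bunkerweb
fi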
# Sources of the bundled dependencies and the prefix they are installed into.
native_src="/tmp/bunkerweb/deps/src"
native_prefix="/opt/bunkerweb/deps"
# Create deps folder
echo " Create /opt/bunkerweb/deps"
do_and_check_cmd mkdir "$native_prefix"
# $NTASK is left unquoted in the make calls, exactly as the job count was
# passed before.
# Compile and install lua
echo " Compile and install lua-5.1.5"
CHANGE_DIR="${native_src}/lua-5.1.5" do_and_check_cmd make -j $NTASK linux
CHANGE_DIR="${native_src}/lua-5.1.5" do_and_check_cmd make INSTALL_TOP="$native_prefix" install
# Compile and install libmaxminddb
echo " Compile and install libmaxminddb"
CHANGE_DIR="${native_src}/libmaxminddb" do_and_check_cmd ./bootstrap
CHANGE_DIR="${native_src}/libmaxminddb" do_and_check_cmd ./configure --prefix="$native_prefix" --disable-tests
CHANGE_DIR="${native_src}/libmaxminddb" do_and_check_cmd make -j $NTASK
CHANGE_DIR="${native_src}/libmaxminddb" do_and_check_cmd make install
# Compile and install ModSecurity
echo " Compile and install ModSecurity"
# temp fix : Debian run it twice
# TODO : patch it in clone.sh
# First pass of build.sh: output discarded and result ignored on purpose; the
# checked run follows.
if cd "${native_src}/ModSecurity" ; then
  ./build.sh > /dev/null 2>&1
fi
CHANGE_DIR="${native_src}/ModSecurity" do_and_check_cmd sh build.sh
CHANGE_DIR="${native_src}/ModSecurity" do_and_check_cmd ./configure --disable-doxygen-doc --disable-dependency-tracking --disable-examples --prefix="$native_prefix" --with-maxmind="$native_prefix"
CHANGE_DIR="${native_src}/ModSecurity" do_and_check_cmd make -j $NTASK
CHANGE_DIR="${native_src}/ModSecurity" do_and_check_cmd make install-strip
# Locations shared by the Lua component builds below.
lua_src="/tmp/bunkerweb/deps/src"
lua_prefix="/opt/bunkerweb/deps"
lua_libdir="${lua_prefix}/lib/lua"
# $NTASK stays unquoted in the make calls, as the job count was passed before.
# Compile and install luajit2
echo " Compile and install luajit2"
CHANGE_DIR="${lua_src}/luajit2" do_and_check_cmd make -j $NTASK
CHANGE_DIR="${lua_src}/luajit2" do_and_check_cmd make PREFIX="$lua_prefix" install
# Install lua-resty-core
echo " Install openresty/lua-resty-core"
CHANGE_DIR="${lua_src}/lua-resty-core" do_and_check_cmd make PREFIX="$lua_prefix" install
# Install lua-resty-lrucache and lua-resty-dns
for lua_module in lua-resty-lrucache lua-resty-dns ; do
  echo " Install ${lua_module}"
  CHANGE_DIR="${lua_src}/${lua_module}" do_and_check_cmd make PREFIX="$lua_prefix" install
done
# Install lua-resty-session (plain copy of its Lua sources)
echo " Install lua-resty-session"
do_and_check_cmd cp -r "${lua_src}/lua-resty-session/lib/resty/"* "${lua_libdir}/resty"
# Install lua-resty-random and lua-resty-string
for lua_module in lua-resty-random lua-resty-string ; do
  echo " Install ${lua_module}"
  CHANGE_DIR="${lua_src}/${lua_module}" do_and_check_cmd make PREFIX="$lua_prefix" install
done
# Compile and install lua-cjson
echo " Compile and install lua-cjson"
CHANGE_DIR="${lua_src}/lua-cjson" do_and_check_cmd make LUA_INCLUDE_DIR="${lua_prefix}/include" -j $NTASK
CHANGE_DIR="${lua_src}/lua-cjson" do_and_check_cmd make PREFIX="$lua_prefix" LUA_CMODULE_DIR="$lua_libdir" LUA_MODULE_DIR="$lua_libdir" install
CHANGE_DIR="${lua_src}/lua-cjson" do_and_check_cmd make PREFIX="$lua_prefix" LUA_CMODULE_DIR="$lua_libdir" LUA_MODULE_DIR="$lua_libdir" install-extra
# Compile and install lua-gd
echo " Compile and install lua-gd"
CHANGE_DIR="${lua_src}/lua-gd" do_and_check_cmd make "CFLAGS=-O3 -Wall -fPIC -fomit-frame-pointer -I/opt/bunkerweb/deps/include -DVERSION=\\\"2.0.33r3\\\"" "LFLAGS=-shared -L/opt/bunkerweb/deps/lib -llua -lgd -Wl,-rpath=/opt/bunkerweb/deps/lib" LUABIN=/opt/bunkerweb/deps/bin/lua -j $NTASK
CHANGE_DIR="${lua_src}/lua-gd" do_and_check_cmd make INSTALL_PATH="$lua_libdir" install
# Install lua-resty-http
echo " Install lua-resty-http"
CHANGE_DIR="${lua_src}/lua-resty-http" do_and_check_cmd make PREFIX="$lua_prefix" install
# Install lualogging (plain copy of its Lua sources)
echo " Install lualogging"
do_and_check_cmd cp -r "${lua_src}/lualogging/src/"* "$lua_libdir"
# Compile and install luasocket
echo " Compile and install luasocket"
CHANGE_DIR="${lua_src}/luasocket" do_and_check_cmd make LUAINC_linux="${lua_prefix}/include" -j $NTASK
CHANGE_DIR="${lua_src}/luasocket" do_and_check_cmd make prefix="$lua_prefix" CDIR_linux=lib/lua LDIR_linux=lib/lua install
# Compile and install luasec
echo " Compile and install luasec"
CHANGE_DIR="${lua_src}/luasec" do_and_check_cmd make INC_PATH="-I${lua_prefix}/include" linux -j $NTASK
CHANGE_DIR="${lua_src}/luasec" do_and_check_cmd make LUACPATH="$lua_libdir" LUAPATH="$lua_libdir" install
# Install lua-resty-iputils, lua-resty-redis and lua-resty-upload
for lua_module in lua-resty-iputils lua-resty-redis lua-resty-upload ; do
  echo " Install ${lua_module}"
  CHANGE_DIR="${lua_src}/${lua_module}" do_and_check_cmd make PREFIX="$lua_prefix" LUA_LIB_DIR="$lua_libdir" install
done
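# Compile dynamic modules
echo " Compile and install dynamic modules"
# Reuse the configure arguments of the installed nginx binary so the modules
# are built with matching options.
CONFARGS="$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')"
CONFARGS="${CONFARGS/-Os -fomit-frame-pointer -g/-Os}"
if [ "$OS" = "fedora" ] ; then
  CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt='.*'//" | sed "s/--with-cc-opt='.*'//")"
fi
nginx_src="/tmp/bunkerweb/deps/src/nginx-${NGINX_VERSION}"
configure_fix="${nginx_src}/configure-fix.sh"
# The arguments are written into a helper script so that the shell re-parses
# them when it runs. This text comes from "nginx -V" and is executed as root,
# so it is only as trustworthy as the nginx binary found in PATH.
# The shebang is written with single quotes: the original "\#!/bin/bash" kept
# the backslash inside double quotes and produced an invalid first line.
echo '#!/bin/bash' > "$configure_fix"
echo "./configure $CONFARGS --add-dynamic-module=/tmp/bunkerweb/deps/src/ModSecurity-nginx --add-dynamic-module=/tmp/bunkerweb/deps/src/headers-more-nginx-module --add-dynamic-module=/tmp/bunkerweb/deps/src/ngx_http_geoip2_module --add-dynamic-module=/tmp/bunkerweb/deps/src/nginx_cookie_flag_module --add-dynamic-module=/tmp/bunkerweb/deps/src/lua-nginx-module --add-dynamic-module=/tmp/bunkerweb/deps/src/ngx_brotli" >> "$configure_fix"
do_and_check_cmd chmod +x "$configure_fix"
CHANGE_DIR="$nginx_src" LUAJIT_LIB="/opt/bunkerweb/deps/lib -Wl,-rpath,/opt/bunkerweb/deps/lib" LUAJIT_INC="/opt/bunkerweb/deps/include/luajit-2.1" MODSECURITY_LIB="/opt/bunkerweb/deps/lib" MODSECURITY_INC="/opt/bunkerweb/deps/include" do_and_check_cmd ./configure-fix.sh
CHANGE_DIR="$nginx_src" do_and_check_cmd make -j $NTASK modules
# Modules directory: owned by root, readable by the nginx group, closed to
# everyone else.
do_and_check_cmd mkdir /opt/bunkerweb/modules
do_and_check_cmd chown root:nginx /opt/bunkerweb/modules
do_and_check_cmd chmod 750 /opt/bunkerweb/modules
CHANGE_DIR="$nginx_src" do_and_check_cmd cp ./objs/*.so /opt/bunkerweb/modules
do_and_check_cmd chmod 740 /opt/bunkerweb/modules/*.so
# TODO : temp fix for fedora
# NOTE(review): this copy is not checked, unlike the other steps - confirm
# whether a missing stream module should abort the installation.
if [ "$OS" = "fedora" ] ; then
  cp /usr/lib64/nginx/modules/ngx_stream_module.so /opt/bunkerweb/modules/ngx_stream_module.so
fi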
# Dependencies are installed
echo " Dependencies for bunkerweb successfully compiled and installed !"
# Remove build dependencies in container (the "build" virtual package)
case "$OS" in
  alpine)
    echo " Remove build dependencies"
    do_and_check_cmd apk del build
    ;;
esac
# Install Python dependencies
# NOTE(review): pip runs as root, upgrades pip and cryptography to whatever
# version is current, and installs the requirement files without
# --require-hashes - pinning with hashes would make this step reproducible and
# tamper-evident.
echo " Install python dependencies"
do_and_check_cmd pip3 install --upgrade pip
for py_component in gen job ; do
  do_and_check_cmd pip3 install -r "/tmp/bunkerweb/${py_component}/requirements.txt"
done
# The web UI is not installed on Alpine.
if [ "$OS" != "alpine" ] ; then
  do_and_check_cmd pip3 install -r /tmp/bunkerweb/ui/requirements.txt
fi
do_and_check_cmd pip3 install cryptography --upgrade
# Copy the application directories from the build tree into /opt/bunkerweb.
# Each entry is "<label printed>:<directory copied>".
for copy_entry in generator:gen configs:confs lua:lua misc:misc core:core job:job cli:cli utils:utils helpers:helpers ; do
  echo " Copy ${copy_entry%%:*}"
  do_and_check_cmd cp -r "/tmp/bunkerweb/${copy_entry##*:}" /opt/bunkerweb
done
# Copy UI (and its systemd unit); not installed on Alpine
if [ "$OS" != "alpine" ] ; then
  echo " Copy UI"
  do_and_check_cmd cp -r /tmp/bunkerweb/ui /opt/bunkerweb
  do_and_check_cmd cp /tmp/bunkerweb/ui/bunkerweb-ui.service /lib/systemd/system
fi
# Copy settings
echo " Copy settings"
do_and_check_cmd cp /tmp/bunkerweb/settings.json /opt/bunkerweb
# Copy bwcli
echo " Copy bwcli"
do_and_check_cmd cp /tmp/bunkerweb/helpers/bwcli /usr/local/bin
# Copy VERSION
echo " Copy VERSION"
do_and_check_cmd cp /tmp/bunkerweb/VERSION /opt/bunkerweb
# Replace old nginx.service file, keeping the previous unit as nginx.service.bak
if [ "$OS" != "alpine" ] ; then
  systemd_units="/lib/systemd/system"
  do_and_check_cmd mv "${systemd_units}/nginx.service" "${systemd_units}/nginx.service.bak"
  do_and_check_cmd cp /tmp/bunkerweb/misc/nginx.service "${systemd_units}/"
fi
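# Create nginx user
# Ask the system whether the account exists instead of searching /etc/passwd
# for the substring "nginx:", which also matches unrelated entries (another
# login ending in "nginx", or a comment field equal to "nginx") and would skip
# the creation.
if ! id -u nginx > /dev/null 2>&1 ; then
  echo " Add nginx user"
  # No login shell: the account only owns files and runs the service.
  do_and_check_cmd useradd -d /opt/bunkerweb -s /usr/sbin/nologin nginx
fi
# Create the runtime folders that do not exist yet
for bw_folder in www http-confs stream-confs server-confs modsec-confs modsec-crs-confs cache ; do
  if [ ! -d "/opt/bunkerweb/${bw_folder}" ] ; then
    echo " Create /opt/bunkerweb/${bw_folder} folder"
    do_and_check_cmd mkdir "/opt/bunkerweb/${bw_folder}"
  fi
done
# Create tmp folder
if [ ! -d "/opt/bunkerweb/tmp" ] ; then
  echo " Create /opt/bunkerweb/tmp folder"
  do_and_check_cmd mkdir -p /opt/bunkerweb/tmp
fi
# Create plugins folder
if [ ! -d "/opt/bunkerweb/plugins" ] ; then
  echo " Create /opt/bunkerweb/plugins folder"
  do_and_check_cmd mkdir /opt/bunkerweb/plugins
fi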
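# Set permissions for /opt/bunkerweb
# Everything is owned by root; the nginx group gets read access (plus traversal
# on directories) and other users get nothing.
echo " Set permissions on files and folders"
do_and_check_cmd chown -R root:nginx /opt/bunkerweb
do_and_check_cmd find /opt/bunkerweb -type f -exec chmod 0740 {} \;
do_and_check_cmd find /opt/bunkerweb -type d -exec chmod 0750 {} \;
# cache and tmp are the only folders the nginx group may write to
do_and_check_cmd chmod 770 /opt/bunkerweb/cache
do_and_check_cmd chmod 770 /opt/bunkerweb/tmp
# Entry points must be executable by the nginx group
do_and_check_cmd chmod 750 /opt/bunkerweb/gen/main.py
do_and_check_cmd chmod 750 /opt/bunkerweb/job/main.py
do_and_check_cmd chmod 750 /opt/bunkerweb/cli/main.py
do_and_check_cmd chmod 750 /opt/bunkerweb/helpers/*.sh
# Set permissions for /usr/local/bin/bwcli
do_and_check_cmd chown root:nginx /usr/local/bin/bwcli
do_and_check_cmd chmod 750 /usr/local/bin/bwcli
# Set permissions for /opt
do_and_check_cmd chmod u+rx /opt
# Set permissions for /etc/nginx
# NOTE(review): the configuration tree becomes owned and writable by the nginx
# account, and files are world-readable (0774). A compromised nginx account
# can then rewrite the configuration, and any secret stored under /etc/nginx is
# readable by every local user - confirm that this is required.
do_and_check_cmd chown -R nginx:nginx /etc/nginx
do_and_check_cmd find /etc/nginx -type f -exec chmod 0774 {} \;
do_and_check_cmd find /etc/nginx -type d -exec chmod 0775 {} \;
# Set permissions for systemd files and reload config
# Unit files are configuration, not programs: 644 instead of 744 (systemd
# warns about unit files marked executable).
if [ "$OS" != "alpine" ] ; then
  do_and_check_cmd chown root:root /lib/systemd/system/bunkerweb-ui.service
  do_and_check_cmd chmod 644 /lib/systemd/system/bunkerweb-ui.service
  do_and_check_cmd chown root:root /lib/systemd/system/nginx.service
  do_and_check_cmd chmod 644 /lib/systemd/system/nginx.service
  do_and_check_cmd systemctl daemon-reload
fi
# Allow RX access to others on /opt/bunkerweb
do_and_check_cmd chmod 755 /opt/bunkerweb
# Allow nginx group to do nginx reload as root
if [ "$OS" != "alpine" ] ; then
  # The script reachable through sudo must stay unwritable for the nginx
  # account: owned by root, group may only read and execute it.
  do_and_check_cmd chown root:nginx /opt/bunkerweb/ui/linux.sh
  do_and_check_cmd chmod 750 /opt/bunkerweb/ui/linux.sh
  # NOTE(review): the rule places no restriction on the arguments passed to
  # linux.sh - confirm the script validates them.
  sudoers_rule="nginx ALL=(root:root) NOPASSWD: /opt/bunkerweb/ui/linux.sh"
  # Skip the rule when it is already present, and validate the resulting file
  # on a copy first: a syntax error in /etc/sudoers disables sudo entirely.
  if ! grep -qxF -- "$sudoers_rule" /etc/sudoers ; then
    if ! sudoers_candidate="$(mktemp)" ; then
      echo "❌ Unable to create a temporary file to validate the sudoers rule"
      cleanup
      exit 1
    fi
    do_and_check_cmd cp /etc/sudoers "$sudoers_candidate"
    echo "$sudoers_rule" >> "$sudoers_candidate"
    do_and_check_cmd visudo -cf "$sudoers_candidate"
    do_and_check_cmd rm -f "$sudoers_candidate"
    if ! echo "$sudoers_rule" >> /etc/sudoers ; then
      echo "❌ Unable to update /etc/sudoers"
      cleanup
      exit 1
    fi
  fi
fi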
# Prepare log files and folders
echo " Prepare log files and folders"
nginx_log_dir="/var/log/nginx"
if [ ! -e "$nginx_log_dir" ] ; then
  do_and_check_cmd mkdir "$nginx_log_dir"
fi
# Create each log file that does not exist yet
for log_file in access.log error.log modsec_audit.log jobs.log ui.log ; do
  if [ ! -e "${nginx_log_dir}/${log_file}" ] ; then
    do_and_check_cmd touch "${nginx_log_dir}/${log_file}"
  fi
done
# Logs: owned by root, fully accessible to the nginx group, closed to others
do_and_check_cmd chown -R root:nginx "$nginx_log_dir"
do_and_check_cmd chmod -R 770 "${nginx_log_dir}/"
# Prepare Let's Encrypt files and folders
# Each directory is created when missing, then handed to root:nginx with
# mode 770 (only the directory itself, not its contents).
echo " Prepare Let's Encrypt files and folders"
for le_dir in /var/log/letsencrypt /etc/letsencrypt /var/lib/letsencrypt ; do
  if [ ! -e "$le_dir" ] ; then
    do_and_check_cmd mkdir "$le_dir"
  fi
  do_and_check_cmd chown root:nginx "$le_dir"
  do_and_check_cmd chmod 770 "$le_dir"
done
# Docker specific
if [ "$OS" = "alpine" ] ; then
  echo " Preparing Docker image"
  # prepare folders: each data folder moves to the filesystem root and
  # /opt/bunkerweb/<name> becomes a symlink to it
  for data_folder in www http-confs server-confs stream-confs modsec-confs modsec-crs-confs cache plugins ; do
    bw_path="/opt/bunkerweb/${data_folder}"
    if [ -e "$bw_path" ] ; then
      do_and_check_cmd rm -rf "$bw_path"
    fi
    do_and_check_cmd mkdir "/${data_folder}"
    do_and_check_cmd chown root:nginx "/${data_folder}"
    do_and_check_cmd chmod 770 "/${data_folder}"
    do_and_check_cmd ln -s "/${data_folder}" "$bw_path"
  done
  # prepare /var/log: replace the log files by links to the stdout (fd 1) and
  # stderr (fd 2) of PID 1. These commands are not checked for errors.
  rm -f /var/log/nginx/*
  for stderr_log in error.log modsec_audit.log ; do
    ln -s /proc/1/fd/2 "/var/log/nginx/${stderr_log}"
  done
  for stdout_log in access.log jobs.log ; do
    ln -s /proc/1/fd/1 "/var/log/nginx/${stdout_log}"
  done
fi
# We're done: return to the starting directory and drop the build tree
cd "$old_dir"
cleanup
echo " bunkerweb successfully installed !"