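#!/bin/bash
#
# Installs nginx and replaces the Debian default site with an HTTPS-only
# default server that uses the self-signed "snakeoil" certificate.
#
# Run this script with "(sudo) bash <script>".
#
# NOTE(review): the collapsed original read `cat < FILE ... NGX`, which tries
# to read the (not yet existing) config instead of writing it. The here-doc
# operator appears to have been lost in extraction and is restored below.

# Exit on error (-e), on use of an unset variable (-u), and trace every
# command (-x) so a failed run shows exactly where it stopped.
set -eux

# Package installation and writes under /etc/nginx need root; fail early
# with a clear message instead of part-way through.
if [[ "${EUID}" -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi

# Install Debian nginx-full & ssl-cert package.
# apt-get is used instead of apt because apt's command-line interface is not
# guaranteed stable for scripted use. No -y: the operator still confirms.
apt-get install nginx-full ssl-cert

# Disable default site configuration (which also listens on plain HTTP).
rm -vf /etc/nginx/sites-enabled/default

# Simple default ssl-only configuration using snippets/snakeoil.conf.
#
# Security notes:
# - snippets/snakeoil.conf points at the self-signed certificate generated
#   by the ssl-cert package. Clients cannot authenticate the server with it;
#   replace it with a certificate from a trusted CA before exposing the
#   service to real users.
# - Only TLS 1.2/1.3 with forward-secret AEAD suites are offered. Because no
#   weak suite is in the list, leaving the choice to the client
#   (ssl_prefer_server_ciphers off) does not allow a downgrade.
# - Every file matching snippets/custom-default-*.pre / *.inc is loaded as
#   configuration, so /etc/nginx/snippets must stay writable by root only.
#
# The delimiter is quoted so the shell writes the text literally, without
# expanding anything inside it.
cat <<'NGX' > /etc/nginx/sites-available/custom-default
# Add custom http block options, upstreams etc into a file like snippets/custom-default-10-myupstream.pre.
include snippets/custom-default-*.pre;

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    include snippets/snakeoil.conf;

    # Add custom server block options, api locations etc into a file like snippets/custom-default-api.inc.
    include snippets/custom-default-*.inc;
}
NGX

# Enable our custom default config.
ln -sfv /etc/nginx/sites-available/custom-default /etc/nginx/sites-enabled/custom-default

# Validate the configuration first; under `set -e` a failed check aborts the
# script before the running nginx is asked to reload a broken config.
nginx -t
systemctl force-reload nginx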