#!/bin/bash
: '
Copyright (C) 2022 - now  HaoZi Technology Co., Ltd.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.
'

source <(curl -f -s --connect-timeout 10 --retry 3 https://dl.cdn.haozi.net/panel/public.sh)
if [ $? -ne 0 ]; then
    echo "下载 public.sh 失败，请检查网络或稍后重试。"
    echo "Download public.sh failed, please check the network or try again later."
    exit 1
fi

channel=${1}
version=${2}
nginx_path="${setup_path}/server/nginx"
j=$(calculate_j)

# 安装依赖
if [ ${OS} == "rhel" ]; then
    dnf makecache -y
    dnf groupinstall "Development Tools" -y
    dnf install cmake tar unzip gd gd-devel git-core flex perl oniguruma oniguruma-devel libsodium-devel libxml2-devel libxslt-devel bison yajl yajl-devel curl curl-devel ncurses-devel libevent-devel readline-devel libuuid-devel brotli-devel icu libicu libicu-devel openssl openssl-devel libzstd-devel -y
elif [ ${OS} == "debian" ] || [ ${OS} == "ubuntu" ]; then
    apt-get update
    apt-get install build-essential cmake tar unzip libgd3 libgd-dev git flex perl libonig-dev libsodium-dev libxml2-dev libxslt1-dev bison libyajl-dev curl libcurl4-openssl-dev libncurses5-dev libevent-dev libreadline-dev uuid-dev libbrotli-dev icu-devtools libicu-dev openssl libssl-dev libzstd-dev -y
else
    error "不支持的操作系统"
fi
if [ "$?" != "0" ]; then
    error "安装依赖软件失败"
fi

# 预检查
systemctl is-active --quiet nginx
if [ "$?" != "0" ]; then
    error "应用运行状态不正常"
fi

# 准备目录
cd ${nginx_path}
rm -rf src

# 下载源码
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ${nginx_path}/openresty-${version}.tar.gz ${download_url}/nginx/openresty-${version}.tar.gz
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ${nginx_path}/openresty-${version}.tar.gz.sha256 ${download_url}/nginx/openresty-${version}.tar.gz.sha256

if ! sha256sum --status -c openresty-${version}.tar.gz.sha256; then
    rm -f openresty-${version}.tar.gz
    rm -f openresty-${version}.tar.gz.sha256
    error "nginx 校验失败"
fi

tar -zxvf openresty-${version}.tar.gz
rm -f openresty-${version}.tar.gz
rm -f openresty-${version}.tar.gz.sha256
mv openresty-${version} src
cd src

# tls library
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O openssl-3.5.0.7z ${download_url}/tls/openssl-3.5.0.7z
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O openssl-3.5.0.7z.sha256 ${download_url}/tls/openssl-3.5.0.7z.sha256

if ! sha256sum --status -c openssl-3.5.0.7z.sha256; then
    rm -rf ${nginx_path}/src
    error "openssl 校验失败"
fi

7z x openssl-3.5.0.7z
rm -f openssl-3.5.0.7z
rm -f openssl-3.5.0.7z.sha256
mv openssl-3.5.0 openssl
chmod -R 700 openssl

# 加载 tls 模块，ktls 需要
modprobe tls
# TODO OpenSSL 3.5.0 已经打过补丁，下次更新不要忘记在这里打补丁哦

# pcre2
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O pcre2-10.45.7z ${download_url}/nginx/pcre/pcre2-10.45.7z
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O pcre2-10.45.7z.sha256 ${download_url}/nginx/pcre/pcre2-10.45.7z.sha256

if ! sha256sum --status -c pcre2-10.45.7z.sha256; then
    rm -rf ${nginx_path}/src
    error "pcre 校验失败"
fi

7z x pcre2-10.45.7z
rm -f pcre2-10.45.7z
rm -f pcre2-10.45.7z.sha256
mv pcre2-10.45 pcre2
chmod -R 700 pcre2

# ngx_cache_purge
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_cache_purge-2.3.tar.gz ${download_url}/nginx/modules/ngx_cache_purge-2.3.tar.gz
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_cache_purge-2.3.tar.gz.sha256 ${download_url}/nginx/modules/ngx_cache_purge-2.3.tar.gz.sha256

if ! sha256sum --status -c ngx_cache_purge-2.3.tar.gz.sha256; then
    rm -rf ${nginx_path}/src
    error "ngx_cache_purge 校验失败"
fi

tar -zxvf ngx_cache_purge-2.3.tar.gz
rm -f ngx_cache_purge-2.3.tar.gz
rm -f ngx_cache_purge-2.3.tar.gz.sha256
mv ngx_cache_purge-2.3 ngx_cache_purge

# nginx-sticky-module
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O nginx-sticky-module.zip ${download_url}/nginx/modules/nginx-sticky-module.zip
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O nginx-sticky-module.zip.sha256 ${download_url}/nginx/modules/nginx-sticky-module.zip.sha256

if ! sha256sum --status -c nginx-sticky-module.zip.sha256; then
    rm -rf ${nginx_path}/src
    error "nginx-sticky-module 校验失败"
fi

unzip -o nginx-sticky-module.zip
rm -f nginx-sticky-module.zip
rm -f nginx-sticky-module.zip.sha256

# nginx-dav-ext-module
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O nginx-dav-ext-module-3.0.0.tar.gz ${download_url}/nginx/modules/nginx-dav-ext-module-3.0.0.tar.gz
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O nginx-dav-ext-module-3.0.0.tar.gz.sha256 ${download_url}/nginx/modules/nginx-dav-ext-module-3.0.0.tar.gz.sha256

if ! sha256sum --status -c nginx-dav-ext-module-3.0.0.tar.gz.sha256; then
    rm -rf ${nginx_path}/src
    error "nginx-dav-ext-module 校验失败"
fi

tar -xvf nginx-dav-ext-module-3.0.0.tar.gz
rm -f nginx-dav-ext-module-3.0.0.tar.gz
rm -f nginx-dav-ext-module-3.0.0.tar.gz.sha256
mv nginx-dav-ext-module-3.0.0 nginx-dav-ext-module

# ngx_http_security_headers_module
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_http_security_headers_module.zip ${download_url}/nginx/modules/ngx_http_security_headers_module.zip
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_http_security_headers_module.zip.sha256 ${download_url}/nginx/modules/ngx_http_security_headers_module.zip.sha256
if ! sha256sum --status -c ngx_http_security_headers_module.zip.sha256; then
    rm -rf ${nginx_path}/src
    error "ngx_http_security_headers_module 校验失败"
fi
unzip -o ngx_http_security_headers_module.zip
rm -f ngx_http_security_headers_module.zip
rm -f ngx_http_security_headers_module.zip.sha256

# ngx_http_trim_filter_module
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_http_trim_filter_module.zip ${download_url}/nginx/modules/ngx_http_trim_filter_module.zip
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_http_trim_filter_module.zip.sha256 ${download_url}/nginx/modules/ngx_http_trim_filter_module.zip.sha256
if ! sha256sum --status -c ngx_http_trim_filter_module.zip.sha256; then
    rm -rf ${nginx_path}/src
    error "ngx_http_trim_filter_module 校验失败"
fi
unzip -o ngx_http_trim_filter_module.zip
rm -f ngx_http_trim_filter_module.zip
rm -f ngx_http_trim_filter_module.zip.sha256

# ngx_http_zstd_module
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_http_zstd_module.zip ${download_url}/nginx/modules/ngx_http_zstd_module.zip
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_http_zstd_module.zip.sha256 ${download_url}/nginx/modules/ngx_http_zstd_module.zip.sha256
if ! sha256sum --status -c ngx_http_zstd_module.zip.sha256; then
    rm -rf ${nginx_path}/src
    error "ngx_http_zstd_module 校验失败"
fi
unzip -o ngx_http_zstd_module.zip
rm -f ngx_http_zstd_module.zip
rm -f ngx_http_zstd_module.zip.sha256

# ngx_brotli
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_brotli-a71f931.zip ${download_url}/nginx/modules/ngx_brotli-a71f931.zip
wget --retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120 -O ngx_brotli-a71f931.zip.sha256 ${download_url}/nginx/modules/ngx_brotli-a71f931.zip.sha256

if ! sha256sum --status -c ngx_brotli-a71f931.zip.sha256; then
    rm -rf ${nginx_path}/src
    error "ngx_brotli 校验失败"
fi

unzip -o ngx_brotli-a71f931.zip
mv ngx_brotli-a71f931 ngx_brotli
rm -f ngx_brotli-a71f931.zip
rm -f ngx_brotli-a71f931.zip.sha256
cd ngx_brotli/deps/brotli
mkdir out && cd out
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
cmake --build . --config Release --target brotlienc
if [ "$?" != "0" ]; then
    rm -rf ${nginx_path}/src
    error "ngx_brotli 编译失败"
fi

cd ${nginx_path}/src

./configure --user=www --group=www \
    --prefix=${nginx_path} --with-luajit \
    --add-module=${nginx_path}/src/ngx_cache_purge \
    --add-module=${nginx_path}/src/nginx-sticky-module \
    --with-openssl=${nginx_path}/src/openssl \
    --with-openssl-opt=enable-ktls \
    --with-pcre=${nginx_path}/src/pcre2 --with-pcre-jit \
    --with-ld-opt="-Wl,-s -Wl,-Bsymbolic -Wl,--gc-sections" \
    --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC -march=native -mtune=native -Ofast -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" \
    --with-luajit-xcflags="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT" \
    --with-file-aio \
    --with-threads \
    --with-compat \
    --with-http_v2_module --with-http_v3_module \
    --with-http_slice_module \
    --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --with-http_image_filter_module \
    --with-http_gzip_static_module --with-http_gunzip_module \
    --with-http_sub_module \
    --with-http_flv_module \
    --with-http_addition_module \
    --with-http_realip_module \
    --with-http_mp4_module \
    --with-http_auth_request_module \
    --with-http_secure_link_module \
    --with-http_random_index_module \
    --with-http_dav_module \
    --add-module=${nginx_path}/src/nginx-dav-ext-module \
    --add-module=${nginx_path}/src/ngx_http_security_headers_module \
    --add-module=${nginx_path}/src/ngx_http_trim_filter_module \
    --add-module=${nginx_path}/src/ngx_brotli \
    --add-module=${nginx_path}/src/ngx_http_zstd_module
make "-j${j}"
if [ "$?" != "0" ]; then
    error "编译失败"
fi

# 停止已有服务
systemctl stop nginx

make install
if [ ! -f "${nginx_path}/nginx/sbin/nginx" ]; then
    error "安装失败"
fi

cd ${nginx_path}

# 自动为所有PHP版本创建配置文件
if [ -d "${setup_path}/server/php" ]; then
    cd ${setup_path}/server/php
    phpList=$(ls -l | grep ^d | awk '{print $NF}')
    for phpVersion in ${phpList}; do
        if [ -d "${setup_path}/server/php/${phpVersion}" ]; then
            # 写入PHP配置文件
            cat >${nginx_path}/conf/enable-php-${phpVersion}.conf <<EOF
location ~ \.php$ {
    try_files \$uri =404;
    fastcgi_pass unix:/tmp/php-cgi-${phpVersion}.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
    include pathinfo.conf;
}
EOF
        fi
    done
fi

# 处理文件权限
chmod -R 755 ${nginx_path}
chmod -R 644 ${setup_path}/server/vhost

systemctl daemon-reload
systemctl start nginx
if [ "$?" != "0" ]; then
    error "启动失败"
fi

panel-cli app write nginx ${channel} ${version}

echo -e $HR
echo "升级完成"
echo -e $HR