setup.d/nginx

#!/usr/bin/env bash
# Copyright (C) 2021 Rodrigo Silva (MestreLion) <linux@rodrigosilva.com>
# License: GPLv3 or later. See <http://www.gnu.org/licenses/gpl.html>
# -----------------------------------------------------------------------------

DESCRIPTION='Nginx Stable from nginx.org upstream repository'
ARGS='[OPT_ARG1]'

setuplib=${SETUP_LIB_PATH:-"$(dirname "$(readlink -f "$0")")"/../setuplib}
# shellcheck source=../setuplib
if [[ -r "$setuplib" ]]; then source "$setuplib"; else
	echo "Setup library not found: $setuplib" >&2; exit 1;
fi
# -----------------------------------------------------------------------------

# Adapted from https://nginx.org/en/linux_packages.html#Ubuntu

# /etc/apt/keyrings/ is recommended over /usr/share/keyrings/ for local install
# of keys that are not managed by the packages themselves.
# See https://wiki.debian.org/DebianRepository/UseThirdParty
# and `man 5 sources.list` in Ubuntu 22.04+
key=/etc/apt/keyrings/nginx-archive-keyring.gpg
url=https://nginx.org/en/linux_packages.html#Ubuntu
repo=http://nginx.org/packages/ubuntu
line="[arch=${SETUP_APT_ARCH} signed-by=$(escape "$key")] ${repo} ${SETUP_CODENAME} nginx"

# -----------------------------------------------------------------------------

message "Install dependencies"
# Most installed by default. Changed to gnupg instead of transitional gnupg2
install_package curl gnupg ca-certificates lsb-release ubuntu-keyring

message "Add Nginx.org signing key, confirm fingerprint matches $url"
setup_run sudo mkdir -p -- "${key%/*}"
curl -Ss https://nginx.org/keys/nginx_signing.key | gpg --dearmor |
	setup_run sudo tee -- "$key" >/dev/null
# Just for visual confirmation:
gpg --dry-run --quiet --import --import-options import-show "$key"

message "Add Nginx.org APT repository and pin it"
setup_run sudo tee /etc/apt/sources.list.d/nginx-mainline.list <<-EOF
	$(signature)

	deb     ${line}
	deb-src ${line}
EOF
setup_run sudo tee /etc/apt/preferences.d/nginx.pref <<-EOF
	$(signature)

	Package: *
	Pin: origin nginx.org
	Pin: release o=nginx
	Pin-Priority: 900
EOF

message "Install Nginx"
setup_run sudo apt update
install_package nginx

message "Enable Firewall rules"
setup_run sudo tee /etc/ufw/applications.d/nginx <<-EOF
	$(signature)
	# Taken from Ubuntu/Debian downstream nginx source package
	# https://git.launchpad.net/ubuntu/+source/nginx/tree/debian/ufw/nginx
	# https://salsa.debian.org/nginx-team/nginx/-/blob/master/debian/ufw/nginx

	[Nginx HTTP]
	title=Web Server (Nginx, HTTP)
	description=Small, but very powerful and efficient web server
	ports=80/tcp

	[Nginx HTTPS]
	title=Web Server (Nginx, HTTPS)
	description=Small, but very powerful and efficient web server
	ports=443/tcp

	[Nginx Full]
	title=Web Server (Nginx, HTTP + HTTPS)
	description=Small, but very powerful and efficient web server
	ports=80,443/tcp
EOF
setup_run sudo ufw allow 'Nginx Full'
setup_run sudo ufw reload