#!/usr/bin/env bash
# Renders the nginx site for the application from a template, installs it into
# sites-available/sites-enabled and reloads nginx once `nginx -t` passes.
# Relies on lib.sh for log, die, APP_USER and APP_DIR (not visible here —
# confirm against lib.sh).
set -euo pipefail

source ./lib.sh

log "Nginx konfigurieren …"

# Repository root: the parent of the directory containing this script.
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"

NGINX_SITE="/etc/nginx/sites-available/${APP_USER}.conf"
NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf"
ACME_ROOT="/var/www/letsencrypt"
install -d -m 0755 "$ACME_ROOT"

# Drop the distribution default site on both sides so that the rendered site
# is the only candidate for default_server (a second one would clash).
rm -f -- /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true

# Append " http2" to the listen directives only when this nginx build
# advertises the HTTP/2 module in its configure output.
if nginx -V 2>&1 | grep -q -- http_v2; then
  NGINX_HTTP2_SUFFIX=" http2"
else
  NGINX_HTTP2_SUFFIX=""
fi
# PHP-FPM Socket oder TCP ermitteln und fastcgi_pass bauen
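#######################################
# Pick the PHP-FPM endpoint nginx should talk to.
# Prefers a versioned socket file (newest PHP first), then the unversioned
# socket, and falls back to TCP loopback when no socket file exists. Only the
# existence of the socket file is checked, not whether anything listens on it.
# Globals:   none (loop variables are local, unlike before)
# Arguments: none
# Outputs:   "unix:<socket path>" or "127.0.0.1:9000" on stdout
# Returns:   0 always
#######################################
detect_php_fpm_sock(){
  local ver sock
  for ver in 8.3 8.2 8.1 8.0 7.4; do
    sock="/run/php/php${ver}-fpm.sock"
    if [[ -S "$sock" ]]; then
      printf '%s\n' "unix:${sock}"
      return 0
    fi
  done
  if [[ -S /run/php/php-fpm.sock ]]; then
    printf '%s\n' "unix:/run/php/php-fpm.sock"
    return 0
  fi
  # Fallback: assume PHP-FPM listens on TCP loopback (not verified here).
  printf '%s\n' "127.0.0.1:9000"
}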
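# Build the fastcgi_pass directive from the detected PHP-FPM endpoint.
# nginx identifies a UNIX-domain socket by the "unix:" prefix
# (fastcgi_pass unix:/path;) and parses a bare path as a host name, which makes
# `nginx -t` reject the site. The prefix emitted by detect_php_fpm_sock is
# therefore kept; a TCP "host:port" target is passed through unchanged too.
PHP_FPM_TARGET="$(detect_php_fpm_sock)"
FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"

# Is there a certificate for the UI? Both files must exist and be non-empty,
# otherwise the site is rendered HTTP-only.
UI_CERT="/etc/ssl/ui/fullchain.pem"
UI_KEY="/etc/ssl/ui/privkey.pem"
if [[ -s "$UI_CERT" && -s "$UI_KEY" ]]; then
  SSL_ENABLED=1
else
  SSL_ENABLED=0
fi

# Template with the __HTTP_BODY__ / __SSL_SERVER_BLOCK__ markers (assumed from
# the substitutions below — confirm against the template file).
TPL="${ROOT_DIR}/config/nginx/site.conf.tmpl"
[[ -f "$TPL" ]] || die "Nginx-Template fehlt: $TPL"
render="$(<"$TPL")"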
# --------- Building blocks that are spliced into the template ---------
# All heredocs below use a quoted delimiter, so nothing is expanded here:
# ${APP_DIR}, ${APP_USER}, ${UI_CERT}, ${UI_KEY}, ${NGINX_HTTP2_SUFFIX} and
# __FASTCGI_PASS__ are substituted later, while $uri, $query_string, $host,
# $http_upgrade and $request_uri are nginx variables and must stay literal.

# (A) HTTP body when there is NO TLS: the app is served directly on port 80.
# In the PHP location, `try_files $uri =404` makes nginx refuse requests whose
# script file does not exist instead of handing them to PHP-FPM.
HTTP_BODY_APP="$(cat <<'HTTP'
root ${APP_DIR}/public;
index index.php index.html;

access_log /var/log/nginx/${APP_USER}_access.log;
error_log /var/log/nginx/${APP_USER}_error.log;

client_max_body_size 25m;

location / { try_files $uri $uri/ /index.php?$query_string; }
location ~ \.php$ {
include snippets/fastcgi-php.conf;
__FASTCGI_PASS__
try_files $uri =404;
}
location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }
HTTP
)"

# (B) HTTP body when TLS is active: only a permanent redirect to 443.
HTTP_BODY_REDIRECT='return 301 https://$host$request_uri;'

# (C) Complete TLS server block (only inserted when TLS is active).
# Mirrors (A) with separate *_ssl_* logs, plus reverse-proxy locations for the
# WebSocket and HTTP API of Laravel Reverb, which is assumed to listen on
# 127.0.0.1:8080 — confirm against the Reverb service configuration.
SSL_BLOCK="$(cat <<'SSL'
server {
listen 443 ssl${NGINX_HTTP2_SUFFIX};
listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
server_name _;

ssl_certificate ${UI_CERT};
ssl_certificate_key ${UI_KEY};
ssl_protocols TLSv1.2 TLSv1.3;

root ${APP_DIR}/public;
index index.php index.html;

access_log /var/log/nginx/${APP_USER}_ssl_access.log;
error_log /var/log/nginx/${APP_USER}_ssl_error.log;

client_max_body_size 25m;

location / { try_files $uri $uri/ /index.php?$query_string; }
location ~ \.php$ {
include snippets/fastcgi-php.conf;
__FASTCGI_PASS__
try_files $uri =404;
}
location ^~ /livewire/ { try_files $uri /index.php?$query_string; }
location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ { expires 30d; access_log off; }

# WebSocket: Laravel Reverb
location /ws/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_pass http://127.0.0.1:8080/;
}

# Reverb HTTP API
location /apps/ {
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_pass http://127.0.0.1:8080/apps/;
}
}
SSL
)"
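# --------- Fill in the placeholders ---------
# With TLS material present the :80 server only redirects and the full :443
# server block is spliced in; without it the app is served on :80 and the
# __SSL_SERVER_BLOCK__ marker is removed entirely.
if (( SSL_ENABLED == 1 )); then
  render=${render/__HTTP_BODY__/"$HTTP_BODY_REDIRECT"}
  render=${render/__SSL_SERVER_BLOCK__/"$SSL_BLOCK"}
else
  render=${render/__HTTP_BODY__/"$HTTP_BODY_APP"}
  render=${render/__SSL_SERVER_BLOCK__/}
fi

# Substitute the ${...} markers and __FASTCGI_PASS__ in the assembled render.
# Parameter expansion instead of sed: the values are inserted verbatim, so a
# path containing '|', '&' or '\' can neither break the expression nor be
# reinterpreted as a sed back-reference. Patterns are single-quoted (matched
# literally); replacements are double-quoted so '&' stays literal even with
# bash's patsub_replacement option.
render=${render//'${APP_DIR}'/"$APP_DIR"}
render=${render//'${APP_USER}'/"$APP_USER"}
render=${render//'${UI_CERT}'/"$UI_CERT"}
render=${render//'${UI_KEY}'/"$UI_KEY"}
render=${render//'${NGINX_HTTP2_SUFFIX}'/"$NGINX_HTTP2_SUFFIX"}
render=${render//__FASTCGI_PASS__/"$FASTCGI_PASS"}

# Write and enable the site. printf instead of echo: the render is arbitrary
# text and must not go through echo's option and escape handling.
printf '%s\n' "$render" > "$NGINX_SITE"
ln -sf "$NGINX_SITE" "$NGINX_SITE_LINK"

# Validate the whole nginx configuration before touching the service. On
# failure the freshly written site file is left in place for inspection.
if nginx -t; then
  systemctl enable --now nginx >/dev/null 2>&1 || true
  systemctl reload nginx || true
else
  die "nginx -t fehlgeschlagen – siehe /var/log/nginx/*.log"
fi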