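#!/usr/bin/env bash
# ---
# type: nginx reverse-proxy vhost for Grafana (HTTP -> HTTPS redirect, TLS
#       termination, WebSocket proxying for Grafana Live)
#
# 1. Adjust variables 'grafana_host_name' and 'grafana_port' and, if not a
#    standard installation, also the nginx-related variables below.
#    Everything that depends on the host name (server_name, certificate
#    paths, config file name) is derived from 'grafana_host_name'.
#
# 2. source README.nginx
#
# This file is meant to be *sourced*, so it deliberately does not use
# `set -e`/`exit` (that would alter or kill the calling shell); on a fatal
# error it returns (or exits, when run directly) with status 1.
#
# Afterwards validate and reload nginx:  nginx -t && systemctl reload nginx
# ---
grafana_host_name="grafana.ndneu.de"
grafana_port=3002

nginx_path_sites_available="/etc/nginx/sites-available"
nginx_path_sites_enabled="/etc/nginx/sites-enabled"
nginx_config_file="${nginx_path_sites_available}/${grafana_host_name}.conf"

# Refuse to continue when the nginx directories are missing: `cat >` would
# fail and the symlink created below would be dangling.
if [[ ! -d "${nginx_path_sites_available}" || ! -d "${nginx_path_sites_enabled}" ]] ; then
    echo "README.nginx: ${nginx_path_sites_available} or ${nginx_path_sites_enabled} does not exist" >&2
    return 1 2>/dev/null || exit 1
fi

# Unquoted heredoc: shell variables are expanded, nginx's own variables are
# written as \$name so they reach the config file verbatim.
cat << EOF > "${nginx_config_file}"
# This is required to proxy Grafana Live WebSocket connections.
map \$http_upgrade \$connection_upgrade {
    default upgrade;
    '' close;
}

upstream grafana {
    # NOTE: if 'localhost' resolves to both 127.0.0.1 and ::1 but Grafana only
    # listens on one of them, nginx will see intermittent upstream failures;
    # use the explicit address Grafana binds to in that case.
    server localhost:${grafana_port};
}

server {
    listen 80;
    listen [::]:80;
    server_name ${grafana_host_name};
    # All plain-HTTP traffic is redirected. If the certificate is renewed via
    # HTTP-01, the ACME challenge location must be reachable either here or in
    # the TLS block below (see the commented include there).
    return 301 https://\$server_name\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${grafana_host_name};

    # Include location directive for Let's Encrypt ACME Challenge
    #
    # Needed for (automated) updating certificate
    # include snippets/letsencrypt-acme-challenge.conf;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_certificate     /var/lib/dehydrated/certs/${grafana_host_name}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${grafana_host_name}/privkey.pem;

    # Diffie-Hellman parameters for the DHE ciphersuites listed below.
    # Mozilla's generator recommends the standard RFC 7919 ffdhe2048 group
    # rather than locally generated (-dsaparam) parameters, e.g.:
    #   curl https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/nginx/ssl/dhparam.pem
    # While this stays commented out, recent nginx (1.11+) will simply not
    # negotiate the DHE-* suites; the ECDHE suites are unaffected.
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Session resumption: tickets are disabled (forward secrecy), and the
    # server-side cache is also commented out, so currently no TLS session is
    # resumed at all. Enable the cache to get the resumption speed-up.
    ssl_session_timeout 1d;
    #ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required), 63072000 seconds = 2 years.
    # 'always' makes nginx send it on error responses too.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    # nginx needs a 'resolver' to look up the OCSP responder; without one
    # stapling is silently skipped ("no resolver defined" in the error log).
    # resolver 127.0.0.1;

    root /usr/share/nginx/html;
    index index.html index.htm;

    location / {
        proxy_set_header Host \$host;
        # Standard forwarding headers so the upstream sees the original client
        # address and scheme instead of the proxy's.
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://grafana;
    }

    # Proxy Grafana Live WebSocket connections.
    location /api/live/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$connection_upgrade;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://grafana;
    }
}
EOF

site_link="${nginx_path_sites_enabled}/$(basename "${nginx_config_file}")"

# Delete existing symlink
#
# Test with -L as well as -e: a dangling symlink (e.g. after the config file
# was removed) fails a plain -f test, and `ln -s` would then abort with
# "File exists".
if [[ -L "${site_link}" || -e "${site_link}" ]] ; then
    rm "${site_link}"
fi

# Activate site (relative link, so the enabled/available pair stays valid if
# /etc/nginx is relocated)
#
ln -s "../sites-available/$(basename "${nginx_config_file}")" "${site_link}"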