#!/bin/sh
set -x
# create nginx user/group first, to be consistent throughout docker variants
addgroup -g 101 -S nginx
adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx
nginxPackages="nginx=${NGINX_VERSION}-r${PKG_RELEASE}"
# install prerequisites for public key and pkg-oss checks
apk add --no-cache --virtual .checksum-deps openssl
set -x
KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655"
wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub
if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
    echo "key verification succeeded!"; \
    mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
else \
    echo "key verification failed!"; \
    exit 1; \
fi
apk add -X "https://nginx.org/packages/ainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages
# remove checksum deps
apk del --no-network .checksum-deps
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi
if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi
if [ -f "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
# be deleted completely, then move `envsubst` back.
apk add --no-cache --virtual .gettext gettext
mv /usr/bin/envsubst /tmp/ \

runDeps="$( \
    scanelf --needed --nobanner /tmp/envsubst \
        | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
        | sort -u \
        | xargs -r apk info --installed \
        | sort -u \
)"
apk add --no-cache $runDeps
apk del --no-network .gettext
mv /tmp/envsubst /usr/local/bin/
# Bring in tzdata so users could set the timezones through the environment
# variables
apk add --no-cache tzdata
# forward request and error logs to docker log collector
ln -sf /dev/stdout /var/log/nginx/access.log
ln -sf /dev/stderr /var/log/nginx/error.log
# create a docker-entrypoint.d directory
mkdir /docker-entrypoint.d