#!/bin/bash

#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================

source _common.sh
source /usr/share/yunohost/helpers

#=================================================
# MANAGE SCRIPT FAILURE
#=================================================

# Exit if an error occurs during the execution of the script
ynh_abort_if_errors

#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
#=================================================

domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH
admin=$YNH_APP_ARG_ADMIN
is_public=$YNH_APP_ARG_IS_PUBLIC
language=$YNH_APP_ARG_LANGUAGE

app=$YNH_APP_INSTANCE_NAME

#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
ynh_script_progression --message="Validating installation parameters..." --weight=2

final_path=/var/www/$app
test ! -e "$final_path" || ynh_die --message="This path already contains a folder"

# Register (book) web path
ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url

#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_script_progression --message="Storing installation settings..." --weight=2

ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=is_public --value=$is_public
ynh_app_setting_set --app=$app --key=language --value=$language

#=================================================
# STANDARD MODIFICATIONS
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Setting up source files..." --weight=2

ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path"

#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring nginx web server..." --weight=2

# Create a dedicated nginx config
ynh_add_nginx_config

#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Configuring system user..." --weight=2

# Create a system user
ynh_system_user_create --username=$app

#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring php-fpm..." --weight=2

# Create a dedicated php-fpm config
ynh_add_fpm_config

#=================================================
# SPECIFIC SETUP
#=================================================
# CUSTOMIZE DOKUWIKI
#=================================================
ynh_script_progression --message="Configuring dokuwiki..." --weight=2

# Loading order of configuration files
#
# By default DokuWiki loads its configuration files in the following order:
#
# 1. conf/dokuwiki.php
# 2. conf/local.php
# 3. conf/local.protected.php
#
# See https://www.dokuwiki.org/plugin:config#protecting_settings


### Copy Yunohost specific configuration
# This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost
# It will only be updated by Yunohost package or directly by adventurous users
cp ../conf/local.protected.php $final_path/conf

# Set the "admin" user
ynh_replace_string --match_string="__YNH_ADMIN_USER__" --replace_string="$admin"    --target_file="$final_path/conf/local.protected.php"


# This file might be modified by dokuwiki admin panel or by plugins
# It will not be modified by Yunohost in order to keep user settings
cp ../conf/local.php           $final_path/conf

# Set the "language"
ynh_replace_string --match_string="__YNH_LANGUAGE__"   --replace_string="$language" --target_file="$final_path/conf/local.php"


# Restrict user rights by enforcing "read-only" mode for all users
# See https://www.dokuwiki.org/acl#background_info
# Default is "8"
cp ../conf/acl.auth.php        $final_path/conf

#=================================================
# CREATE DEFAULT FILES
#=================================================

# For securing DokuWiki installation, create default files that will be writable in the "conf" folder.
# Other files will be read ony and owned by root.
# See https://www.dokuwiki.org/install:permissions

cp $final_path/conf/local.php.dist      $final_path/conf/local.php.bak
cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php

# This file might be used by plugins like https://www.dokuwiki.org/plugin:siteexport
# Create it to be more "user friendly" as over the top security is not the main goal here
# This file could be use for bad behaviour.
# See https://www.dokuwiki.org/devel:preload?s[]=preload
cp $final_path/inc/preload.php.dist     $final_path/inc/preload.php

# There is no template .dist provided inside DokuWiki installation folder
# Create "empty" files to be able to manage linux permissions
# Files content is taken from an existing DokuWiki installation
cp ../conf/plugins.local.php            $final_path/conf
cp ../conf/plugins.local.php            $final_path/conf/plugins.local.php.bak

#=================================================
# STORE THE CHECKSUM OF THE CONFIG FILE
#=================================================

# Calculate and store the config file checksum into the app settings
ynh_store_file_checksum --file="$final_path/conf/local.protected.php"
### Files '$final_path/conf/local.php' and '$final_path/conf/acl.auth.php' can be modified by user, no need to store checksum as they cannot be overwritten safely by the upgrade script

#=================================================
# INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN
#=================================================
ynh_script_progression --message="Installing logautherror plugin for fail2ban..." --weight=2

ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror

#=================================================
# GENERIC FINALIZATION
#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================

# Try to use "least privilege" to grant minimal access
# For details, see https://www.dokuwiki.org/install:permissions

# Files owned by DokuWiki can just read
chown -R root: $final_path

# DokuWiki needs to write inside these folders. Make "DokuWiki" owner
chown $app:root $final_path/{conf,inc}

# Make "DokuWiki" owner of configuration files that must be writable
chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak}

# Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport
# See https://www.dokuwiki.org/devel:preload
chown $app:root $final_path/inc/preload.php

# Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them
# There are only files in the folder and there are no sublevels. No need to use "find"
chmod -R a+r $final_path/{conf,inc}

# Give write access to "data" and subfolders
chown -R $app:root $final_path/data
# Remove access to "other"
chmod -R o-rwx $final_path/data

# Allow the web admin panel to run, aka "Extension Manager"
chown -R $app:root $final_path/lib/plugins
# Allow to install templates
chown -R $app:root $final_path/lib/tpl

# Allow access to public assets like style sheets
find $final_path/lib -type f -print0 | xargs -0 chmod 0644
find $final_path/lib -type d -print0 | xargs -0 chmod 0755
# Using "find" instead of "chmod -R 755" so files does not become executable too
# chmod :   -rwxr-xr-x  1 root root  241 May  3 08:36 index.html   => BAD
# find  :   -rw-r--r--  1 1001 1002  241 May  3 08:36 index.html   => GOOD

#=================================================
# SETUP FAIL2BAN
#=================================================
ynh_script_progression --message="Configuring fail2ban..." --weight=7

ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: <HOST>,.*POST $path_url.*$" --max_retry=5

#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Configuring SSOwat..."

# Make app public if necessary
if [ $is_public -eq 1 ]
then
	# unprotected_uris allows SSO credentials to be passed anyway.
	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
fi

#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading nginx web server..."

ynh_systemd_action --service_name=nginx --action=reload

#=================================================
# END OF SCRIPT
#=================================================

ynh_script_progression --message="Installation of $app completed" --last