#!/bin/bash

#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================

source _common.sh
source /usr/share/yunohost/helpers

#=================================================
# MANAGE SCRIPT FAILURE
#=================================================

# Exit if an error occurs during the execution of the script
ynh_abort_if_errors

#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
#=================================================

domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH
admin=$YNH_APP_ARG_ADMIN
is_public=$YNH_APP_ARG_IS_PUBLIC
language=$YNH_APP_ARG_LANGUAGE

# This is a multi-instance app, meaning it can be installed several times independently
# The id of the app as stated in the manifest is available as $YNH_APP_ID
# The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2", ...)
# The app instance name is available as $YNH_APP_INSTANCE_NAME
#    - the first time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample
#    - the second time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample__2
#    - ynhexample__{N} for the subsequent installations, with N=3,4, ...
# The app instance name is probably what you are interested the most, since this is
# guaranteed to be unique. This is a good unique identifier to define installation path,
# db names, ...
app=$YNH_APP_INSTANCE_NAME

#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================

final_path=/var/www/$app
test ! -e "$final_path" || ynh_die "This path already contains a folder"

# Normalize the url path syntax
path_url=$(ynh_normalize_url_path $path_url)

# Check web path availability
ynh_webpath_available $domain $path_url
# Register (book) web path
ynh_webpath_register $app $domain $path_url

#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================

ynh_app_setting_set $app domain $domain
ynh_app_setting_set $app path $path_url
ynh_app_setting_set $app admin $admin
ynh_app_setting_set $app is_public $is_public
ynh_app_setting_set $app language $language

#=================================================
# STANDARD MODIFICATIONS
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================

ynh_app_setting_set $app final_path $final_path
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source "$final_path"

#=================================================
# NGINX CONFIGURATION
#=================================================

# Create a dedicated nginx config
ynh_add_nginx_config

#=================================================
# CREATE DEDICATED USER
#=================================================

# Create a system user
ynh_system_user_create $app

#=================================================
# PHP-FPM CONFIGURATION
#=================================================

# Create a dedicated php-fpm config
ynh_add_fpm_config

#=================================================
# SPECIFIC SETUP
#=================================================
# CUSTOMIZE DOKUWIKI
#=================================================

# Set the "admin" user
ynh_replace_string "__YNH_ADMIN_USER__" "$admin"  "../conf/local.protected.php"

# Set the "language"
ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php"


# Copy Yunohost specific configuration

# Loading order of configuration files
#
# By default DokuWiki loads its configuration files in the following order:
#
# 1. conf/dokuwiki.php
# 2. conf/local.php
# 3. conf/local.protected.php
#
# See https://www.dokuwiki.org/plugin:config#protecting_settings

cp ../conf/local.protected.php $final_path/conf
# This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost
# It will only be updated by Yunohost package or directly by adventurous users

cp ../conf/local.php           $final_path/conf
# This file might be modified by dokuwiki admin panel or by plugins
# It will not be modified by Yunohost in order to keep user settings

# Restrict user rights by enforcing "read-only" mode for all users
# See https://www.dokuwiki.org/acl#background_info
# Default is "8"
cp ../conf/acl.auth.php $final_path/conf

#=================================================
# CREATE DEFAULT FILES
#=================================================

# For securing DokuWiki installation, create default files that will be writable in the "conf" folder.
# Other files will be read ony and owned by root.
# See https://www.dokuwiki.org/install:permissions


cp $final_path/conf/local.php.dist      $final_path/conf/local.php.bak
cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php

cp $final_path/inc/preload.php.dist     $final_path/inc/preload.php
# This file might be used by plugins like https://www.dokuwiki.org/plugin:siteexport
# Create it to be more "user friendly" as over the top security is not the main goal here
# This file could be use for bad behaviour.
# See https://www.dokuwiki.org/devel:preload?s[]=preload

# There is no template .dist provided inside DokuWiki installation folder
# Create "empty" files to be able to manage linux permissions
# Files content is taken from an existing DokuWiki installation
cp ../conf/plugins.local.php            $final_path/conf
cp ../conf/plugins.local.php            $final_path/conf/plugins.local.php.bak

# Create file if it does not exist
if [ ! -f "$final_path/conf/local.protected.php" ]; then
	# Set the default "admin"
	# Replace string in order to have a functionnal configuration file
	ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php"

	cp ../conf/local.protected.php $final_path/conf
fi

#=================================================
# STORE THE CHECKSUM OF THE CONFIG FILE
#=================================================

# Calculate and store the config file checksum into the app settings
ynh_store_file_checksum "$final_path/conf/local.protected.php"
ynh_store_file_checksum "$final_path/conf/local.php"
ynh_store_file_checksum "$final_path/conf/acl.auth.php"
#=================================================

#=================================================
# GENERIC FINALIZATION
#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================

# Try to use "least privilege" to grant minimal access
# For details, see https://www.dokuwiki.org/install:permissions

# Files owned by DokuWiki can just read
chown -R root: $final_path

# DokuWiki needs to write inside these folders. Do "DokuWiki" owner
chown $app:root $final_path/conf
chown $app:root $final_path/inc

# Do "DokuWiki" owner of configuration files that must be writable
chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak}
# Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport
# See https://www.dokuwiki.org/devel:preload
chown $app:root $final_path/inc/preload.php
# Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them
# There are only files in the folder and there is sublevels. No need to use "find"
chmod -R a+r $final_path/conf
chmod -R a+r $final_path/inc

# Give write access to "data" and subfolders
chown -R $app:root $final_path/data
# Remove access to "other"
chmod -R o-rwx $final_path/data

# Allow the web admin panel to run, aka "Extension Manager"
chown -R $app:root $final_path/lib/plugins
# Allow to install templates
chown -R $app:root $final_path/lib/tpl

# Allow access to public assets like style sheets
find $final_path/lib -type f -print0 | xargs -0 chmod 0644
find $final_path/lib -type d -print0 | xargs -0 chmod 0755
# Using "find" instead of "chmod -R 755" so files does not become executable too
# chmod :   -rwxr-xr-x  1 root root  241 May  3 08:36 index.html   => BAD
# find  :   -rw-r--r--  1 1001 1002  241 May  3 08:36 index.html   => GOOD

#=================================================
# SETUP SSOWAT
#=================================================

# Not needed as no skipped_uris have been added before.
# Example : "ynh_app_setting_set $app skipped_uris ..."
# See https://github.com/YunoHost-Apps/dokuwiki_ynh/pull/37 for explanation
#if [ $is_public -eq 0 ]
#then	# Remove the public access
#	ynh_app_setting_delete $app skipped_uris
#fi

# Make app public if necessary
if [ $is_public -eq 1 ]
then
	# unprotected_uris allows SSO credentials to be passed anyway.
	ynh_app_setting_set $app unprotected_uris "/"
fi

#=================================================
# RELOAD NGINX
#=================================================

systemctl reload nginx