#!/bin/bash

#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================

source _common.sh
source /usr/share/yunohost/helpers

#=================================================
# MANAGE SCRIPT FAILURE
#=================================================

ynh_clean_setup () {
	### Remove this function if there's nothing to clean before calling the remove script.
	true
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors

#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
#=================================================

domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH #TODO: Check if possible with wireguard_ui to use sub path
admin=$YNH_APP_ARG_ADMIN
is_public=$YNH_APP_ARG_IS_PUBLIC # Forced to use it to pass root installation check as public

app=$YNH_APP_INSTANCE_NAME

#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
ynh_script_progression --message="Validating installation parameters..." --weight=1

final_path=/opt/yunohost/$app
test ! -e "$final_path" || ynh_die --message="This path already contains a folder"

# Register (book) web path
ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url

#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_script_progression --message="Storing installation settings..." --weight=1

ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=is_public --value=$is_public # Forced to use it to pass root installation check as public

#=================================================
# STANDARD MODIFICATIONS
#=================================================
# FIND AND OPEN A PORT
#=================================================
ynh_script_progression --message="Configuring firewall..." --weight=1

# Find an available port for WireGuard
port_wg=$(ynh_find_port --port=8095)
ynh_app_setting_set --app=$app --key=port_wg --value=$port_wg

# Find an available port for WireGuard UI
port=$(ynh_find_port --port=8096)
ynh_app_setting_set --app=$app --key=port --value=$port

# Open the WireGuard port
ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $port_wg

#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Installing dependencies..." --weight=7

#Add buster-backports repo
ynh_add_repo --uri="http://deb.debian.org/debian" --suite="buster-backports" --component="main" --name="$app"

#Add pin-priority for wireguard package
ynh_pin_repo --package="wireguard*" --pin="origin deb http://deb.debian.org/debian buster-backports main" --priority=995 --name="$app"

# Update the list of package with the new repo
ynh_package_update

ynh_add_app_dependencies --package="$pkg_dependencies"

#Remove buster-backports repo and pin-priority
ynh_remove_extra_repo --name=$app

#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Setting up source files..." --weight=1

ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path" --source_id="$(ynh_detect_arch)"

#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring nginx web server..." --weight=1

# Create a dedicated nginx config
ynh_add_nginx_config

#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Configuring system user..." --weight=1

# Create a system user
ynh_system_user_create --username=$app

#=================================================
# SPECIFIC SETUP
#=================================================
# CONFIGURING WIREGUARD
#=================================================

# Create db directory for securing it later
mkdir -p $final_path/db/server

# Add interface configuration file for the Web UI
cp ../conf/interfaces.json $final_path/db/server/interfaces.json
ynh_replace_string --match_string="__PORT_WG__" --replace_string="$port_wg" --target_file="$final_path/db/server/interfaces.json"

# Create WireGuard configuration directory
mkdir -p /etc/wireguard

# Add interace configuration file for WireGuard
cp ../conf/wg0.conf /etc/wireguard/wg0.conf
ynh_replace_string --match_string="__PORT_WG__" --replace_string="$port_wg" --target_file="/etc/wireguard/wg0.conf"
ynh_replace_string --match_string="__PRIVATE_KEY__" --replace_string="$(wg genkey)" --target_file="/etc/wireguard/wg0.conf"

#=================================================
# SETUP SYSTEMD
#=================================================
ynh_script_progression --message="Configuring a systemd service..." --weight=1

# Create a dedicated systemd config for the web UI
ynh_add_systemd_config --service=wireguard_ui --template=wireguard_ui.service --others_var="port"

# Create a dedicated systemd config for monitoring WireGuard's configuration
cp ../conf/wireguard.path /etc/systemd/system/wireguard.path
systemctl enable --quiet wireguard.path

# Create a dedicated systemd config for restarting WireGuard
ynh_add_systemd_config --service=wireguard --template=wireguard.service --others_var="port_wg"

#=================================================
# GENERIC FINALIZATION
#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================

### For security reason, any app should set the permissions to root: before anything else.
### Then, if write authorization is needed, any access should be given only to directories
### that really need such authorization.

# Set permissions to app files
chown -R root: $final_path
chown -R $app: $final_path/db
chmod -R 750 $final_path/db

chown -R $app:$app /etc/wireguard

#=================================================
# SETUP LOGROTATE
#=================================================
ynh_script_progression --message="Configuring log rotation..." --weight=1

### `ynh_use_logrotate` is used to configure a logrotate configuration for the logs of this app.
### Use this helper only if there is effectively a log file for this app.
### If you're not using this helper:
###		- Remove the section "BACKUP LOGROTATE" in the backup script
###		- Remove also the section "REMOVE LOGROTATE CONFIGURATION" in the remove script
###		- As well as the section "RESTORE THE LOGROTATE CONFIGURATION" in the restore script
###		- And the section "SETUP LOGROTATE" in the upgrade script

# Use logrotate to manage application logfile(s)
ynh_use_logrotate

#=================================================
# INTEGRATE SERVICE IN YUNOHOST
#=================================================
ynh_script_progression --message="Integrating service in YunoHost..." --weight=1

yunohost service add wireguard --description "WireGuard" --needs_exposed_ports $port_wg --test_status "wg show | grep wg0"
yunohost service add wireguard_ui --description "WireGuard UI" --log "/var/log/$app/ui.log"

### Additional options starting with 3.8:
###
### --needs_exposed_ports "$port" a list of ports that needs to be publicly exposed
###                               which will then be checked by YunoHost's diagnosis system
###                               (N.B. DO NOT USE THIS is the port is only internal !!!)
###
### --test_status "some command"  a custom command to check the status of the service
###                               (only relevant if 'systemctl status' doesn't do a good job)
###
### --test_conf "some command"    some command similar to "nginx -t" that validates the conf of the service
###
### Re-calling 'yunohost service add' during the upgrade script is the right way
### to proceed if you later realize that you need to enable some flags that
### weren't enabled on old installs (be careful it'll override the existing
### service though so you should re-provide all relevant flags when doing so)
###

#=================================================
# START SYSTEMD SERVICE
#=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=1

# Start a systemd service
ynh_systemd_action --service_name=wireguard_ui --action="start" --log_path="/var/log/$app/ui.log"

#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Configuring permissions..." --weight=1

# Make app public if necessary to pass root installation check
if [ $is_public -eq 1 ]
then
	ynh_permission_update --permission "main" --add visitors
else
	ynh_permission_update --permission "main" --remove "all_users" --add "$admin"
fi

#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading nginx web server..." --weight=1

ynh_systemd_action --service_name=nginx --action=reload

#=================================================
# END OF SCRIPT
#=================================================

ynh_script_progression --message="Installation of $app completed" --last