#!/bin/bash

set -e

base_folder_and_perm_init() {

    #############################
    # Base yunohost conf folder #
    #############################

    mkdir -p /etc/yunohost
    # NB: x permission for 'others' is important for ssl-cert (and maybe mdns), otherwise slapd will fail to start because can't access the certs
    chmod 755 /etc/yunohost

    ################
    # Logs folders #
    ################

    mkdir -p /var/log/yunohost
    chown root:root /var/log/yunohost
    chmod 750 /var/log/yunohost

    ##################
    # Portal folders #
    ##################

    getent passwd ynh-portal &>/dev/null || useradd --no-create-home --shell /usr/sbin/nologin --system --user-group ynh-portal

    mkdir -p /etc/yunohost/portal
    chmod 500 /etc/yunohost/portal
    chown ynh-portal:ynh-portal /etc/yunohost/portal

    mkdir -p /usr/share/yunohost/portal/customassets
    chmod 775 /usr/share/yunohost/portal/customassets
    chown root:root /usr/share/yunohost/portal/customassets

    touch /var/log/yunohost-portalapi.log
    chown ynh-portal:root /var/log/yunohost-portalapi.log
    chmod 600 /var/log/yunohost-portalapi.log

    ###############################
    # Sessions folder and secrets #
    ###############################

    # Portal
    mkdir -p /var/cache/yunohost-portal/sessions
    chown ynh-portal:www-data /var/cache/yunohost-portal
    chmod 510 /var/cache/yunohost-portal
    chown ynh-portal:www-data /var/cache/yunohost-portal/sessions
    chmod 710 /var/cache/yunohost-portal/sessions

    # Webadmin
    mkdir -p /var/cache/yunohost/sessions
    chown root:root /var/cache/yunohost/sessions
    chmod 700 /var/cache/yunohost/sessions

    if test -e /etc/yunohost/installed
    then
        # Initialize session secrets
        # Obviously we only do this in the post_regen, ie during the postinstall, because we don't want every pre-installed instance to have the same secret
        if [ ! -e /etc/yunohost/.admin_cookie_secret ]; then
            dd if=/dev/urandom bs=1 count=1000 2>/dev/null | tr --complement --delete 'A-Za-z0-9' | head -c 64 > /etc/yunohost/.admin_cookie_secret
        fi
        chown root:root /etc/yunohost/.admin_cookie_secret
        chmod 400 /etc/yunohost/.admin_cookie_secret

        if [ ! -e /etc/yunohost/.ssowat_cookie_secret ]; then
            # NB: we need this to be exactly 32 char long, because it is later used as a key for AES256
            dd if=/dev/urandom bs=1 count=1000 2>/dev/null | tr --complement --delete 'A-Za-z0-9' | head -c 32 > /etc/yunohost/.ssowat_cookie_secret
        fi
        chown ynh-portal:root /etc/yunohost/.ssowat_cookie_secret
        chmod 400 /etc/yunohost/.ssowat_cookie_secret
    fi

    ##################
    # Domain folders #
    ##################

    mkdir -p /etc/yunohost/domains
    chown root /etc/yunohost/domains
    chmod 700 /etc/yunohost/domains

    ###############
    # App folders #
    ###############

    mkdir -p /etc/yunohost/apps
    chown root /etc/yunohost/apps
    chmod 700 /etc/yunohost/apps

    #####################
    # Apps data folders #
    #####################

    mkdir -p /home/yunohost.app
    chmod 755 /home/yunohost.app

    ################
    # Certs folder #
    ################

    mkdir -p /etc/yunohost/certs
    chown -R root:ssl-cert /etc/yunohost/certs
    chmod 750 /etc/yunohost/certs
    # We do this with find because there could be a lot of them...
    find /etc/yunohost/certs/ -type f -exec chmod 640 {} \;
    find /etc/yunohost/certs/ -type d -exec chmod 750 {} \;

    ##################
    # Backup folders #
    ##################

    mkdir -p /home/yunohost.backup/archives
    chmod 770 /home/yunohost.backup
    chmod 770 /home/yunohost.backup/archives

    if test -e /etc/yunohost/installed
    then
        # The admins group only exist after the postinstall
        chown root:admins /home/yunohost.backup
        chown root:admins /home/yunohost.backup/archives
    else
        chown root:root /home/yunohost.backup
        chown root:root /home/yunohost.backup/archives
    fi

    ########
    # Misc #
    ########

    mkdir -p /etc/yunohost/hooks.d
    chown root /etc/yunohost/hooks.d
    chmod 700 /etc/yunohost/hooks.d

    mkdir -p /var/cache/yunohost/repo
    chown root:root /var/cache/yunohost
    chmod 700 /var/cache/yunohost

    [ ! -e /var/www/.well-known/ynh-diagnosis/ ] || chmod 775 /var/www/.well-known/ynh-diagnosis/

    if test -e /etc/yunohost/installed
    then
        setfacl -m g:all_users:--- /var/www
        setfacl -m g:all_users:--- /var/log/nginx
        setfacl -m g:all_users:--- /etc/yunohost
        setfacl -m g:all_users:--- /etc/ssowat
    fi
}

do_init_regen() {

    cd /usr/share/yunohost/conf/yunohost

    base_folder_and_perm_init

    # Empty ssowat json persistent conf
    echo "{}" >'/etc/ssowat/conf.json.persistent'
    chmod 644 /etc/ssowat/conf.json.persistent
    chown root:root /etc/ssowat/conf.json.persistent
    echo "{}" >'/etc/ssowat/conf.json'
    chmod 644 /etc/ssowat/conf.json
    chown root:root /etc/ssowat/conf.json

    # Empty service conf
    touch /etc/yunohost/services.yml

    # set default current_host
    [[ -f /etc/yunohost/current_host ]] \
        || echo "yunohost.org" >/etc/yunohost/current_host

    # copy default services and firewall
    [[ -f /etc/yunohost/firewall.yml ]] \
        || cp firewall.yml /etc/yunohost/firewall.yml

    # allow users to access /media directory
    [[ -d /etc/skel/media ]] \
        || (mkdir -p /media && ln -s /media /etc/skel/media)

    # YunoHost services
    cp yunohost-api.service /etc/systemd/system/yunohost-api.service
    cp yunohost-portal-api.service /etc/systemd/system/yunohost-portal-api.service
    cp yunohost-firewall.service /etc/systemd/system/yunohost-firewall.service
    cp yunoprompt.service /etc/systemd/system/yunoprompt.service

    systemctl daemon-reload

    systemctl enable yunohost-api.service --quiet
    systemctl start yunohost-api.service

    systemctl enable yunohost-portal-api.service --quiet
    systemctl start yunohost-portal-api.service

    # Enable yunoprompt (in particular for installs from ISO where we want this to show on first boot instead of asking for a login/password)
    systemctl enable yunoprompt --quiet

    # Yunohost-firewall is enabled only during postinstall, not init, not 100% sure why

    cp dpkg-origins /etc/dpkg/origins/yunohost

    # Change dpkg vendor
    # see https://wiki.debian.org/Derivatives/Guidelines#Vendor
    if readlink -f /etc/dpkg/origins/default | grep -q debian;
    then
        rm -f /etc/dpkg/origins/default
        ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default
    fi
}

do_pre_regen() {
    pending_dir=$1

    cd /usr/share/yunohost/conf/yunohost

    mkdir -p $pending_dir/etc/systemd/system
    mkdir -p $pending_dir/etc/cron.d/
    mkdir -p $pending_dir/etc/cron.daily/

    # add cron job for diagnosis to be ran at 7h and 19h + a random delay between
    # 0 and 20min, meant to avoid every instances running their diagnosis at
    # exactly the same time, which may overload the diagnosis server.
    cat >$pending_dir/etc/cron.d/yunohost-diagnosis <<EOF
SHELL=/bin/bash
0 7,19 * * * root : YunoHost Automatic Diagnosis; sleep \$((RANDOM\\%1200)); yunohost diagnosis run --email > /dev/null 2>/dev/null || echo "Running the automatic diagnosis failed miserably"
EOF

    # Cron job that upgrade the app list everyday
    cat >$pending_dir/etc/cron.daily/yunohost-fetch-apps-catalog <<EOF
#!/bin/bash
sleep \$((RANDOM%3600)); yunohost tools update apps > /dev/null
EOF

    # Cron job that renew lets encrypt certificates if there's any that needs renewal
    cat >$pending_dir/etc/cron.daily/yunohost-certificate-renew <<EOF
#!/bin/bash
yunohost domain cert renew --email
EOF

    # If we subscribed to a dyndns domain, add the corresponding cron
    # - delay between 0 and 60 secs to spread the check over a 1 min window
    # - do not run the command if some process already has the lock, to avoid queuing hundreds of commands...
    if ls -l /etc/yunohost/dyndns/K*.key 2>/dev/null; then
        cat >$pending_dir/etc/cron.d/yunohost-dyndns <<EOF
SHELL=/bin/bash
# Every 10 minutes,
#   - (sleep random 60 is here to spread requests over a 1-min window)
#   - if ip.yunohost.org answers ping (basic check to validate that we're connected to the internet and yunohost infra aint down)
#   - and if lock ain't already taken by another command
#   - trigger yunohost dyndns update
*/10 * * * * root : YunoHost DynDNS update; sleep \$((RANDOM\\%60)); ! ping -q -W5 -c1 ip.yunohost.org >/dev/null 2>&1 || test -e /var/run/moulinette_yunohost.lock || yunohost dyndns update >> /dev/null
EOF
    else
        # (Delete cron if no dyndns domain found)
        touch $pending_dir/etc/cron.d/yunohost-dyndns
    fi

    # Skip ntp if inside a container (inspired from the conf of systemd-timesyncd)
    if systemctl | grep -q 'ntp.service'
    then
        mkdir -p ${pending_dir}/etc/systemd/system/ntp.service.d/
        cat >${pending_dir}/etc/systemd/system/ntp.service.d/ynh-override.conf <<EOF
[Unit]
ConditionCapability=CAP_SYS_TIME
ConditionVirtualization=!container
EOF
    fi

    # Make nftable conflict with yunohost-firewall
    mkdir -p ${pending_dir}/etc/systemd/system/nftables.service.d/
    cat >${pending_dir}/etc/systemd/system/nftables.service.d/ynh-override.conf <<EOF
[Unit]
# yunohost-firewall and nftables conflict with each other
Conflicts=yunohost-firewall.service
ConditionFileIsExecutable=!/etc/init.d/yunohost-firewall
ConditionPathExists=!/etc/systemd/system/multi-user.target.wants/yunohost-firewall.service
EOF

    # Don't suspend computer on LidSwitch
    mkdir -p ${pending_dir}/etc/systemd/logind.conf.d/
    cat >${pending_dir}/etc/systemd/logind.conf.d/ynh-override.conf <<EOF
[Login]
HandleLidSwitch=ignore
HandleLidSwitchDocked=ignore
HandleLidSwitchExternalPower=ignore
EOF

    cp yunohost-api.service ${pending_dir}/etc/systemd/system/yunohost-api.service
    cp yunohost-portal-api.service ${pending_dir}/etc/systemd/system/yunohost-portal-api.service
    cp yunohost-firewall.service ${pending_dir}/etc/systemd/system/yunohost-firewall.service
    cp yunoprompt.service ${pending_dir}/etc/systemd/system/yunoprompt.service
    cp proc-hidepid.service ${pending_dir}/etc/systemd/system/proc-hidepid.service

    mkdir -p ${pending_dir}/etc/dpkg/origins/
    cp dpkg-origins ${pending_dir}/etc/dpkg/origins/yunohost

    # Remove legacy hackish/clumsy nodejs autoupdate which ends up filling up space with ambiguous upgrades >_>
    touch "/etc/cron.daily/node_update"
}

do_post_regen() {
    regen_conf_files=$1

    # Re-mkdir / apply permission to all basic folders etc
    base_folder_and_perm_init

    # Legacy log tree structure
    if [ ! -e /var/log/yunohost/operations ]
    then
        mkdir -p /var/log/yunohost/operations
    fi
    if [ -d /var/log/yunohost/categories/operation ] && [ ! -L /var/log/yunohost/categories/operation ]
    then
        # (we use find -type f instead of mv /folder/* to make sure to also move hidden files which are not included in globs by default)
        find /var/log/yunohost/categories/operation/ -type f -print0 | xargs -0 -I {} mv {} /var/log/yunohost/operations/
        # Attempt to delete the old dir (because we want it to be a symlink) or just rename it if it can't be removed (not empty) for some reason
        rmdir /var/log/yunohost/categories/operation || mv /var/log/yunohost/categories/operation /var/log/yunohost/categories/operation.old
        ln -s /var/log/yunohost/operations /var/log/yunohost/categories/operation
    fi

    # Make sure conf files why may be created by apps are owned and writable only by root
    find /etc/systemd/system/*.service -type f | xargs -r chown root:root
    find /etc/systemd/system/*.service -type f | xargs -r chmod 0644

    if ls -l /etc/php/*/fpm/pool.d/*.conf 2>/dev/null
    then
        chown root:root /etc/php/*/fpm/pool.d/*.conf
        chmod 644 /etc/php/*/fpm/pool.d/*.conf
    fi

    find /etc/cron.*/yunohost-* -type f -exec chmod 755 {} \;
    find /etc/cron.d/yunohost-* -type f -exec chmod 644 {} \;
    find /etc/cron.*/yunohost-* -type f -exec chown root:root {} \;


    for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username'); do
        [ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER
    done

    # Misc configuration / state files
    chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null | grep -vw mdns.yml)
    chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)

    # Create ssh.app and sftp.app groups if they don't exist yet
    grep -q '^ssh.app:' /etc/group || groupadd ssh.app
    grep -q '^sftp.app:' /etc/group || groupadd sftp.app

    # Propagates changes in systemd service config overrides
    if systemctl | grep -q 'ntp.service'
    then
        [[ ! "$regen_conf_files" =~ "ntp.service.d/ynh-override.conf" ]] || {
            systemctl daemon-reload
            systemctl restart ntp
        }
    fi

    [[ ! "$regen_conf_files" =~ "nftables.service.d/ynh-override.conf" ]] || systemctl daemon-reload
    [[ ! "$regen_conf_files" =~ "login.conf.d/ynh-override.conf" ]] ||  {
        systemctl daemon-reload
        systemctl restart systemd-logind
    }
    [[ ! "$regen_conf_files" =~ "yunohost-firewall.service" ]] || systemctl daemon-reload
    [[ ! "$regen_conf_files" =~ "yunohost-api.service" ]] || systemctl daemon-reload
    [[ ! "$regen_conf_files" =~ "yunohost-portal-api.service" ]] || systemctl daemon-reload

    if [[ "$regen_conf_files" =~ "yunoprompt.service" ]]; then
        systemctl daemon-reload
        action=$([[ -e /etc/systemd/system/yunoprompt.service ]] && echo 'enable' || echo 'disable')
        systemctl $action yunoprompt --quiet --now
    fi
    if [[ "$regen_conf_files" =~ "proc-hidepid.service" ]]; then
        systemctl daemon-reload
        action=$([[ -e /etc/systemd/system/proc-hidepid.service ]] && echo 'enable' || echo 'disable')
        systemctl $action proc-hidepid --quiet --now
    fi

    systemctl enable yunohost-portal-api.service --quiet
    systemctl is-active yunohost-portal-api --quiet || systemctl start yunohost-portal-api.service

    # Change dpkg vendor
    # see https://wiki.debian.org/Derivatives/Guidelines#Vendor
    if readlink -f /etc/dpkg/origins/default | grep -q debian;
    then
        rm -f /etc/dpkg/origins/default
        ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default
    fi

    if test -e /etc/yunohost/installed && test -e /etc/profile.d/check_yunohost_is_installed.sh
    then
        rm /etc/profile.d/check_yunohost_is_installed.sh
    fi
}

do_$1_regen ${@:2}