#!/bin/bash

set -e

. /usr/share/yunohost/helpers

do_pre_regen() {
    pending_dir=$1

    # If the (legacy) 'from_script' flag is here,
    # we won't touch anything in the ssh config.
    [[ ! -f /etc/yunohost/from_script ]] || return 0

    cd /usr/share/yunohost/templates/ssh

    # do not listen to IPv6 if unavailable
    [[ -f /proc/net/if_inet6 ]] && ipv6_enabled=true || ipv6_enabled=false

    ssh_keys=$(ls /etc/ssh/ssh_host_{ed25519,rsa,ecdsa}_key 2>/dev/null || true)

    # Support legacy setting (this setting might be disabled by a user during a migration)
    if [[ "$(yunohost settings get 'service.ssh.allow_deprecated_dsa_hostkey')" == "True" ]]; then
        ssh_keys="$ssh_keys $(ls /etc/ssh/ssh_host_dsa_key 2>/dev/null || true)"
    fi

    # Support different strategy for security configurations
    export compatibility="$(yunohost settings get 'security.ssh.compatibility')"
    export port="$(yunohost settings get 'security.ssh.port')"
    export ssh_keys
    export ipv6_enabled
    ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
}

do_post_regen() {
    regen_conf_files=$1

    # If the (legacy) 'from_script' flag is here,
    # we won't touch anything in the ssh config.
    [[ ! -f /etc/yunohost/from_script ]] || return 0

    # If no file changed, there's nothing to do
    [[ -n "$regen_conf_files" ]] || return 0

    # Enforce permissions for /etc/ssh/sshd_config
    chown root:root "/etc/ssh/sshd_config"
    chmod 644 "/etc/ssh/sshd_config"

    systemctl restart ssh
}

FORCE=${2:-0}
DRY_RUN=${3:-0}

case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
esac

exit 0