#!/bin/bash

readonly EXPANDED_CONF="$MIAOU_CONFIGDIR/miaou.expanded.yaml"

TARGET=$(yq '.target' "$EXPANDED_CONF")
readonly TARGET

function check() {
    container_exists "$CONTAINER" || return 1
    container_running "$CONTAINER" || return 2
    check_reverseproxy || return 4
    check_banner || return 5
    check_certbot || return 6

    PREFIX="recipe:dmz:check" echo "container <$CONTAINER> approved successfully!"
    return 0
}

function check_reverseproxy() {
    lxc exec "$CONTAINER" -- bash <<EOF
        set -Eeuo pipefail
        dpkg -l nginx | grep -q ^ii
        systemctl is-active --quiet nginx
        nginx -tq
EOF
}

function check_certbot() {
    lxc exec "$CONTAINER" -- bash <<EOF
        set -Eeuo pipefail
        dpkg -l certbot  | grep -q ^ii
        dpkg -l python3-certbot-nginx  | grep -q ^ii
EOF
}

function check_banner() {
    if [[ $TARGET != "prod" ]]; then
        lxc exec "$CONTAINER" -- bash <<EOF
            set -Eeuo pipefail
            test -f /etc/nginx/snippets/banner_$TARGET.conf
EOF
    fi
}

function install() {
    PREFIX="recipe:dmz:install"
    : $PREFIX

    echowarn "about to deploy new container <$CONTAINER> ..."

    if ! container_exists "$CONTAINER"; then
        echowarn "about to create new container <$CONTAINER> ..."
        lxc-miaou-create "$CONTAINER"
        echo OK
    fi

    if ! container_running "$CONTAINER"; then
        echowarn "about to start asleep container <$CONTAINER> ..."
        lxc start "$CONTAINER"
        echo OK
    fi

    credential_email=$(load_yaml_from_expanded credential.email)
    lxc exec "$CONTAINER" -- bash <<EOF
        set -Eeuo pipefail
        apt-get update && apt-get dist-upgrade -y
        apt-get install -y nginx ssl-cert libnginx-mod-http-subs-filter certbot python3-certbot-nginx

        echo "registering with your default credential email <$credential_email>"
        certbot register --agree-tos --email $credential_email --no-eff-email || echo "already resgistered!"

        rm /etc/nginx/sites-{enabled,available}/default -f
        systemctl enable nginx

        nginx -tq || rm /etc/nginx/sites-enabled/hosts
        systemctl start nginx
EOF

    if [[ "$TARGET" != "prod" ]]; then
        echo "copying Nginx banner to container <$CONTAINER> ... "
        lxc file push --uid 0 --gid 0 "$MIAOU_BASEDIR/templates/nginx/snippets/banner_$TARGET.conf" "$CONTAINER/etc/nginx/snippets/banner_$TARGET.conf"
        echo "copying files over container <$CONTAINER> ... OK"
    else
        echo "no Nginx banner on PROD!"
    fi

    echo "populate nftables entries into yaml"
    local wan_interface dmz_ip
    wan_interface=$(ip route show default | cut -d ' ' -f5)
    dmz_ip=$(host "$CONTAINER.lxd" | cut -d ' ' -f4)
    yq ".nftables.wan_interface=\"$wan_interface\"" "$EXPANDED_CONF" -i
    yq ".nftables.dmz_ip=\"$dmz_ip\"" "$EXPANDED_CONF" -i

    local nftables_reloading=false
    if [[ "$TARGET" != "dev" ]]; then
        mkdir -p "$MIAOU_CONFIGDIR/nftables.rules.d"
        echo "nat http/s port to dmz"
        tera -t "$MIAOU_BASEDIR/templates/nftables/nat.table.j2" "$EXPANDED_CONF" -o "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" &>/dev/null
        sudo cp "$MIAOU_CONFIGDIR/nftables.rules.d/nat.table" /etc/nftables.rules.d/nat.table
        nftables_reloading=true
    else
        if [[ -f /etc/nftables.rules.d/nat.table ]]; then
            sudo_required "remove previous nat.table"
            sudo rm -f /etc/nftables.rules.d/nat.table
            nftables_reloading=true
        fi
    fi
    if [[ "$nftables_reloading" == true ]]; then
        sudo_required "reload nftables"
        sudo systemctl reload nftables.service
    fi

}

# MAIN
. "$MIAOU_BASEDIR/lib/init.sh"

arg1_required "$@"
readonly CONTAINER="$1"

check || (
    install
    check
)