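#!/usr/bin/env bash
#
# One-shot installer: puts an nginx reverse proxy (TLS via certbot) in front of
# a myvemail docker-compose deployment, fills in ./.env and starts the stack.
#
# Required environment: appname proxyurl proxyport domain
# Optional environment: mailver (defaults to "latest")
#
# Exit on any error, on an unset variable and on a failed pipeline stage.
set -euo pipefail

# Fill in the following variables (read from the environment)
appname=${appname:-}      # google
proxyurl=${proxyurl:-}    # http://webapps.kvm
proxyport=${proxyport:-}  # 4000
domain=${domain:-}        # www.google.com
mailver=${mailver:-}      # latest/stable

# Abort if variables are missing
for var in appname proxyurl proxyport domain; do
  if [[ -z "${!var}" ]]; then
    echo "Variable ${var} does not exist, aborting..." >&2
    exit 1
  fi
done

# Validate the inputs before they are written into the nginx configuration,
# used as file names, passed to certbot and substituted into ./.env with sed.
# Restricting the character set keeps a stray value from being read as nginx
# syntax, a sed delimiter/expression or a path component such as "../".
if [[ ! "$appname" =~ ^[A-Za-z0-9_-]+$ ]]; then
  echo "Invalid \${appname} variable, exiting" >&2
  exit 1
fi
if [[ ! "$domain" =~ ^[A-Za-z0-9.-]+$ ]]; then
  echo "Invalid \${domain} variable, exiting" >&2
  exit 1
fi
if [[ ! "$proxyport" =~ ^[0-9]+$ ]] || (( proxyport < 1 || proxyport > 65535 )); then
  echo "Invalid \${proxyport} variable, exiting" >&2
  exit 1
fi
# proxy_pass gets "${proxyurl}:${proxyport}", so the URL is scheme://host only
# (host may be a name, an IPv4 address or a bracketed IPv6 literal).
if [[ ! "$proxyurl" =~ ^https?://[][A-Za-z0-9.:-]+$ ]]; then
  echo "Invalid \${proxyurl} variable, exiting" >&2
  exit 1
fi
if [[ ! "$mailver" =~ ^[A-Za-z0-9._-]*$ ]]; then
  echo "Invalid \${mailver} variable, exiting" >&2
  exit 1
fi

# Check for subdomain: the first label is the mail host name, everything after
# it is the mail domain (mail.example.co.uk -> mail / example.co.uk).
if [[ "$domain" == *.*.* ]]; then
  _subdomain=${domain%%.*}
  _domain=${domain#*.}
else
  echo "Invalid \${domain} variable, exiting" >&2
  exit 1
fi

# Figure out nginx conf directory
if grep -q 'include.*conf.d' /etc/nginx/nginx.conf; then
  nginxdir=/etc/nginx/conf.d
elif grep -q 'include.*sites-available' /etc/nginx/nginx.conf; then
  nginxdir=/etc/nginx/sites-available
  # Symlink is created before the file exists; it becomes valid once tee writes it.
  sudo ln -s -f "/etc/nginx/sites-available/${appname}.conf" /etc/nginx/sites-enabled/
else
  echo "Missing nginx directory, exiting..." >&2
  exit 1
fi
nginxconf="${nginxdir}/${appname}.conf"

# Virtual proxy. The heredoc delimiter is unquoted so the shell substitutes the
# validated variables directly (no sed templating); nginx's own $variables are
# escaped as \$ so they reach the file untouched.
sudo tee "$nginxconf" >/dev/null <<proxy
server {
  server_name ${domain};

  location / {
    proxy_pass ${proxyurl}:${proxyport};
    error_log /var/log/nginx/${appname}_error.log;
    access_log /var/log/nginx/${appname}_access.log;

    # proxy_params;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host \$host;
    proxy_set_header X-Forwarded-Port \$server_port;
    proxy_set_header X-Forwarded-Scheme \$scheme;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header Accept-Encoding "";
    proxy_set_header Host \$host;
    proxy_set_header Early-Data \$ssl_early_data;
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_next_upstream error timeout invalid_header http_500;
    proxy_next_upstream_timeout 3s;
    proxy_next_upstream_tries 2;
    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;
    client_max_body_size 0;

    # Websocket
    proxy_http_version 1.1;
    proxy_cache_bypass \$http_upgrade;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
  } # http_upgrade

  # Security
  server_tokens off;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header Referrer-Policy "no-referrer" always;
  add_header X-Permitted-Cross-Domain-Policies "none" always;
  add_header X-Robots-Tag "noindex, nofollow" always;

  # http2
  http2 on;

  # http3
  add_header Alt-Svc 'h3=":443"; ma=86400';
  quic_retry on;
  quic_gso on;
  http3_stream_buffer_size 512k;
  http3 on;

  # Certbot defaults
  add_header Strict-Transport-Security "max-age=31536000" always;
}
proxy

# Run certbot (obtains the certificate and adds the "listen 443 ssl" directives)
sudo certbot --nginx --non-interactive --agree-tos --no-eff-email \
  -m "eff@${_domain}" -d "${domain}" --hsts --no-redirect \
  --renew-hook 'docker exec myvemail /bin/ash -c "dovecot reload; postfix reload"'

# Add http2 and http3 directives: drop the plain-HTTP listener from the TLS
# block and add the QUIC/IPv6 listeners after the one certbot inserted.
# NOTE(review): if certbot also wrote a "listen [::]:443 ssl" line, the added
# IPv6 ssl listener duplicates it — confirm against the generated file.
sudo sed -e '/listen 80/d' \
  -e '/listen 443/a\
    listen 443 quic;\
    listen [::]:443 ssl;\
    listen [::]:443 quic;' \
  -i "$nginxconf"

# Plain-HTTP server that only redirects to HTTPS (nginx $variables escaped).
sudo tee -a "$nginxconf" >/dev/null <<redirect

server {
  listen 80;
  server_name ${domain};

  return 301 https://\$host\$request_uri;
}
redirect

sudo systemctl reload nginx.service

# SSL: expose the Let's Encrypt material to the container under ./data/ssl
[[ -d ./data/ssl/ ]] || install --directory ./data/ssl/
sudo ln -s -f "/etc/letsencrypt/live/${domain}/fullchain.pem" ./data/ssl/tls.pem
sudo ln -s -f "/etc/letsencrypt/live/${domain}/privkey.pem" ./data/ssl/tls.key
[[ -f ./data/ssl/dh.pem ]] || touch ./data/ssl/dh.pem

# Postwhite
[[ -f ./data/postwhite ]] || touch ./data/postwhite

# Environment file. The database passwords are generated into variables first:
# a failing $(openssl ...) inside a sed argument would otherwise be ignored by
# set -e and leave an empty password in ./.env.
roundcube_dbpass=$(openssl rand -hex 32)
postfixadmin_dbpass=$(openssl rand -hex 32)
sed -e "s/{{MYVEMAIL_SUBDOMAIN}}/${_subdomain}/" \
  -e "s/{{MYVEMAIL_DOMAIN}}/${_domain}/" \
  -e "s/{{MYVEMAIL_PORT}}/${proxyport}/" \
  -e "s/{{MYVEMAIL_VERSION}}/${mailver:-latest}/" \
  -e "s/{{MYVEMAIL_ROUNDCUBE_DBPASS}}/${roundcube_dbpass}/" \
  -e "s/{{MYVEMAIL_POSTFIXADMIN_DBPASS}}/${postfixadmin_dbpass}/" \
  -i ./.env

# Cleanup: this is a one-shot installer, so remove the build context and the
# script itself (only when $0 really is a file, e.g. not when fed via stdin).
rm -rf -- ./build/
if [[ -f "$0" ]]; then
  rm -f -- "$0"
fi

# Myvemail initial setup
docker compose pull
docker compose run --rm -it myvemail setup

# Startup
if [[ -d ./data/sql/mysql/ && -d ./data/sql/postfixadmin/ ]]; then
  docker compose up --detach
  # Generating DH parameters takes minutes; run it in the background while the
  # logs are followed. NOTE(review): dh.pem is written while the stack is
  # already up — confirm the container copes with an empty/partial file.
  if [[ ! -s ./data/ssl/dh.pem ]]; then
    openssl dhparam -out ./data/ssl/dh.pem 4096 &
  fi
  docker compose logs --follow
fi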