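#!/usr/bin/env bash
#
# One-shot installer: puts a TLS-terminating nginx reverse proxy in front of
# the "myvemail" docker-compose stack, obtains a Let's Encrypt certificate
# with certbot, writes the stack's .env (with freshly generated DB passwords)
# and starts the stack.
#
# Required environment variables:
#   appname    name used for the nginx conf file and log files   (e.g. google)
#   proxyurl   upstream scheme + host                             (e.g. http://webapps.kvm)
#   proxyport  upstream TCP port                                  (e.g. 4000)
#   domain     public host name with at least three labels       (e.g. www.google.com);
#              first label -> MYVEMAIL_SUBDOMAIN, remainder -> MYVEMAIL_DOMAIN
# Optional:
#   mailver    image version written to .env, "latest" (default) or "stable"
#
# Most steps write as root through sudo. The script deletes ./build/ and
# itself at the end, so run it from a throw-away checkout.

# Exit on any error, on unset variables and on a failing pipeline stage
# (the template is piped through `sudo tee`; without pipefail a failed tee
# would go unnoticed).
set -euo pipefail

# Fill in the following variables (defaulted to empty so `set -u` lets the
# missing-variable check below produce a readable message instead).
appname=${appname:-}     # google
proxyurl=${proxyurl:-}   # http://webapps.kvm
proxyport=${proxyport:-} # 4000
domain=${domain:-}       # www.google.com
mailver=${mailver:-}     # latest/stable

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort if variables are missing
for var in appname proxyurl proxyport domain; do
  [[ -n "${!var}" ]] || die "Variable ${var} does not exist, aborting..."
done

# Validate the inputs before they are spliced into a root-owned nginx config,
# into file names under /etc/nginx (sudo tee / sudo ln) and into .env.
# Restricting them to a conservative character set closes path traversal via
# appname (e.g. "../../etc/x") and template/config injection via the others;
# it also guarantees the placeholder substitution below is purely textual.
[[ "$appname" =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]] \
  || die "Invalid \${appname} variable (allowed: A-Z a-z 0-9 _ -), exiting"
[[ "$proxyurl" =~ ^https?://[A-Za-z0-9.-]+$ ]] \
  || die "Invalid \${proxyurl} variable (expected http(s)://host), exiting"
# 10# forces decimal so a value like "08" is not parsed as octal.
if ! [[ "$proxyport" =~ ^[0-9]{1,5}$ ]] || (( 10#$proxyport < 1 || 10#$proxyport > 65535 )); then
  die "Invalid \${proxyport} variable (expected 1-65535), exiting"
fi
[[ -z "$mailver" || "$mailver" =~ ^[A-Za-z0-9._-]+$ ]] \
  || die "Invalid \${mailver} variable, exiting"

# Check for subdomain: the host must have at least three labels
# (sub.domain.tld). The first label is the mail sub-domain and everything
# after it is the mail domain, so mail.example.co.uk yields example.co.uk
# rather than a truncated "example.co".
if [[ "$domain" =~ ^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+){2,}$ ]]; then
  _subdomain=${domain%%.*}
  _domain=${domain#*.}
else
  die "Invalid \${domain} variable, exiting"
fi

# Figure out nginx conf directory.
# NOTE(review): stock Debian/Ubuntu nginx.conf includes sites-enabled/*, not
# sites-available, so the second branch may never match on those distros —
# confirm against the target layout.
nginx_conf=/etc/nginx/nginx.conf
enable_link=
if grep -q 'include.*conf.d' "$nginx_conf"; then
  nginxdir=/etc/nginx/conf.d
elif grep -q 'include.*sites-available' "$nginx_conf"; then
  nginxdir=/etc/nginx/sites-available
  enable_link=1
else
  die "Missing nginx directory, exiting..."
fi
conf_path="${nginxdir}/${appname}.conf"

# Virtual proxy template. The delimiter is quoted so nginx's own $variables
# survive; the {{placeholders}} are filled in with bash substitution below
# (a literal, non-reinterpreted replacement, unlike a sed s||| expression).
template=$(cat <<'proxy'
server {
  server_name {{domain}};

  location / {
    proxy_pass {{proxyurl}}:{{proxyport}};
    error_log /var/log/nginx/{{appname}}_error.log;
    access_log /var/log/nginx/{{appname}}_access.log;

    # proxy_params;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Accept-Encoding "";
    proxy_set_header Host $host;
    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;
    # 0 = no upload limit at the proxy; the upstream is trusted to enforce its own.
    client_max_body_size 0;

    # Websocket
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
  # http_upgrade

  # Security
  # add_header at server level is only inherited by a location that sets no
  # add_header of its own -- keep "location /" free of add_header lines.
  server_tokens off;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Content-Type-Options "nosniff" always;
  # Legacy header: current browsers ignore it; the real protection is the CSP below.
  add_header X-XSS-Protection "1; mode=block" always;
  add_header Referrer-Policy "strict-origin" always;
  add_header X-Permitted-Cross-Domain-Policies "none" always;
  add_header X-Robots-Tag "noindex, nofollow" always;
  # add_header Content-Security-Policy "default-src 'self';" always;

  # http2
  http2 on;

  # http3
  listen 443 quic;
  add_header Alt-Svc 'h3=":443"; ma=86400';
  quic_retry on;
  http3 on;

  # Certbot defaults
  # NOTE(review): ssl_certificate/ssl_certificate_key are expected to be added
  # by `certbot --nginx`, and options-ssl-nginx.conf / ssl-dhparams.pem are
  # created by certbot too -- on a host where certbot has never run,
  # `nginx -t` below may reject this file. Confirm the intended first-run flow.
  listen 443 ssl;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  # certbot --hsts adds its own STS header as well; RFC 6797 clients honour the first one.
  add_header Strict-Transport-Security "max-age=31536000" always;
}
proxy
)

config=$template
config=${config//"{{domain}}"/"$domain"}
config=${config//"{{proxyurl}}"/"$proxyurl"}
config=${config//"{{proxyport}}"/"$proxyport"}
config=${config//"{{appname}}"/"$appname"}
printf '%s\n' "$config" | sudo tee "$conf_path" >/dev/null

# Enable the site only after the conf file exists (no dangling symlink on failure).
if [[ -n "$enable_link" ]]; then
  sudo ln -s -f "$conf_path" /etc/nginx/sites-enabled/
fi

# Run certbot only if the generated config passes nginx's own check.
sudo nginx -t || exit 1
# The renew hook runs unattended from a timer, so `docker exec` must not ask
# for a TTY (-t fails with "the input device is not a TTY"). --renew-hook is
# kept (rather than --deploy-hook) so the hook fires on renewals only, not on
# this initial issuance when the container does not exist yet.
sudo certbot --nginx --non-interactive --agree-tos --no-eff-email \
  -m "eff@${_domain}" -d "$domain" \
  --staple-ocsp --hsts --no-redirect \
  --renew-hook 'docker exec myvemail /bin/ash -c "dovecot reload; postfix reload"'

# SSL: expose the Let's Encrypt material to the stack under ./data/ssl.
# NOTE(review): these are symlinks into /etc/letsencrypt; they only resolve
# inside a container if /etc/letsencrypt is mounted there too -- verify
# against the compose file.
mkdir -p ./data/ssl/
sudo ln -s -f "/etc/letsencrypt/live/${domain}/fullchain.pem" ./data/ssl/tls.pem
sudo ln -s -f "/etc/letsencrypt/live/${domain}/privkey.pem" ./data/ssl/tls.key
[[ -f ./data/ssl/dh.pem ]] || openssl dhparam -out ./data/ssl/dh.pem 4096

# Postwhite
[[ -f ./data/postwhite ]] || touch ./data/postwhite

# Environment file (only generated once; it holds the DB passwords).
# Created under umask 077 so the secrets are never world-readable, whatever
# the caller's umask is.
if [[ ! -f ./.env ]]; then
  (
    umask 077
    cat >./.env <<gen-env
# Required
# Mail domain
MYVEMAIL_SUBDOMAIN=${_subdomain}
MYVEMAIL_DOMAIN=${_domain}
# Webmail port
MYVEMAIL_PORT=${proxyport}

# Optional
# Version: latest or stable (defaults to latest)
MYVEMAIL_VERSION=${mailver:-latest}
# Additional mail domains separated by commas
MYVEMAIL_ADDMX=
# Backup mail servers separated by commas
MYVEMAIL_BACKUPMX=
# Whitelist SPF
MYVEMAIL_WHITELIST_HELO=
# Whitelist domains separated by commas (eg. website.tld,web.website.tld)
MYVEMAIL_WHITELIST_DOMAINS=
# Whitelist individual email addresses (eg. email@website.tld,email2@website2.tld2)
MYVEMAIL_WHITELIST_EMAILS=
# Blacklist domains separated by commas (eg. website.tld,web.website.tld)
MYVEMAIL_BLACKLIST_DOMAINS=
# Blacklist individual email addresses (eg. email@website.tld,email2@website2.tld2)
MYVEMAIL_BLACKLIST_EMAILS=

# Volumes
MYVEMAIL_VOLUME_MARIADB=
MYVEMAIL_VOLUME_SSL=
MYVEMAIL_VOLUME_DATA=
MYVEMAIL_VOLUME_MAIL=
MYVEMAIL_VOLUME_LOGS=
MYVEMAIL_VOLUME_DKIM=
MYVEMAIL_VOLUME_POSTWHITE=

# MariaDB
# Roundcube
MYVEMAIL_ROUNDCUBE_DBNAME=roundcube
MYVEMAIL_ROUNDCUBE_DBUSER=roundcube
MYVEMAIL_ROUNDCUBE_DBPASS=$(openssl rand -hex 32)
# Postfixadmin
MYVEMAIL_POSTFIXADMIN_DBNAME=postfixadmin
MYVEMAIL_POSTFIXADMIN_DBUSER=postfixadmin
MYVEMAIL_POSTFIXADMIN_DBPASS=$(openssl rand -hex 32)
gen-env
  )
fi

# Cleanup: remove the build tree and this installer. $0 is only removed when
# it is a regular file ($0 is "bash" when the script is fed through a pipe).
rm -rf -- ./build/
if [[ -f "$0" ]]; then
  rm -f -- "$0"
fi

# Myvemail initial setup
docker compose pull
docker compose run --rm -it myvemail setup

# Startup: only once the setup step has produced both database directories.
if [[ -d ./data/sql/mysql/ && -d ./data/sql/postfixadmin/ ]]; then
  docker compose up --detach
  docker compose logs --follow
fi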