#!/bin/sh

: ${davical_username:='s-davical'}
: ${davical_dbname:='davical'}
: ${davical_dbhost:="$postgres_host"}
: ${davical_admin_email:="$root_mail_alias"}
: ${davical_access_role:='dav-access'}
: ${davical_repo:='https://gitlab.com/davical-project/davical.git'}
: ${davical_branch:='master'}
: ${davical_awl_repo:='https://gitlab.com/davical-project/awl.git'}
: ${davical_awl_branch:='master'}
: ${davical_admins:=''}

davical_dn="uid=${davical_username},${robots_basedn}"
davical_repo_dir=/usr/local/www/davical
davical_awl_repo_dir=/usr/local/share/awl
davical_webroot="${davical_repo_dir}/htdocs"
davical_https_cert="${nginx_conf_dir}/davical.crt"
davical_https_key="${nginx_conf_dir}/davical.key"
davical_https_cacert="${nginx_conf_dir}/davical.ca.crt"
davical_keytab="${keytab_dir}/davical.keytab"
davical_client_keytab="${keytab_dir}/davical.client.keytab"
davical_fpm_socket=/var/run/fpm-davical.sock

davical_psql(){
  postgres_run --host="$davical_dbhost" --dbname="$davical_dbname" "$@"
}

# Install required packages.
pkg install -y \
  git-lite \
  nginx \
  php${php_version} \
  php${php_version}-calendar \
  php${php_version}-curl \
  php${php_version}-gettext \
  php${php_version}-iconv \
  php${php_version}-ldap \
  php${php_version}-opcache \
  php${php_version}-pdo_pgsql \
  php${php_version}-pgsql \
  php${php_version}-session \
  php${php_version}-xml \
  p5-DBD-Pg \
  p5-DBI \
  p5-YAML

# Install davical from git.
[ -d "$davical_repo_dir" ]     || git clone "$davical_repo"     "$davical_repo_dir"
[ -d "$davical_awl_repo_dir" ] || git clone "$davical_awl_repo" "$davical_awl_repo_dir"

# Update git repos.
git -C "$davical_repo_dir"     pull --ff-only
git -C "$davical_repo_dir"     switch "$davical_branch"
git -C "$davical_awl_repo_dir" pull --ff-only
git -C "$davical_awl_repo_dir" switch "$davical_awl_branch"

# Create davical principal and keytab.
ldap_add "$davical_dn" <<EOF
objectClass: account
uid: ${davical_username}
EOF
add_principal -nokey -x "dn=${davical_dn}" "$davical_username"

ktadd -k "$davical_client_keytab" "$davical_username"
chgrp "$nginx_user" "$davical_client_keytab"
chmod 640 "$davical_client_keytab"

nginx_uid=$(id -u "$nginx_user")
install_directory -o "$nginx_user" -m 0700 "/var/krb5/user/${nginx_uid}"
ln -snfv "$davical_client_keytab" "/var/krb5/user/${nginx_uid}/client.keytab"

# Create HTTP principal and keytab.
add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"

ktadd -k "$davical_keytab" "HTTP/${fqdn}"
chgrp "$nginx_user" "$davical_keytab"
chmod 640 "$davical_keytab"

ln -snfv "$davical_keytab" "/var/krb5/user/${nginx_uid}/keytab"

# Generate davical configuration.
install_template -m 0644 \
  "${davical_repo_dir}/config/config.php" \
  "${davical_repo_dir}/config/administration.yml"

# Create postgres user and database.
postgres_create_role "$davical_dbhost" "$davical_username"
postgres_create_database "$davical_dbhost" "$davical_dbname"

# Initialize davical database.
if ! davical_psql -c 'SELECT 1 FROM awl_db_revision'; then
  davical_psql \
    -f "${davical_awl_repo_dir}/dba/awl-tables.sql" \
    -f "${davical_awl_repo_dir}/dba/schema-management.sql" \
    -f "${davical_repo_dir}/dba/davical.sql"

  PGPASSWORD="$boxconf_password" PGSSLMODE=require \
    "${davical_repo_dir}/dba/update-davical-database" --debug --nopatch

  davical_psql -f "${davical_repo_dir}/dba/base-data.sql"

  PGPASSWORD="$boxconf_password" PGSSLMODE=require \
    "${davical_repo_dir}/dba/update-davical-database" --debug

  davical_psql -c "delete from usr where username = 'admin'"
fi

if [ -n "$davical_admins" ]; then
  # Note: This won't work until each admin in $davical_admins has logged in
  #       at least once.
  davical_psql -c \
    "INSERT INTO role_member (user_no, role_no)
     SELECT user_no, (SELECT role_no FROM roles WHERE role_name  = 'Admin')
     FROM usr
     WHERE username in ('$(join "','" $davical_admins)')
     ON CONFLICT DO NOTHING"
fi

# Copy TLS certificate for nginx.
install_certificate     nginx "$davical_https_cert"
install_certificate_key nginx "$davical_https_key"

# Generate nginx configuration.
install_file -m 0644 "${nginx_conf_dir}/fastcgi_params"
install_template -m 0644 \
  "${nginx_conf_dir}/nginx.conf" \
  "${nginx_conf_dir}/vhosts.conf"
install_file -m 0644 /etc/newsyslog.conf.d/nginx.conf

# Generate php-fpm configuration.
install_file -m 0644 \
  /usr/local/etc/php.ini \
  /usr/local/etc/php-fpm.conf
install_template -m 0644 \
  /usr/local/etc/php-fpm.d/davical.conf
> /usr/local/etc/php-fpm.d/www.conf

# Enable and start daemons.
sysrc -v \
  nginx_enable=YES \
  php_fpm_enable=YES
service nginx restart
service php_fpm restart

# Sync groups from LDAP.
su -m "$nginx_user" -c "${davical_repo_dir}/scripts/cron-sync-ldap.php ${fqdn}"

# Create cron job for keeping LDAP groups up-to-date.
install_template -m 0644 /etc/cron.d/davical

# Create access role.
ldap_add "cn=${davical_access_role},${roles_basedn}" <<EOF
objectClass: groupOfMembers
cn: ${davical_access_role}
EOF