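#!/bin/bash
#
# (Re-)Configure Libre Workspace and m23 for working together.
#
# Usage: <this script> <DOMAIN> <IP> <ADMIN_PASSWORD>
#   DOMAIN          main domain the Libre Workspace runs on; m23 is served as m23.<DOMAIN>
#   IP              IP address of the Libre Workspace host (written to the m23 *.override files)
#   ADMIN_PASSWORD  password of the Libre Workspace administrator (reused for m23's "Administrator")
#
# Must run as root: it edits /etc/caddy/Caddyfile, /m23/etc/*.override, the ufw rule set,
# the CA files deployed to the m23 clients, and /m23/etc/lw.apikey.
# Exit status 23 on a usage error; other steps are best-effort and only logged.
#
# NOTE(review): the password is passed on the command line (visible to `ps` on this host
# while the script and m23cli.php run); m23cli.php addm23Admin only accepts it as an
# argument, so it cannot be moved to stdin/env here.

if [[ $# -ne 3 ]]; then
	echo "$0 <DOMAIN> <IP> <ADMIN_PASSWORD>"
	echo "(Re-)Configure Libre Workspace and m23 for working together"
	exit 23
fi

# Main domain where the Libre Workspace runs on
DOMAIN="$1"

# IP address of Libre Workspace
IP="$2"

# Password of the Libre Workspace administrator
ADMIN_PASSWORD="$3"

# Progress/diagnostics log (appended across runs).
# NOTE(review): a fixed name under /tmp written by root can be pre-created as a symlink
# by any local user and redirect the appends; kept for compatibility with whatever reads
# this path today — a location under /var/log would avoid that.
LOG=/tmp/configLibreWorkspace.log

# Files edited/produced below.
CADDYFILE=/etc/caddy/Caddyfile
BASESYS=/m23/data+scripts/packages/baseSys

#######################################
# Append a line to the script log.
# Arguments: message words (joined with spaces)
#######################################
log() {
	printf '%s\n' "$*" >> "$LOG" 2>&1
}

#######################################
# Check whether an m23 admin with the given name exists.
# Arguments: $1 - admin name
# Returns:   0 if listm23Admins prints the name as a whole word, 1 otherwise
#            (also 1 when m23cli.php fails or prints nothing)
#######################################
has_admin() {
	# -w: "Administrator" must not be satisfied by e.g. "Administrator2", nor "god" by "godfrey".
	# Assumes listm23Admins prints names as whole words — confirm against its output format.
	/m23/bin/m23cli.php listm23Admins | grep -qw -- "$1"
}



# Make the domain resolvable on the server

	# Remove a (maybe) existing DNS entry
#	sed -i "/^$IP m23\.$DOMAIN/d" /etc/hosts

	# Add the DNS entry
#	echo "$IP m23.$DOMAIN" >> /etc/hosts



# Configure Caddy as reverse proxy for m23

	# Remove a (maybe) existing Caddy entry
	sed -i '/^###m23begin/,/^###m23end/d' "$CADDYFILE"

	# Add the Caddy entry. Only $DOMAIN is expanded; Caddy's {remote_host} placeholder
	# carries no '$' and therefore stays literal.
	cat >> "$CADDYFILE" <<EOF
###m23begin
m23.$DOMAIN {
    #tls internal
    reverse_proxy localhost:2380 {
        header_up X-Real-IP {remote_host}
    }
}
###m23end
EOF

	# If domain is "int.de" uncomment the tls internal line for internal https.
	# Limited to the m23 block so a "#tls internal" in another site's block is left alone.
	if [[ "$DOMAIN" == "int.de" ]]; then
		sed -i '/^###m23begin/,/^###m23end/s/#tls internal/tls internal/' "$CADDYFILE"
	fi

	# Apply the settings
	systemctl restart caddy



# Use Caddy's SSL certificate

	# Check Caddy's SSL ($? below is wget's exit status)
	wget "https://m23.$DOMAIN" -O /dev/null -q
	log "https://m23.$DOMAIN status: $?"

	# Install Caddy's local CA into the system trust store and locate its PEM
	caddy trust
	update-ca-certificates

	# Glob instead of parsing `ls`: with several matches `ls` output would have been
	# joined into one bogus path; with none, the literal pattern would have been used.
	shopt -s nullglob
	pems=(/etc/ssl/certs/Caddy_Local_Authority_*)
	shopt -u nullglob

	if [[ ${#pems[@]} -gt 0 ]]; then
		pem="${pems[0]}"
		log "pem: $pem"

		# Calculate hash
		openssl x509 -in "$pem" -subject_hash_old -noout > "$BASESYS/ca.hash"
		cp -- "$pem" "$BASESYS/ca.crt"

		# Fix access
		chown www-data:www-data "$BASESYS/ca.crt" "$BASESYS/ca.hash"
		chmod 644 "$BASESYS/ca.crt" "$BASESYS/ca.hash"
	else
		# Do not overwrite a previously deployed ca.hash with an empty file.
		log "no Caddy local CA found under /etc/ssl/certs; ca.crt/ca.hash not updated"
	fi

# Generate certificate via m23's script as it would be generated by m23@web
# 	if [ ! -d "/m23/data+scripts/packages/baseSys/m23.$DOMAIN" ]
# 	then
# 		# Build the CA and a certificate
# 		/m23/bin/mkCert.sh m23.$DOMAIN
# 
# 		# Move the certificate and hash file for the client into the "normal" deploy directory
# 		mv "/m23/data+scripts/packages/baseSys/m23.$DOMAIN"/* /m23/data+scripts/packages/baseSys
# 
# 		# Move the CA and private key file for the server into the "normal" Apache directory
# 		mv "/etc/apache/m23/m23.$DOMAIN"/* /etc/apache/m23
# 
# 		# Fix access
# 		chown www-data:www-data /m23/data+scripts/packages/baseSys/ca.crt /m23/data+scripts/packages/baseSys/ca.hash
# 		chown caddy:caddy /etc/apache/m23/server.crt /etc/apache/m23/server.key
# 		chmod 644 /m23/data+scripts/packages/baseSys/ca.crt /m23/data+scripts/packages/baseSys/ca.hash
# 
# 	fi


# There is a foreign DHCP server
	# Overwrite the detection of the m23 server's IP by the domain name
		#echo -n "m23.$DOMAIN" > /m23/etc/address.override

	# Save the "original" server IP for later use
		#echo -n "$IP" > /m23/etc/ip.override


# m23 is the DHCP server (files are written without a trailing newline, as before)
	printf '%s' "$IP" > /m23/etc/address.override

# Store m23's subdomain
	printf '%s' "m23.$DOMAIN" > /m23/etc/domain.override

# Get the broadcast address for the IP.
# -F -w: match the IP as a literal whole word, so the dots are not regex wildcards and
# 10.0.0.1 does not also select the line of 10.0.0.10.
	LC_ALL=C /sbin/ifconfig | grep broadcast | grep -F -w -- "$IP" | sed 's/.*broadcast //' | sed 's/[^0-9.]//g' > /m23/etc/broadcast.override

# Get the netmask address for the IP
	LC_ALL=C /sbin/ifconfig | grep netmask | grep -F -w -- "$IP" | sed -e 's/.*netmask //' -e 's/ .*//' > /m23/etc/netmask.override



# Firewall. All rules below are opened for every source address; if the clients live
# on one subnet, `ufw allow from <subnet> to any port ...` would be the tighter form.

# Allow access to Samba's DNS
	ufw allow 53



# Allow access to tftp
	ufw allow tftp



# Allow access to Apt-Cacher-ng
	ufw allow 2323



# Allow Kerberos and LDAP (for join realm)
	ufw allow kerberos
	ufw allow ldap
	ufw allow kdc
	ufw allow kerberos-adm
	ufw allow 749 # kerberos-adm (different port)
	ufw allow kpasswd
	ufw allow 88 # Kerberos
	ufw allow 464 # Kerberos (kpasswd)
	# NOTE(review): 198 was opened twice and labelled "Kerberos", but it is not a
	# Kerberos port (88/464/749 are) — confirm it is still needed, else drop it.
	ufw allow 198
	# LDAPS Global Catalog is 3269; the previous 3629 does not match that service.
	ufw allow 3269 # LDAPS-GC






# Create the Administrator account same as in Libre Workspace
	if ! has_admin Administrator; then
		/m23/bin/m23cli.php addm23Admin Administrator "$ADMIN_PASSWORD"
		log "addm23Admin Administrator"
	fi



# Remove the default god account, if Administrator account is present
	if has_admin Administrator && has_admin god; then
		log "delm23Admin god"
		/m23/bin/m23cli.php delm23Admin god >> "$LOG" 2>&1
	fi



# Make sure tFTP server is started at boot
# (`enable` alone does not start it now; use `enable --now` if that is required)
	systemctl enable tftpd-hpa.service


# Generate an API key and store it (once; an existing key file is never replaced)
	if [[ ! -f /m23/etc/lw.apikey ]]; then
		# Capture first and write only when a key came back; writing an empty file would
		# make this step skip forever on re-runs.
		apikey="$(libre-workspace-add-api-key 'm23' 'linux_client,administrator' '0' | tail -1 | sed 's/.*: //')"
		if [[ -n "$apikey" ]]; then
			# NOTE(review): file mode follows the umask; the key grants the administrator
			# role, so restrict it to the account that reads it (owner/group to confirm).
			printf '%s\n' "$apikey" > /m23/etc/lw.apikey
		else
			log "libre-workspace-add-api-key returned no key; /m23/etc/lw.apikey not written"
		fi
	fi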