#!/bin/bash
# SPDX-License-Identifier: Apache-2.0

set -e
KOJI_WEB_FQDN=$1
DEBUG=
SILENT="-s"
QUIET="-q"
for param in $2 ; do
  if [ $param ] ; then
    case $param in
	    debug )
		    DEBUG="debug" ;;
    esac
  else
	  break
  fi
done

if [ $DEBUG ] ; then
    set -xe
    SILENT=
    QUIET="-v"
fi

# load required parameters
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then
    echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"
    exit 1
fi
source "$SCRIPT_DIR"/koji-parameters.sh

if [[ "$KOJI_WEB_FQDN" != "$(hostname -f)" ]] ; then
    if [[ $DEBUG ]] ; then echo "Deploying remotely to $KOJI_WEB_FQDN" ; fi
    # deploy remotely to $KOJI_WEB_FQDN
    # We make all the changes required on the hub and then re-run this script on $KOJI_WEB_FQDN

    # check that I can conmnect
    if [ ! $(nc -z $KOJI_WEB_FQDN 22 2>&1 | grep succeeded) ] ; then
        echo "I cannot connect to $KOJI_WEB_FQDN! Is it online? "
        echo "Options:"
        echo "- turn on the server"
        echo "- add this server into the /etc/hosts file on this server"
        exit 1
    fi    
    # update hub config files to point at web server
    sed -i 's,KojiWebURL.*,KojiWebURL = http://$KOJI_WEB_FQDN/koji,g' /etc/koji-hub/hub.conf
    sed -i 's,weburl.*,weburl = http://$KOJI_WEB_FQDN/koji,g' /etc/koji.conf
    # check if nfs has been installed on the hub (only need to install once) 
    if [[ -z $(dnf list installed | grep nfs-server) ]] ; then
        # add nfs share for koji files direcory to hub
        curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-server.sh > $SCRIPT_DIR/koji-deploy-nfs-server.sh
        chmod o+x $SCRIPT_DIR/koji-deploy-nfs-server.sh
        koji-deploy-nfs-server.sh $DEBUG
    fi

    # add web server to nfs exports line for /mnt/koji
    sed -i '/^\/mnt\/koji/ s/$/ $KOJI_WEB_FQDN(ro,no_root_squash)/g' /etc/exports
    # generate a hub ssh key if there isn't one already (for scp & ssh to web server)
    if [ ! -f /root/.ssh/id-rsa ] ; then
        # create a ssh key on build server
        mkdir -p ~/.ssh
        ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ""
    fi
    # copy the server key into authorized keys on the web server
    ssh-copy-id -i ~/.ssh/id_rsa.pub $KOJI_WEB_FQDN
    # find the IP of the web server
    WEB_IP=$(ssh root@$KOJI_WEB_FQDN "hostname -I")
    # add web server into allowed access to db
    cat >> "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF
host     koji        koji        $WEB_IP/32       scram-sha-256
EOF
    systemctl reload postgresql
    # copy across the ssl keys
    ssh $QUIET root@$KOJI_WEB_FQDN mkdir -p $KOJI_PKI_DIR/private
    scp $QUIET $KOJI_PKI_DIR/kojiweb.pem root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/.
    scp $QUIET $KOJI_PKI_DIR/kojihub.pem root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/.
    scp $QUIET $KOJI_PKI_DIR/private/kojihub.key root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/private/.
    scp $QUIET $KOJI_PKI_DIR/koji_ca_cert.crt root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/.
    # copy across the parameter files (we built them on the hub)
    ssh $QUIET root@$KOJI_WEB_FQDN mkdir -p $SCRIPT_DIR
    scp $QUIET $SCRIPT_DIR/koji-parameters.sh root@$KOJI_WEB_FQDN:$SCRIPT_DIR/koji-parameters.sh
    # pull down the required scripts
    ssh $QUIET root@$KOJI_WEB_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-client.sh > $SCRIPT_DIR/koji-deploy-nfs-client.sh"
    ssh $QUIET root@$KOJI_WEB_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-web.sh > $SCRIPT_DIR/koji-deploy-web.sh"
    # make them executeable
    ssh $QUIET root@$KOJI_WEB_FQDN "chmod o+x $SCRIPT_DIR/*"
    
    # connect to nfs share
    ssh $QUIET root@$KOJI_WEB_FQDN $SCRIPT_DIR/koji-deploy-nfs-client.sh $DEBUG
    # ssh into the new web server to do the local configuration
    ssh $QUIET root@$KOJI_WEB_FQDN $SCRIPT_DIR/koji-deploy-web.sh $KOJI_WEB_FQDN $DEBUG
    exit 0
fi

# This is the local deploy part
if [[ $DEBUG ]] ; then echo "Deploying locally to $KOJI_WEB_FQDN" ; fi
# Install all the required packages (some live in the epel repo, so we may need to install that too)
if [[ -z $(dnf list installed | grep epel-release) ]] ; then
    dnf config-manager --set-enabled powertools $QUIET
	dnf install -y epel-release $QUIET
fi
dnf install -y mod_ssl koji-web $QUIET

# install locally
# create secret
SECRET="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 32)"
mkdir -p /etc/kojiweb
cat > /etc/kojiweb/web.conf <<- EOF
[web]
SiteName = koji
KojiHubURL = $KOJI_URL/kojihub
KojiFilesURL = $KOJI_URL/kojifiles
WebCert = $KOJI_PKI_DIR/kojiweb.pem
ClientCA = $KOJI_PKI_DIR/koji_ca_cert.crt
KojiHubCA = $KOJI_PKI_DIR/koji_ca_cert.crt
LoginTimeout = 72
Secret = "$SECRET"
LibPath = /usr/share/koji-web/lib
LiteralFooter = True
EOF

if [[ ! -d /etc/httpd/conf.d ]] ; then mkdir -p /etc/httpd/conf.d ; fi
cat > /etc/httpd/conf.d/kojiweb.conf <<- EOF
Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
<Directory "/usr/share/koji-web/scripts">
    Options ExecCGI
    SetHandler wsgi-script
    Require all granted
</Directory>
Alias /koji-static "/usr/share/koji-web/static"
<Directory "/usr/share/koji-web/static">
    Options None
    AllowOverride None
    Require all granted
</Directory>
<Location /koji/login>
    SSLOptions +StdEnvVars
</Location>
EOF


# if NOT on the hub, setup the standard httpd settings
if [[ $KOJI_WEB_FQDN != $KOJI_HUB_FQDN ]] ; then

    ## Apache ssl Configuration File
    cat > /etc/httpd/conf.d/ssl.conf <<- EOF
ServerName $KOJI_WEB_FQDN

Listen 443 https

#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#SSLSessionCache         shmcb:/run/httpd/sslcache(512000)

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
    ErrorLog /var/log/httpd/ssl_error_log
    TransferLog /var/log/httpd/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM

    SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
    SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
    SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
    SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
    SSLVerifyClient require
    SSLVerifyDepth 10

    <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOF

    # SELinux changes to allow httpd network access
    setsebool -P httpd_can_network_connect 1

    mkdir -p /etc/httpd/conf.modules.d
    cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF
WSGISocketPrefix /run/httpd/wsgi
EOF
    cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
EOF

    # allow httpd access through firewall
    firewall-cmd --permanent --add-service=http
    firewall-cmd --permanent --add-service=https
    firewall-cmd --reload

    # enable and start the httpd service
    systemctl enable --now httpd

else
# we need to restart the httpd service
    systemctl restart httpd
fi