#!/bin/sh

version=${2:-39}
name=${1:-fw${version}}
webroot=${3:-${PWD}}
installroot=${4:-/var/lib/machines/${name}}

dnf="dnf --installroot=${installroot} --setopt=cachedir=/var/cache/dnf --releasever=${version} --repo=fedora --repo=updates --setopt=install_weak_deps=False --setopt=keepcache=True"

packages=(
	avahi
	passwd
	fedora-release
	vim-minimal
	util-linux
	systemd
	httpd
	mod_ssl
	mariadb
	mariadb-server
	php-fpm
	php-cli
	php-common
	php-gd
	php-intl
	php-mbstring
	php-mysqlnd
	php-opcache
	php-pdo
	php-pecl-apcu
	php-pecl-zip
	php-process
	php-soap
	php-sodium
	php-xml
	GraphicsMagick
)

if [ "$version" -le "31" ]; then
	echo "Fedora <= v31 is not supported"
	exit;
fi

if [ "$version" -ge "33" ]; then
	packages+=( "systemd-networkd" )
fi

if [ "$version" -ge "35" ]; then
	packages+=( "systemd-resolved" )
fi

sudo machinectl stop $name &>/dev/null && sleep 2

sudo $dnf -y install ${packages[*]}

sudo mkdir -p /etc/systemd/nspawn
echo -ne "[Exec]\nNotifyReady=on\n" | sudo tee /etc/systemd/nspawn/${name}.nspawn > /dev/null
echo -ne "[Files]\nBind=${webroot}:/var/www/html:owneridmap\n" | sudo tee -a /etc/systemd/nspawn/${name}.nspawn > /dev/null

tmpdir=$(mktemp -d "/tmp/${name}-keys.XXX")

mkcert -key-file "$tmpdir/key.pem" -cert-file "$tmpdir/cert.pem" ${name}

sudo chown root:root "$tmpdir/key.pem" "$tmpdir/cert.pem"
sudo mv "$tmpdir/key.pem" "$installroot/etc/pki/tls/private/mkcert-key.pem"
sudo mv "$tmpdir/cert.pem" "$installroot/etc/pki/tls/certs/mkcert-cert.pem"

sudo chown 48:48 "$installroot/var/www/html"

sudo tee "$installroot/etc/httpd/conf.d/ssl.conf" >/dev/null <<\EOF
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateKeyFile /etc/pki/tls/private/mkcert-key.pem
SSLCertificateFile /etc/pki/tls/certs/mkcert-cert.pem
</VirtualHost>
EOF

sudo tee "$installroot/etc/httpd/conf.d/webroot.conf" >/dev/null <<\EOF
<Directory "/var/www/html">
  Options FollowSymLinks
  AllowOverride All
  Require all granted
</Directory>
EOF

sudo machinectl start $name
sudo systemctl -M $name enable systemd-networkd httpd
sudo systemctl -M $name start systemd-networkd
sudo systemctl -M $name start httpd

sudo systemctl -M $name start mariadb

sudo systemctl -M $name enable --now avahi-daemon avahi-cname

sudo mkdir -p $installroot/root
#Enter current password for root (enter for none):
#Switch to unix_socket authentication y
#Change the root password? n
#Remove anonymous users? y
#Disallow root login remotely? y
#Remove test database and access to it? y
#Reload privilege tables now? y
sudo tee "$installroot/root/setup.sh" >/dev/null <<\EOF
#!/bin/sh
ROOT_SQLPASS=$(tr -dc _A-Za-z0-9 < /dev/urandom | head -c16) # Generate a random password
DB_NAME="web"
DB_USER="web"
DB_PASS=$(tr -dc _A-Za-z0-9 < /dev/urandom | head -c16)
DB_HOST="localhost"


cat >/etc/my.cnf.d/charset.cnf <<EOB
[mysqld]
character-set-server = utf8mb4

[client]
default-character-set = utf8mb4
EOB

systemctl restart mariadb

bash -c "echo -e '\ny\nn\ny\ny\ny\ny\n' | mysql_secure_installation"
mysql -Bse "UPDATE mysql.global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD('${ROOT_SQLPASS}')) WHERE User='root'; FLUSH PRIVILEGES;"
echo -e "[client]\nuser=root\npassword=${ROOT_SQLPASS}" > /root/.my.cnf


# TODO
#GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,CREATE TEMPORARY TABLES

mysql <<EOB
CREATE DATABASE $DB_NAME;
GRANT ALL PRIVILEGES
ON $DB_NAME.*
TO $DB_USER@$DB_HOST
IDENTIFIED BY '$DB_PASS';
FLUSH PRIVILEGES;
EOB

MY_CNF=/usr/share/httpd/.my.cnf
cat >$MY_CNF << EOB
[client]
user=$DB_USER
password=$DB_PASS
host=$DB_HOST

[mysql]
database=$DB_NAME
EOB
chmod 600 $MY_CNF
chown apache:apache $MY_CNF

#sed -i -e 's/^#*max_allowed_packet.*/max_allowed_packet=1G/' /etc/mysql/mariadb.conf.d/50-server.cnf
systemctl restart mariadb

sed -i \
  -e 's/^;*date.timezone *=.*/date.timezone = Europe\/Berlin/' \
  -e 's/^;*max_input_vars *=.*/max_input_vars = 3000/' \
  -e 's/^;*max_execution_time *=.*/max_execution_time = 240/' \
  -e 's/^;*memory_limit *=.*/memory_limit = 384M/' \
  -e 's/^;*post_max_size *=.*/post_max_size = 128M/' \
  -e 's/^;*upload_max_filesize *=.*/upload_max_filesize = 128M/' \
  -e 's/^;*opcache.enable_cli *=.*/opcache.enable_cli = 1/' \
  /etc/php.ini
systemctl restart php-fpm

sed -i -e '/^apache:/s/sbin\/nologin/bin\/bash/' /etc/passwd

cat >/etc/systemd/system/avahi-cname.service << EOB
[Unit]
Description=Avahi CNAME publisher
Wants=avahi-daemon.service
After=avahi-daemon.service

[Service]
Type=simple
EnvironmentFile=/root/avahi-hosts
ExecStart=/usr/local/bin/go-avahi-cname cname \$AVAHI_HOSTS

[Install]
WantedBy=multi-user.target
EOB

systemctl enable --now avahi-cname
systemctl enable --now mariadb

EOF
sudo chmod +x "$installroot/root/setup.sh"

cd /tmp/
curl -Ls https://github.com/grishy/go-avahi-cname/releases/download/v2.0.4/go-avahi-cname_v2.0.4_linux_amd64.tar.gz | tar xvzf -

sudo mkdir -p $installroot/root
sudo cp go-avahi-cname "$installroot/usr/local/bin/"
sudo chmod +x "$installroot/usr/local/bin/go-avahi-cname"


echo "AVAHI_HOSTS=example.${name}.local." | sudo tee -a "$installroot/root/avahi-hosts" > /dev/null


sudo machinectl shell $name /root/setup.sh

# needs mymachines in /etc/nsswitch.conf "hosts:" line
xdg-open "https://${name}"

rm -fr "$tmpdir"

#sudo $dnf clean all

sudo du -hs "$installroot"