#!/bin/sh
#
# Alpine Linux installer for Namingo Open Source Registry
#
# This script assumes it is run as root.
#

# --- Utility functions ---

prompt_for_input() {
    read -p "$1: " response
    echo "$response"
}

prompt_for_password() {
    read -s -p "$1: " password
    echo "$password"
}

# Ensure a setting is present (or appended) in a php.ini file
set_php_ini_value() {
    local ini_file=$1
    local key=$2
    local value=$3

    if grep -qE "^\s*;?\s*${key}\s*=" "$ini_file"; then
        sed -i "s|^\s*;*\s*${key}\s*=.*|${key} = ${value}|" "$ini_file"
    else
        echo "${key} = ${value}" >> "$ini_file"
    fi
}

create_openrc_service() {
    local svc_name="$1"
    local cmd_args="$2"
    local init_file="/etc/init.d/${svc_name}"
    cat > "$init_file" <<EOL
#!/sbin/openrc-run
command="/usr/bin/php"
command_args="${cmd_args}"
pidfile="/run/${svc_name}.pid"
name="${svc_name}"
EOL
    chmod +x "$init_file"
    rc-update add "${svc_name}" default
}

# --- Check that we are running on Alpine Linux ---

if [ -e /etc/os-release ]; then
    . /etc/os-release
else
    echo "Cannot detect OS. Exiting."
    exit 1
fi

if [ "$NAME" != "Alpine Linux" ]; then
    echo "This installer only supports Alpine Linux."
    exit 1
fi

# --- Minimum requirements check ---

MIN_RAM_MB=2000
MIN_DISK_GB=10

# (Assumes that the "free" and "df" commands are available.)
AVAILABLE_RAM_MB=$(free -m | awk '/^Mem:/{print $2}')
AVAILABLE_DISK_GB=$(df -BG / | awk 'NR==2 {print $4}' | sed 's/G//')

if [ "$AVAILABLE_RAM_MB" -lt "$MIN_RAM_MB" ]; then
    echo "Error: At least 2GB of RAM is required. Only ${AVAILABLE_RAM_MB}MB available."
    exit 1
fi

if [ "$AVAILABLE_DISK_GB" -lt "$MIN_DISK_GB" ]; then
    echo "Error: At least 10GB free disk space is required. Only ${AVAILABLE_DISK_GB}GB available."
    exit 1
fi

echo "System meets the minimum requirements. Proceeding with installation..."

# --- Prompt for installation details ---

REGISTRY_DOMAIN=$(prompt_for_input "Enter main domain for registry")
YOUR_IPV4_ADDRESS=$(prompt_for_input "Enter your IPv4 address")
YOUR_IPV6_ADDRESS=$(prompt_for_input "Enter your IPv6 address (leave blank if not available)")
YOUR_EMAIL=$(prompt_for_input "Enter your email for TLS")
DB_USER=$(prompt_for_input "Enter database user")
DB_PASSWORD=$(prompt_for_password "Enter database password")
echo ""  # newline after password input
PANEL_EMAIL=$(prompt_for_input "Enter panel admin email")
PANEL_PASSWORD=$(prompt_for_password "Enter panel admin password")
echo ""  # newline after password input
current_user=$(whoami)

# --- Package installation via apk ---

echo "Updating package lists and installing required packages..."
apk update

# Install common packages. (readline gnupg missing)
apk add \
  bash curl caddy gettext icu-data-full git php83-phar gnupg net-tools pv redis unzip wget whois ufw tzdata \
  php83 php83-fpm php83-common php83-curl php83-fileinfo php83-pdo php83-pdo_mysql php83-ctype nano php83-iconv php83-dom php83-gd php83-ftp php83-gmp php83-bcmath php83-mysqli \
  php83-pecl-igbinary php83-imap php83-intl php83-mbstring php83-opcache php83-pecl-redis \
  php83-soap php83-xml \
  php83-pecl-ds php83-pecl-swoole php83-pecl-uuid \
  mariadb mariadb-client

# (Optional) Create the www-data user if it does not exist.
if ! id www-data > /dev/null 2>&1; then
    adduser -D -g "www-data" www-data
fi

# --- Set timezone to UTC ---
echo "Setting timezone to UTC..."
ln -sf /usr/share/zoneinfo/UTC /etc/localtime
echo "UTC" > /etc/timezone

# --- PHP configuration ---
phpIniCli="/etc/php83/php.ini"
phpIniFpm="/etc/php83/php.ini"
phpIniOpcache="/etc/php83/conf.d/10_opcache.ini"

# Update PHP configuration
for ini in "$phpIniCli" "$phpIniFpm"; do
    set_php_ini_value "$ini" "opcache.enable" "1"
    set_php_ini_value "$ini" "opcache.enable_cli" "1"
    set_php_ini_value "$ini" "opcache.jit_buffer_size" "100M"
    set_php_ini_value "$ini" "opcache.jit" "1255"
    set_php_ini_value "$ini" "session.cookie_secure" "1"
    set_php_ini_value "$ini" "session.cookie_httponly" "1"
    set_php_ini_value "$ini" "session.cookie_samesite" "\"Strict\""
    set_php_ini_value "$ini" "session.cookie_domain" "\"${REGISTRY_DOMAIN},cp.${REGISTRY_DOMAIN},whois.${REGISTRY_DOMAIN}\""
    set_php_ini_value "$ini" "memory_limit" "2G"
done

# Update opcache configuration
if [ -f "$phpIniOpcache" ]; then
    set_php_ini_value "$phpIniOpcache" "opcache.jit" "1255"
    set_php_ini_value "$phpIniOpcache" "opcache.jit_buffer_size" "100M"
fi

# Restart PHP-FPM and add to default runlevel
echo "Restarting PHP-FPM..."
rc-service php-fpm83 restart
rc-update add php-fpm83 default

# --- MariaDB setup ---
echo "Setting up MariaDB..."
# Initialize the MariaDB data directory
if [ ! -d /var/lib/mysql/mysql ]; then
    mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
fi

# Start MariaDB and add to default runlevel
rc-service mariadb start
rc-update add mariadb default

echo "Please follow the prompts for secure installation of MariaDB."
#mysql_secure_installation

# Create database user and grant privileges
DB_COMMAND="mariadb"
$DB_COMMAND -u root -e "CREATE USER IF NOT EXISTS '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASSWORD';"
$DB_COMMAND -u root -e "GRANT ALL PRIVILEGES ON registry.* TO '$DB_USER'@'localhost';"
$DB_COMMAND -u root -e "GRANT ALL PRIVILEGES ON registryTransaction.* TO '$DB_USER'@'localhost';"
$DB_COMMAND -u root -e "GRANT ALL PRIVILEGES ON registryAudit.* TO '$DB_USER'@'localhost';"
$DB_COMMAND -u root -e "FLUSH PRIVILEGES;"

# --- Adminer installation ---
echo "Installing Adminer..."
mkdir -p /usr/share/adminer
wget "https://www.adminer.org/latest.php" -O /usr/share/adminer/latest.php
ln -sf /usr/share/adminer/latest.php /usr/share/adminer/adminer.php

# --- Clone registry source code ---
echo "Cloning registry source code..."
git clone --branch v1.0.20 --single-branch https://github.com/getnamingo/registry /opt/registry

# --- Firewall configuration using ufw ---
echo "Configuring firewall rules..."
ufw allow 22/tcp
ufw allow 22/udp
ufw allow 43/tcp
ufw allow 80/tcp
ufw allow 80/udp
ufw allow 443/tcp
ufw allow 443/udp
ufw allow 700/tcp
ufw allow 700/udp
ufw allow 1043/tcp
ufw allow 1043/udp
ufw allow 53/tcp
ufw allow 53/udp

echo "Enabling firewall..."
ufw --force enable

# --- Helper: Generate bind line for Caddy ---
generate_bind_line() {
    local ipv4=$1
    local ipv6=$2
    local bind_line="bind ${ipv4}"
    if [ -n "$ipv6" ]; then
        bind_line="${bind_line} ${ipv6}"
    fi
    echo "$bind_line"
}

BIND_LINE=$(generate_bind_line "$YOUR_IPV4_ADDRESS" "$YOUR_IPV6_ADDRESS")

# --- Caddy configuration ---
echo "Configuring Caddy..."
cat > /etc/caddy/Caddyfile <<EOF
rdap.${REGISTRY_DOMAIN} {
    ${BIND_LINE}
    reverse_proxy localhost:7500
    encode zstd gzip
    file_server
    tls ${YOUR_EMAIL}
    header -Server
    log {
        output file /var/log/namingo/web-rdap.log {
            roll_size 10MB
            roll_keep 5
            roll_keep_days 14
        }
        format json
    }
    header * {
        Referrer-Policy "no-referrer"
        Strict-Transport-Security "max-age=31536000;"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        Content-Security-Policy "default-src 'none'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; img-src https:; font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; form-action 'self'; worker-src 'none'; frame-src 'none';"
        Feature-Policy "accelerometer 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self'; usb 'none';"
        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=()"
        # CORS Headers
        Access-Control-Allow-Origin *
        Access-Control-Allow-Methods "GET, OPTIONS"
        Access-Control-Allow-Headers "Content-Type"
    }
}

whois.${REGISTRY_DOMAIN} {
    ${BIND_LINE}
    root * /var/www/whois
    encode zstd gzip
    php_fastcgi 127.0.0.1:9000
    file_server
    tls ${YOUR_EMAIL}
    header -Server
    log {
        output file /var/log/namingo/web-whois.log {
            roll_size 10MB
            roll_keep 5
            roll_keep_days 14
        }
        format json
    }
    header * {
        Referrer-Policy "no-referrer"
        Strict-Transport-Security "max-age=31536000;"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        Content-Security-Policy "default-src 'none'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; img-src https:; font-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; script-src 'none'; form-action 'self'; worker-src 'none'; frame-src 'none';"
        Feature-Policy "accelerometer 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self'; usb 'none';"
        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=()"
    }
}

cp.${REGISTRY_DOMAIN} {
    ${BIND_LINE}
    root * /var/www/cp/public
    php_fastcgi 127.0.0.1:9000
    encode zstd gzip
    file_server
    tls ${YOUR_EMAIL}
    header -Server
    log {
        output file /var/log/namingo/web-cp.log {
            roll_size 10MB
            roll_keep 5
            roll_keep_days 14
        }
        format json
    }
    # Adminer Configuration
    route /adminer.php* {
        root * /usr/share/adminer
        php_fastcgi 127.0.0.1:9000
    }
    header * {
        Referrer-Policy "same-origin"
        Strict-Transport-Security "max-age=31536000;"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        Content-Security-Policy "default-src 'none'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; img-src https:; font-src 'self'; style-src 'self' 'unsafe-inline' https://rsms.me; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/xlsx/0.18.5/; form-action 'self'; worker-src 'none'; frame-src 'none';"
        Feature-Policy "accelerometer 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self'; usb 'none';"
        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=()"
    }
}
EOF

# Create log directory and adjust permissions
mkdir -p /var/log/namingo
chown -R caddy:caddy /var/log/namingo
touch /var/log/namingo/web-cp.log
chown caddy:caddy /var/log/namingo/web-cp.log
touch /var/log/namingo/web-whois.log
chown caddy:caddy /var/log/namingo/web-whois.log
touch /var/log/namingo/web-rdap.log
chown caddy:caddy /var/log/namingo/web-rdap.log

# Restart Caddy and add to default runlevel
rc-service caddy restart
rc-update add caddy default

# --- Install Control Panel ---
echo "Installing Control Panel..."
mkdir -p /var/www
cp -r /opt/registry/cp /var/www
mv /var/www/cp/env-sample /var/www/cp/.env

echo "Updating control panel configuration..."
sed -i "s|https://cp.example.com|https://cp.${REGISTRY_DOMAIN}|g" /var/www/cp/.env
sed -i "s|example.com|${REGISTRY_DOMAIN}|g" /var/www/cp/.env
sed -i "s/DB_USERNAME=root/DB_USERNAME=${DB_USER}/g" /var/www/cp/.env
sed -i "s/DB_PASSWORD=/DB_PASSWORD=${DB_PASSWORD}/g" /var/www/cp/.env

# --- Install Composer ---
echo "Installing Composer..."
curl -sS https://getcomposer.org/installer -o composer-setup.php
EXPECTED_SIGNATURE="$(wget -q -O - https://composer.github.io/installer.sig)"
ACTUAL_SIGNATURE="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"

if [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]; then
    >&2 echo 'ERROR: Invalid installer signature'
    rm composer-setup.php
    exit 1
fi

php composer-setup.php --quiet
rm composer-setup.php
mv composer.phar /usr/local/bin/composer
echo "Composer installed."

# Install PHP dependencies for the control panel
cd /var/www/cp
COMPOSER_ALLOW_SUPERUSER=1 composer install --no-interaction --quiet

# --- Import the registry database ---
echo "Importing registry database..."
$DB_COMMAND -u "${DB_USER}" -p"${DB_PASSWORD}" < /opt/registry/database/registry.mariadb.sql
echo "SQL import completed."

# --- Install Web WHOIS ---
echo "Installing Web WHOIS..."
mkdir -p /var/www/whois
cd /opt/registry/whois/web
cp -r * /var/www/whois
cd /var/www/whois
COMPOSER_ALLOW_SUPERUSER=1 composer require gregwar/captcha --no-interaction --quiet
mv /var/www/whois/config.php.dist /var/www/whois/config.php
sed -i "s|'whois_url' => '.*'|'whois_url' => 'whois.${REGISTRY_DOMAIN}'|" /var/www/whois/config.php
sed -i "s|'rdap_url' => '.*'|'rdap_url' => 'rdap.${REGISTRY_DOMAIN}'|" /var/www/whois/config.php

echo "Installing WHOIS Server..."
cd /opt/registry/whois/port43
COMPOSER_ALLOW_SUPERUSER=1 composer install --no-interaction --quiet
mv /opt/registry/whois/port43/config.php.dist /opt/registry/whois/port43/config.php
sed -i "s|'db_username' => 'your_username'|'db_username' => '$DB_USER'|g" /opt/registry/whois/port43/config.php
sed -i "s|'db_password' => 'your_password'|'db_password' => '$DB_PASSWORD'|g" /opt/registry/whois/port43/config.php
create_openrc_service "whois" "/opt/registry/whois/port43/start_whois.php"

echo "Installing RDAP Server..."
cd /opt/registry/rdap
COMPOSER_ALLOW_SUPERUSER=1 composer install --no-interaction --quiet
mv /opt/registry/rdap/config.php.dist /opt/registry/rdap/config.php
sed -i "s|'db_username' => 'your_username'|'db_username' => '$DB_USER'|g" /opt/registry/rdap/config.php
sed -i "s|'db_password' => 'your_password'|'db_password' => '$DB_PASSWORD'|g" /opt/registry/rdap/config.php
create_openrc_service "rdap" "/opt/registry/rdap/start_rdap.php"

echo "Installing EPP Server..."
cd /opt/registry/epp
COMPOSER_ALLOW_SUPERUSER=1 composer install --no-interaction --quiet
mv /opt/registry/epp/config.php.dist /opt/registry/epp/config.php
sed -i "s|'db_username' => 'your_username'|'db_username' => '$DB_USER'|g" /opt/registry/epp/config.php
sed -i "s|'db_password' => 'your_password'|'db_password' => '$DB_PASSWORD'|g" /opt/registry/epp/config.php
create_openrc_service "epp" "/opt/registry/epp/start_epp.php"

echo "Installing DAS Server..."
cd /opt/registry/das
COMPOSER_ALLOW_SUPERUSER=1 composer install --no-interaction --quiet
mv /opt/registry/das/config.php.dist /opt/registry/das/config.php
sed -i "s|'db_username' => 'your_username'|'db_username' => '$DB_USER'|g" /opt/registry/das/config.php
sed -i "s|'db_password' => 'your_password'|'db_password' => '$DB_PASSWORD'|g" /opt/registry/das/config.php
create_openrc_service "das" "/opt/registry/das/start_das.php"

echo "Installing Automation Scripts..."
cd /opt/registry/automation
COMPOSER_ALLOW_SUPERUSER=1 composer install --no-interaction --quiet
mv /opt/registry/automation/config.php.dist /opt/registry/automation/config.php
sed -i "s|'db_username' => 'your_username'|'db_username' => '$DB_USER'|g" /opt/registry/automation/config.php
sed -i "s|'db_password' => 'your_password'|'db_password' => '$DB_PASSWORD'|g" /opt/registry/automation/config.php

create_openrc_service "msg_producer" "/opt/registry/automation/msg_producer.php"
create_openrc_service "msg_worker" "/opt/registry/automation/msg_worker.php"

rc-update add redis default
rc-service redis start

# --- Configure control panel admin ---
echo "Configuring control panel admin..."
sed -i "s|\$email = 'admin@example.com';|\$email = '${PANEL_EMAIL}';|g" /var/www/cp/bin/create_admin_user.php
sed -i "s|\$newPW = 'admin_password';|\$newPW = '${PANEL_PASSWORD}';|g" /var/www/cp/bin/create_admin_user.php
php /var/www/cp/bin/create_admin_user.php

echo "Downloading initial data and setting up cache..."
php /var/www/cp/bin/file_cache.php
chown caddy:caddy /var/www/cp/cache

echo -e "Installation complete!\n"
echo -e "Next steps:\n"
echo -e "1. Configure each component by editing their respective configuration files."
echo -e "2. Once configuration is complete, start each service with the following command:\n   rc-service SERVICE_NAME start\n   Replace 'SERVICE_NAME' with the specific service (whois, rdap, epp, das) as needed."
echo -e "3. To initiate the automation system, please refer to the configuration manual.\n"
echo -e "For more detailed information, please consult the accompanying documentation or support resources."