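#!/bin/sh
# Copyright 2022 Felix Freeman
#
# This file is part of "Tienda hacktivista.com" and licensed under the terms of
# the Hacktivista General Public License version 0.1 or (at your option) any
# later version. You should have received a copy of this license along with the
# software. If not, see .

# Automated setup of the "Tienda hacktivista.com" services on a Debian 11
# machine: installs packages, creates a MariaDB database and a system user,
# checks the application out, writes its .env, registers a systemd unit and
# configures nginx (self-signed certificate in development, certbot in
# production).
#
# Must run as root. Not idempotent: the database, the user and the .env entries
# are created unconditionally, so re-running on an already configured host will
# stop at the first failing step or duplicate .env keys.
#
# Environment variables:
# - RACK_ENV: `development` or anything else, which means production.
# - EXT_IP: Address to which bind the domain.
# - ENVIAME_QUOTE_API_KEY: https://enviame.io Quote API key.
# - HAWESE_ENDPOINT: https://git.hackware.cl/hawese-payment endpoint.
# - HACKTIVISTA_COM_NOTIFICATION_EMAILS: Comma-separated emails to which send
#   subscription and purchase notifications, first one is also used for certbot.
# - SMTP_HOST: SMTP host to connect.
# - SMTP_PORT: SMTP port, optional (default: 25).
# - SMTP_SECURITY: `tls` or `starttls`, otherwise no encryption, optional.
# - SMTP_USER: SMTP user, optional.
# - SMTP_PASSWORD: SMTP password, optional.
# - SMTP_FROM: In the format `Name ` or `user@mail`.
#
# You can also set the IDENTIFIER env var to use a different system username
# and HACKTIVISTA_COM_DOMAIN to use a different nginx domain name.
#
# Values are written into .env verbatim between single quotes; a value that
# itself contains a single quote would break both the .profile sourcing and
# the systemd EnvironmentFile.

# Every step depends on the previous one (database before .env, .env before
# the unit, unit before nginx), so stop at the first failure instead of
# leaving a half-configured host behind.
set -e

if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' 'Only can be run as root.' >&2
  exit 1
elif [ "$(cat /etc/issue.net 2>/dev/null)" != "Debian GNU/Linux 11" ]; then
  printf '%s\n' 'This script cowardly refuses to try this outside of Debian 11.' >&2
  printf '%s\n' "\"I'm sorry\", it says, watery-eyed." >&2
  exit 2
fi

# EXT_IP is interpolated into the nginx `listen` directives below; an empty
# value would yield an unloadable configuration, so fail before touching
# anything.
: "${EXT_IP:?EXT_IP must be set to the address nginx binds to}"

IDENTIFIER="${IDENTIFIER:-hacktivista_com}"
export RACK_ENV="${RACK_ENV:-development}"

app_dir="/opt/$IDENTIFIER"
env_file="$app_dir/.env"

# Two statements rather than `apt update && apt install`, so that a failing
# `apt update` is not silently skipped over under `set -e`.
apt update
# sudo is needed by sudou() below and is not guaranteed on a minimal install.
apt install -y nginx mariadb-server ruby-full ruby-bundler pwgen gcc \
  libc6-dev make libmariadb-dev emacs-nox sudo

db_username=$IDENTIFIER
db_database=$IDENTIFIER
# -s: fully random, -c: at least one capital. pwgen without -y emits only
# alphanumerics, so the value is safe inside the single quotes used below.
db_password="$(pwgen -sc 64 1)"

# The password travels through stdin, never through argv, so it does not show
# up in `ps` output.
cat << MYSQL | mysql
CREATE DATABASE $db_database;
CREATE USER '$db_username'@'localhost' IDENTIFIED BY '$db_password';
GRANT ALL PRIVILEGES ON $db_database.* TO '$db_username'@'localhost';
FLUSH PRIVILEGES;
MYSQL

useradd -m -s /bin/sh -k none -d "$app_dir" "$IDENTIFIER"

# Run a command as the service user through its login shell. A function is
# used instead of the original alias because aliases are not expanded in
# non-interactive bash, so the script would break if run with another sh.
sudou() {
  sudo -iu "$IDENTIFIER" "$@"
}

sudou mkdir -p "$app_dir"
cd "$app_dir" || exit 1

if [ -z "$(ls -A)" ]; then
  # -y for consistency with the other installs; without it apt may prompt and
  # abort the unattended run.
  apt install -y git
  sudou git clone https://git.hacktivista.org/hacktivista.com .
fi

if [ -z "$HACKTIVISTA_COM_DOMAIN" ]; then
  if [ "$RACK_ENV" = 'development' ]; then
    HACKTIVISTA_COM_DOMAIN='dev.hacktivista.com'
  else
    HACKTIVISTA_COM_DOMAIN='hacktivista.com'
  fi
fi

# This token authenticates Hawese payment callbacks; use pwgen's fully random
# mode (-s) as for the database password rather than the default
# "pronounceable" mode, which has noticeably less entropy per character.
HACKTIVISTA_COM_PAYMENT_AUTH_TOKEN="$(pwgen -s 64 1)"

# The file is created by tee running as the service user, so it is owned by
# that user; systemd reads it as root via EnvironmentFile.
cat << SH | sudou tee -a "$env_file" 1>/dev/null
RACK_ENV=$RACK_ENV
ENVIAME_QUOTE_API_KEY='$ENVIAME_QUOTE_API_KEY'
HAWESE_ENDPOINT='$HAWESE_ENDPOINT'
HACKTIVISTA_COM_PAYMENT_AUTH_TOKEN='$HACKTIVISTA_COM_PAYMENT_AUTH_TOKEN'
HACKTIVISTA_COM_ENDPOINT='https://$HACKTIVISTA_COM_DOMAIN'
HACKTIVISTA_COM_DATABASE_URL='mysql2://$db_username:$db_password@localhost/$db_database'
HACKTIVISTA_COM_NOTIFICATION_EMAILS='$HACKTIVISTA_COM_NOTIFICATION_EMAILS'
SMTP_HOST='$SMTP_HOST'
SMTP_FROM='$SMTP_FROM'
SH

# Optional env vars: only written when given, so the application's defaults
# apply otherwise. printf instead of echo so that values such as `-n` are
# not interpreted as options.
if [ -n "$SMTP_SECURITY" ]; then
  printf "SMTP_SECURITY='%s'\n" "$SMTP_SECURITY" >> "$env_file"
fi
if [ -n "$SMTP_PORT" ]; then
  printf "SMTP_PORT='%s'\n" "$SMTP_PORT" >> "$env_file"
fi
if [ -n "$SMTP_USER" ]; then
  printf "SMTP_USER='%s'\n" "$SMTP_USER" >> "$env_file"
fi
if [ -n "$SMTP_PASSWORD" ]; then
  printf "SMTP_PASSWORD='%s'\n" "$SMTP_PASSWORD" >> "$env_file"
fi

# .env holds the database password, API keys and possibly the SMTP password;
# tee creates it with the default umask (typically world-readable), so
# restrict it to its owner. root (systemd) can still read it.
chmod 600 "$env_file"

# Export the whole .env into the service user's login shell so that
# `sudo -iu $IDENTIFIER -- bundle exec ...` sees the same configuration as
# the unit.
cat << SH | sudou tee -a "$app_dir/.profile" 1>/dev/null
set -a
. "$env_file"
set +a
SH

sudou bundle config set --local path .bundle/vendor
sudou bundle config set --local cache_path .bundle/cache
if [ "$RACK_ENV" != 'development' ]; then
  sudou bundle config set --local deployment true
fi
sudou bundle install
sudou bundle exec rake migrate

cat << SYSTEMD > "/etc/systemd/system/$IDENTIFIER.service"
[Unit]
Description=Tienda hacktivista.com
After=syslog.target network.target

[Service]
Type=simple
User=$IDENTIFIER
Group=$IDENTIFIER
WorkingDirectory=$app_dir
EnvironmentFile=$env_file
ExecStart=/usr/bin/bundle exec rackup
SyslogIdentifier=$IDENTIFIER

[Install]
WantedBy=default.target
SYSTEMD

systemctl enable --now "$IDENTIFIER"

if [ "$RACK_ENV" != 'development' ]; then
  : "${HACKTIVISTA_COM_NOTIFICATION_EMAILS:?needed for the certbot account email}"
  apt install -y python3-certbot-nginx
  # `%%,*` strips the longest suffix starting at the FIRST comma, i.e. keeps
  # the first address as documented above. The original `%,*` stripped only
  # from the last comma, so with three or more addresses certbot received
  # "a,b" instead of "a".
  certbot certonly --nginx --agree-tos \
    --email "${HACKTIVISTA_COM_NOTIFICATION_EMAILS%%,*}" \
    --no-eff-email -d "$HACKTIVISTA_COM_DOMAIN"
fi

nginx_conf="/etc/nginx/conf.d/$HACKTIVISTA_COM_DOMAIN.conf"

# Escaped `\$` are nginx variables and must survive into the file verbatim.
cat << NGINX > "$nginx_conf"
server {
	listen $EXT_IP:80;
	server_name $HACKTIVISTA_COM_DOMAIN;
	location / {
		return 301 https://\$host\$request_uri;
	}
}

server {
	listen $EXT_IP:443 ssl http2;
	server_name $HACKTIVISTA_COM_DOMAIN;
	access_log /var/log/nginx/$HACKTIVISTA_COM_DOMAIN.access.log;
	error_log /var/log/nginx/$HACKTIVISTA_COM_DOMAIN.error.log;
NGINX

if [ "$RACK_ENV" = 'development' ]; then
  # Self-signed certificate for local use only; browsers will warn.
  openssl req -x509 -nodes -newkey rsa:4096 \
    -keyout "/etc/ssl/private/$HACKTIVISTA_COM_DOMAIN.key" \
    -out "/etc/ssl/certs/$HACKTIVISTA_COM_DOMAIN.crt" \
    -sha256 -days 3650 -subj "/CN=$HACKTIVISTA_COM_DOMAIN"
  cat << NGINX >> "$nginx_conf"
	ssl_certificate /etc/ssl/certs/$HACKTIVISTA_COM_DOMAIN.crt;
	ssl_certificate_key /etc/ssl/private/$HACKTIVISTA_COM_DOMAIN.key;
NGINX
  apt install -y ssl-cert
  printf "\tinclude /etc/nginx/snippets/snakeoil.conf;\n" >> "$nginx_conf"
else
  cat << NGINX >> "$nginx_conf"
	# Certbot certificates
	ssl_certificate /etc/letsencrypt/live/$HACKTIVISTA_COM_DOMAIN/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/$HACKTIVISTA_COM_DOMAIN/privkey.pem;
NGINX
fi

cat << NGINX >> "$nginx_conf"
	root $app_dir/public;
	location ~* ^.+\.(jpg|png|svg|woff2|LICENSE)\$ {
		expires max;
		try_files \$uri =404;
	}
	location / {
		proxy_set_header Host \$http_host;
		proxy_set_header X-Real-IP \$remote_addr;
		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto \$scheme;
		proxy_intercept_errors on;
		recursive_error_pages on;
		proxy_pass http://127.0.0.1:9292/;
		error_page 404 = @static;
	}
	location @static {
		expires -1;
		try_files \$uri \$uri.html \$uri/ =404;
	}
}
NGINX

# A broken configuration aborts the script here (set -e); the payment token
# printed below is then still available in $env_file.
systemctl reload nginx

cat << EOF
All done! consider running
	sudo -iu $IDENTIFIER -- bundle exec rake update_stock
	sudo -iu $IDENTIFIER -- bundle exec rake build_static
	chown -R $IDENTIFIER:www-data $app_dir/public

Remember to set PAYMENT_HACKTIVISTA_COM_ENDPOINT on Hawese, and use the following string as PAYMENT_HACKTIVISTA_COM_AUTH_TOKEN:
$HACKTIVISTA_COM_PAYMENT_AUTH_TOKEN
EOF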