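#!/usr/bin/env bash
# Base provisioning step of the mailwolt installer: installs the mail/web
# stack packages, removes Apache, creates the service users and directories,
# installs the sudoers drop-ins the web app relies on, fixes the MariaDB
# include and locks Redis down to localhost with a generated password.
#
# Requires: root, lib.sh in the current directory providing log/warn and
# APP_USER / APP_GROUP / APP_DIR. REDIS_PASS may be pre-set in the environment.
set -euo pipefail

source ./lib.sh

# Fail early with a clear message instead of an "unbound variable" error
# somewhere in the middle of the run.
: "${APP_USER:?APP_USER nicht gesetzt (lib.sh)}"
: "${APP_GROUP:?APP_GROUP nicht gesetzt (lib.sh)}"
: "${APP_DIR:?APP_DIR nicht gesetzt (lib.sh)}"

SCRIPTS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPTS_DIR

#######################################
# Write a sudoers drop-in from stdin, validate it with visudo and remove it
# again when it does not parse (best effort: an invalid file is logged, not
# fatal, so the rest of the installer still runs).
# Arguments: $1 - destination path below /etc/sudoers.d
# Outputs:   diagnostic on stderr when the file is rejected
# Returns:   0 (write failures abort via set -e)
#######################################
install_sudoers_dropin() {
  local path=$1
  # Create the file with its final ownership/mode before writing any content,
  # so it is never readable by others under the default umask.
  install -m 0440 -o root -g root /dev/null "$path"
  cat > "$path"
  if ! visudo -c -f "$path" >/dev/null 2>&1; then
    printf '[!] Ungültiger sudoers-Eintrag in %s – entferne Datei.\n' "$path" >&2
    rm -f -- "$path"
  fi
  return 0
}

# Strip CRLF line endings from every installer script (checkouts made on
# Windows); best effort, never fatal.
find "$SCRIPTS_DIR/.." -type f -name '*.sh' -exec sed -i 's/\r$//' {} + || true

log "Pakete installieren …"
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
# Minimal but complete package set; keep already present config files.
apt-get -y -o Dpkg::Options::="--force-confdef" \
  -o Dpkg::Options::="--force-confold" install \
  postfix postfix-mysql dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql \
  mariadb-server mariadb-client redis-server rspamd opendkim opendkim-tools opendmarc clamav \
  clamav-daemon nginx php php-fpm php-cli php-mbstring php-xml php-curl php-zip php-mysql \
  php-redis php-gd unzip curl composer git certbot python3-certbot-nginx fail2ban ca-certificates \
  rsyslog sudo openssl monit acl netcat-openbsd

# Remove Apache completely (nginx is the only web server on this host).
systemctl disable --now apache2 >/dev/null 2>&1 || true
apt-get -y purge 'apache2*' >/dev/null 2>&1 || true
apt-get -y autoremove >/dev/null 2>&1 || true

log "Systemuser/Dirs …"
id vmail >/dev/null 2>&1 || adduser --system --group --home /var/mail vmail
id "$APP_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$APP_USER"

# Groups and permissions for the Maildir tree and Dovecot access:
# vmail gets "mail" as primary group and "dovecot" as supplementary group.
usermod -g mail -a -G dovecot vmail || true
# The app user joins its own group plus mail/dovecot so the web app can reach
# the mail store. NOTE(review): membership in "mail" combined with the g+rx
# below gives the app user read access to every mailbox on this host.
usermod -a -G "$APP_GROUP" "$APP_USER" || true
usermod -a -G mail,dovecot "$APP_USER" || true
# Make the Maildir tree readable for group mail. The tree may not exist yet at
# this point (it is created by a later step), hence best effort.
chgrp -R mail /var/mail/vhosts || true
chmod -R g+rx /var/mail/vhosts || true
# Default ACLs so newly created directories inherit matching permissions.
setfacl -R -m g:mail:rx /var/mail/vhosts || true
setfacl -dR -m g:mail:rx /var/mail/vhosts || true

install -d -m 0755 -o root -g root /var/www
install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR"

# sudoers drop-in for DKIM key management from the web app.
# NOTE(review): "/usr/bin/test *" as root lets the web user probe the
# existence and mode of any path on the system; narrow it to the paths the
# app actually checks if possible.
SUDOERS_DKIM="/etc/sudoers.d/mailwolt-dkim"
install_sudoers_dropin "${SUDOERS_DKIM}" <<'EOF'
Defaults!/usr/local/sbin/mailwolt-install-dkim !requiretty
Defaults!/usr/local/sbin/mailwolt-remove-dkim !requiretty
Defaults!/usr/bin/systemctl !requiretty
Defaults!/usr/bin/test !requiretty
www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim *
www-data ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim *
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl reload opendkim
www-data ALL=(root) NOPASSWD: /usr/bin/test *
mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim *
mailwolt ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim *
mailwolt ALL=(root) NOPASSWD: /usr/bin/systemctl reload opendkim
mailwolt ALL=(root) NOPASSWD: /usr/bin/test *
EOF

# sudoers drop-in so the web app can query mailbox status as vmail.
SUDOERS_DOVEADM="/etc/sudoers.d/mailwolt-doveadm"
install_sudoers_dropin "${SUDOERS_DOVEADM}" <<'EOF'
Cmnd_Alias MW_DOVEADM_STATUS = /usr/bin/doveadm -f tab mailbox status -u * messages INBOX, \
    /usr/bin/doveadm mailbox status -u * messages INBOX
www-data ALL=(vmail) NOPASSWD: MW_DOVEADM_STATUS
mailwolt ALL=(vmail) NOPASSWD: MW_DOVEADM_STATUS
EOF

log "MariaDB include-fix …"
mkdir -p /etc/mysql/mariadb.conf.d
[[ -f /etc/mysql/mariadb.cnf ]] || echo '!include /etc/mysql/mariadb.conf.d/*.cnf' > /etc/mysql/mariadb.cnf

log "Redis absichern …"
if [[ -z "${REDIS_PASS:-}" || "${REDIS_PASS}" == "changeme" ]]; then
  REDIS_PASS="$(openssl rand -hex 16)"
  export REDIS_PASS
  log "Neues Redis-Passwort generiert."
fi

# Resolve the config file the systemd unit actually starts with
# (fallback: the Debian default path).
REDIS_CONF="$(systemctl show -p ExecStart redis-server \
  | sed -n 's/^ExecStart=.*redis-server[[:space:]]\+\([^[:space:]]\+\).*/\1/p')" || REDIS_CONF=""
# The extraction can yield an empty string or a non-path token; only accept
# an existing regular file, otherwise the sed -i calls below would fail.
[[ -n "$REDIS_CONF" && -f "$REDIS_CONF" ]] || REDIS_CONF="/etc/redis/redis.conf"

# Force localhost-only binding and protected mode: rewrite commented or active
# directives and append them when the config has none at all.
sed -i 's/^[[:space:]]*#\?[[:space:]]*bind .*/bind 127.0.0.1/' "$REDIS_CONF"
grep -q '^bind ' "$REDIS_CONF" || printf '\nbind 127.0.0.1\n' >> "$REDIS_CONF"
sed -i 's/^[[:space:]]*#\?[[:space:]]*protected-mode .*/protected-mode yes/' "$REDIS_CONF"
grep -q '^protected-mode ' "$REDIS_CONF" || printf 'protected-mode yes\n' >> "$REDIS_CONF"
# Drop every previous requirepass line (commented or not), then write ours.
sed -i '/^[[:space:]]*#\?[[:space:]]*requirepass[[:space:]]\+/d' "$REDIS_CONF"
printf '\nrequirepass %s\n' "${REDIS_PASS}" >> "$REDIS_CONF"

# Enable and restart the service so the new settings take effect.
systemctl enable --now redis-server
systemctl restart redis-server || true

# Persist the password for later steps (80-app.sh reads it). Create the file
# with its final 0600 mode before writing so the secret is never briefly
# world-readable under the default umask.
install -d -m 0755 /etc/mailwolt
install -m 0600 -o root -g root /dev/null /etc/mailwolt/installer.env
printf 'REDIS_PASS=%s\n' "${REDIS_PASS}" > /etc/mailwolt/installer.env

# Sanity check (log only, no hard exit). The password is passed via
# REDISCLI_AUTH instead of -a so it does not appear in the process list.
if REDISCLI_AUTH="${REDIS_PASS}" redis-cli ping 2>/dev/null | grep -q PONG; then
  log "Redis mit Passwort OK."
else
  warn "Redis PING mit Passwort fehlgeschlagen – bitte ${REDIS_CONF} prüfen."
fi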