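#!/usr/bin/env bash
#
# Rspamd + OpenDKIM setup for the mail host.
#
# What this script does:
#   * writes the Rspamd controller (127.0.0.1:11334, hashed password) and the
#     milter-facing rspamd_proxy worker (127.0.0.1:11332) into /etc/rspamd/local.d
#   * lays out /etc/opendkim (TrustedHosts, KeyTable, SigningTable, key dir),
#     optionally generates the DKIM key, and writes /etc/opendkim.conf
#     (milter on 127.0.0.1:8891)
#   * hooks both milters into Postfix only when smtpd_milters /
#     non_smtpd_milters are still unset, so an existing Postfix setup survives
#
# Inputs (environment; /etc/mailwolt/installer.env is sourced first if present):
#   BASE_DOMAIN                 domain to sign mail for      (default: example.com)
#   DKIM_SELECTOR               DKIM selector                (default: mwl1)
#   DKIM_GENERATE               1 = create the private key if it is missing (default: 0)
#   RSPAMD_CONTROLLER_PASSWORD  controller password; if unset, a random one is
#                               generated and kept in /etc/mailwolt/rspamd-controller.pass
set -euo pipefail
source ./lib.sh

log "Rspamd + OpenDKIM einrichten …"

# Abort with a message on stderr; used for hard preconditions only.
die_setup() {
  printf '[!] %s\n' "$*" >&2
  exit 1
}

# ---------------------------
# Variables / defaults
# ---------------------------
INSTALLER_ENV="/etc/mailwolt/installer.env"
PASS_FILE="/etc/mailwolt/rspamd-controller.pass"

# Sourcing executes the file as root, so only accept it when it is owned by
# root and not writable by group/others — otherwise anyone who can write it
# gets code execution in this installer.
if [[ -f "${INSTALLER_ENV}" ]]; then
  env_stat="$(stat -c '%U %a' "${INSTALLER_ENV}" 2>/dev/null || true)"
  if [[ "${env_stat%% *}" == "root" && "${env_stat##* }" =~ ^[0-7]?[0-7][0145][0145]$ ]]; then
    set +u
    # shellcheck disable=SC1090
    . "${INSTALLER_ENV}"
    set -u
  else
    log "[!] ${INSTALLER_ENV} wird ignoriert: muss root gehören und darf nicht group/world-writable sein (ist: ${env_stat:-unlesbar})"
  fi
fi

BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
DKIM_GENERATE="${DKIM_GENERATE:-0}"   # 1 = generate the key if it is missing

# Both values end up in file system paths and in OpenDKIM's table files;
# restrict them to DNS-label characters so a stray "/", ".." or whitespace
# cannot escape /etc/opendkim/keys or corrupt the tables.
label_re='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
domain_re="^${label_re}(\\.${label_re})*\$"
selector_re="^${label_re}\$"
[[ "${BASE_DOMAIN}" =~ $domain_re ]] \
  || die_setup "BASE_DOMAIN ist kein gültiger Hostname: ${BASE_DOMAIN}"
[[ "${DKIM_SELECTOR}" =~ $selector_re ]] \
  || die_setup "DKIM_SELECTOR ist kein gültiges DNS-Label: ${DKIM_SELECTOR}"

# Controller password: never fall back to a shared default such as "admin" —
# the controller is only bound to loopback, but every local account could
# still reach it.  Reuse a previously generated password across re-runs,
# otherwise generate one and store it root-only next to installer.env.
if [[ -z "${RSPAMD_CONTROLLER_PASSWORD:-}" ]]; then
  if [[ -s "${PASS_FILE}" ]]; then
    RSPAMD_CONTROLLER_PASSWORD="$(<"${PASS_FILE}")"
  else
    # cut (not head) consumes the whole pipe, so no SIGPIPE trips pipefail.
    RSPAMD_CONTROLLER_PASSWORD="$(head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-32)"
    [[ -d /etc/mailwolt ]] || install -d -m 0750 /etc/mailwolt
    ( umask 077 && printf '%s\n' "${RSPAMD_CONTROLLER_PASSWORD}" >"${PASS_FILE}" )
    log "[i] Rspamd-Controller-Passwort erzeugt und in ${PASS_FILE} abgelegt (Mode 600)"
  fi
fi

# ---------------------------
# Rspamd: controller + milter
# ---------------------------
install -d -m 0755 /etc/rspamd/local.d

# rspamadm ships with rspamd, so its absence means rspamd itself is missing;
# abort rather than write the plaintext password into the config as a fallback.
command -v rspamadm >/dev/null 2>&1 \
  || die_setup "rspamadm nicht gefunden – ist das Paket rspamd installiert?"
# NOTE: -p places the password on the command line, briefly visible in `ps`
# to other local users while rspamadm runs.
RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"

CONTROLLER_INC="/etc/rspamd/local.d/worker-controller.inc"
cat >"${CONTROLLER_INC}" <<CONF
password = "${RSPAMD_HASH}";
bind_socket = "127.0.0.1:11334";
CONF
# Keep the hash readable only by root and the rspamd service account.  The
# group name is distribution-specific (_rspamd on Debian/Ubuntu and RHEL-family
# packages); if it cannot be found, leave the file world-readable — it holds a
# hash, not the password — rather than lock rspamd out of its own config.
if getent group _rspamd >/dev/null 2>&1; then
  chown root:_rspamd "${CONTROLLER_INC}"
  chmod 0640 "${CONTROLLER_INC}"
else
  chmod 0644 "${CONTROLLER_INC}"
fi

# Postfix speaks the milter protocol to rspamd's *proxy* worker (11332).  The
# "normal" worker (default 11333) speaks the rspamd protocol only, so pointing
# it at 11332 both breaks the milter and collides with the stock proxy bind.
cat >/etc/rspamd/local.d/worker-proxy.inc <<'CONF'
bind_socket = "127.0.0.1:11332";
milter = yes;
upstream "local" {
  default = yes;
  self_scan = yes;
}
CONF
# Pin the scanner worker to loopback on its own port (overwrites the wrong
# 11332 binding left by earlier runs).
cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
bind_socket = "127.0.0.1:11333";
CONF

# Emit Authentication-Results headers (handy for debugging).
cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
use = ["authentication-results"];
header = "Authentication-Results";
CONF

systemctl enable --now rspamd || true

# ---------------------------
# OpenDKIM base setup
# ---------------------------
# Config lives root-owned and group-readable so a compromised opendkim process
# cannot rewrite its own signing tables; only the key directory belongs to the
# service account (an external key manager may write there, see the hint below).
install -d /etc/opendkim /etc/opendkim/keys
chown root:opendkim /etc/opendkim
chmod 0755 /etc/opendkim
chown opendkim:opendkim /etc/opendkim/keys
chmod 0750 /etc/opendkim/keys

# TrustedHosts: who may submit mail for signing (InternalHosts) and whose
# existing signatures are not verified (ExternalIgnoreList).
cat >/etc/opendkim/TrustedHosts <<'CONF'
127.0.0.1
::1
localhost
CONF
chown root:opendkim /etc/opendkim/TrustedHosts
chmod 0640 /etc/opendkim/TrustedHosts

# Key / signing tables
KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}"
KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"

# Generate the key on request.  Ownership/mode of the private key are hard
# requirements, not best-effort: a readable signing key is a forgeable domain.
if [[ "${DKIM_GENERATE}" == "1" && ! -s "${KEY_PRIV}" ]]; then
  command -v opendkim-genkey >/dev/null 2>&1 \
    || die_setup "DKIM_GENERATE=1, aber opendkim-genkey fehlt (Debian/Ubuntu: opendkim-tools)"
  # opendkim-genkey writes <selector>.private and <selector>.txt into KEY_DIR
  opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}"
  chown opendkim:opendkim "${KEY_PRIV}"
  chmod 0600 "${KEY_PRIV}"
  log "[i] DKIM-Key erzeugt; DNS-TXT-Record siehe ${KEY_DIR}/${DKIM_SELECTOR}.txt"
fi

# NOTE(review): the two table bodies below follow OpenDKIM's documented
# formats; the original listing lost them — confirm against the upstream file.
# KeyTable: <key name> <domain>:<selector>:<private key>; the key name is also
# the DNS name of the public record.
cat >/etc/opendkim/KeyTable <<CONF
${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN} ${BASE_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
CONF
# SigningTable (refile:, glob patterns): sign every sender at BASE_DOMAIN.
cat >/etc/opendkim/SigningTable <<CONF
*@${BASE_DOMAIN} ${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN}
CONF
chown root:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
chmod 0640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable

# Main config: sign (s) and verify (v) on the loopback milter socket.  All
# On-* actions are "accept" so a missing key or bad signature never blocks
# mail flow — verification results are only logged (LogWhy).
cat >/etc/opendkim.conf <<'CONF'
Syslog yes
UMask 002
Mode sv
Socket inet:8891@127.0.0.1
Canonicalization relaxed/simple

# Do not block mail when something is missing
On-BadSignature accept
On-Default accept
On-KeyNotFound accept
On-NoSignature accept

LogWhy yes
OversignHeaders From

# Tables / lists
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts

UserID opendkim:opendkim
AutoRestart yes
AutoRestartRate 10/1h
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
CONF

systemctl enable --now opendkim || true
systemctl restart opendkim || true
systemctl restart rspamd || true

# ---------------------------
# Postfix: add milters only if not configured yet (never overwrite)
# ---------------------------
# The Postfix script normally sets these already; this is only a safety net.
# milter_default_action is deliberately left at Postfix's default (tempfail),
# so mail is deferred rather than passed unscanned when a milter is down.

# True when the Postfix parameter $1 is unset/empty.
need_set() {
  local key="$1"
  local cur
  cur="$(postconf -h "$key" 2>/dev/null || true)"
  [[ -z "$cur" ]]
}

if need_set smtpd_milters; then
  /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
fi
if need_set non_smtpd_milters; then
  /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
fi
systemctl reload postfix || true

# ---------------------------
# Hints (informational)
# ---------------------------
if [[ ! -s "${KEY_PRIV}" ]]; then
  echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}"
  echo "    - Wenn deine App die Keys verwaltet, lege die Private-Key-Datei genau dort ab"
  echo "      (Owner: opendkim:opendkim, Mode: 600) und passe ggf. DKIM_SELECTOR/BASE_DOMAIN an."
  echo "    - Oder setze DKIM_GENERATE=1 und starte dieses Skript erneut, um einen Key zu erzeugen."
fi

echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden."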