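#!/usr/bin/env bash
#
# Install and configure OpenDMARC, then enable or disable the service
# according to OPENDMARC_ENABLE (default: 1).
#
# Reads:  /etc/mailwolt/installer.env (optional; may set OPENDMARC_ENABLE)
# Writes: /etc/opendmarc/ignore.hosts
#         /etc/opendmarc.conf
#         /etc/systemd/system/opendmarc.service.d/override.conf
#         /run/mailwolt.need-apply-milters (marker file)
# Needs:  ./lib.sh providing log(); must run with enough privilege to
#         write the paths above and to call apt-get and systemctl.
set -euo pipefail

source ./lib.sh

log "OpenDMARC installieren/konfigurieren …"

# Load installer flags. nounset is relaxed while sourcing because the env
# file may reference variables that are not set.
# NOTE(review): the file is executed as shell code with this script's
# privileges, so it should be owned by root and not writable by group or
# others. This script does not verify that.
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u

OPENDMARC_ENABLE="${OPENDMARC_ENABLE:-1}"

# Make sure the package is present.
if ! dpkg -s opendmarc >/dev/null 2>&1; then
  apt-get update -qq
  apt-get install -y opendmarc
fi

# Config and runtime directories.
install -d -m 0755 /etc/opendmarc
install -d -m 0755 /run/opendmarc

# IgnoreHosts: mail from these clients is not DMARC-evaluated, so the list
# is kept to loopback only.
cat >/etc/opendmarc/ignore.hosts <<'EOF'
127.0.0.1
::1
localhost
EOF
chmod 0644 /etc/opendmarc/ignore.hosts

# Main configuration.
# - TrustedAuthservIDs: OpenDMARC accepts Authentication-Results headers that
#   carry this ID as its SPF/DKIM input. NOTE(review): confirm that an earlier
#   stage of the milter chain strips inbound headers already carrying the
#   "mailwolt" ID, otherwise a sender could supply its own results.
# - RejectFailures false: DMARC failures are only recorded, never rejected
#   here; any enforcement has to happen elsewhere in the mail path.
# - Socket: no UMask is set, so the socket mode comes from the daemon's
#   default. NOTE(review): check that only the MTA can connect to it.
cat >/etc/opendmarc.conf <<'EOF'
AuthservID mailwolt
TrustedAuthservIDs mailwolt
IgnoreHosts /etc/opendmarc/ignore.hosts
Syslog true
SoftwareHeader true
Socket local:/run/opendmarc/opendmarc.sock
RejectFailures false
EOF
chmod 0644 /etc/opendmarc.conf

# systemd drop-in so /run/opendmarc is recreated on every start (/run does
# not survive a reboot).
install -d -m 0755 /etc/systemd/system/opendmarc.service.d
cat >/etc/systemd/system/opendmarc.service.d/override.conf <<'EOF'
[Service]
RuntimeDirectory=opendmarc
RuntimeDirectoryMode=0755
EOF

systemctl daemon-reload

# Service state according to the flag.
if [[ "$OPENDMARC_ENABLE" = "1" ]]; then
  # "enable --now" leaves an already running daemon untouched, so a service
  # started by the package install or by an earlier run would keep its old
  # configuration and socket path. Restart explicitly; restart also starts a
  # stopped unit.
  systemctl enable opendmarc
  systemctl restart opendmarc
else
  # Best effort: the unit may already be stopped or disabled.
  systemctl disable --now opendmarc || true
fi

# Marker file signalling that the Postfix milter chain (Rspamd + OpenDKIM +
# optional OpenDMARC) has to be re-applied; the marker is consumed outside
# this script.
touch /run/mailwolt.need-apply-milters || true

log "[✓] OpenDMARC (ENABLE=${OPENDMARC_ENABLE}) bereit."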