#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh

MAIL_SSL_DIR="/etc/ssl/mail"
MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"

log "Dovecot konfigurieren…"

cat > /etc/dovecot/dovecot.conf <<'CONF'
!include_try /etc/dovecot/conf.d/*.conf
CONF

cat > /etc/dovecot/conf.d/10-mail.conf <<'CONF'
protocols = imap pop3 lmtp
mail_location = maildir:/var/mail/vhosts/%d/%n

namespace inbox {
  inbox = yes
}

mail_privileged_group = mail
CONF

cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include_try auth-sql.conf.ext
CONF

cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
driver = mysql
connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
default_pass_scheme = BLF-CRYPT
password_query = SELECT email AS user, password_hash AS password FROM mail_users WHERE email = '%u' AND is_active = 1 LIMIT 1;
CONF
chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext; chmod 640 /etc/dovecot/dovecot-sql.conf.ext

cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
CONF
chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext; chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext

cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
service imap-login {
  inet_listener imap  { port = 143 }
  inet_listener imaps { port = 993; ssl = yes }
}
service pop3-login {
  inet_listener pop3  { port = 110 }
  inet_listener pop3s { port = 995; ssl = yes }
}
CONF

DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
  sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
else
  echo "ssl_cert = <${MAIL_CERT}" >> "$DOVECOT_SSL_CONF"
fi
if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
  sed -i "s|^\s*ssl_key\s*=.*|ssl_key  = <${MAIL_KEY}|" "$DOVECOT_SSL_CONF"
else
  echo "ssl_key  = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
fi

mkdir -p /var/spool/postfix/private
chown postfix:postfix /var/spool/postfix /var/spool/postfix/private
chmod 0755 /var/spool/postfix /var/spool/postfix/private

systemctl enable dovecot >/dev/null 2>&1 || true