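#!/bin/bash
# Debian maintainer script (postinst, judging by the cargo-deb sections below).
# It prepares web/FTP/DNS working directories, opens the firewall ports the
# services listen on, fetches a few third-party tools, creates service accounts
# and finally enables/starts the packaged systemd units.
#
# Runs as root. Third-party downloads are best-effort: a failed download is
# reported on stderr and never aborts the installation.
set -e

#######################################
# Download a URL to a destination path without ever leaving a partial or
# error-page file in place of the real one.
# Arguments: $1 - https URL, $2 - destination path, $3 - file mode
# Returns:   0 on success, 1 if the download failed or produced no data
#######################################
fetch_file() {
  local url=$1 dest=$2 mode=$3 tmp
  # Temp file lives next to the destination so the final mv is an atomic rename.
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  # --fail: an HTTP error must not be saved as if it were the payload.
  # --proto '=https': refuse any non-TLS transport.
  if curl --fail --proto '=https' --connect-timeout 5 --max-time 200 \
      -o "$tmp" "$url" \
    && [ -s "$tmp" ] \
    && chmod "$mode" "$tmp" \
    && mv -f -- "$tmp" "$dest"; then
    return 0
  fi
  rm -f -- "$tmp"
  return 1
}

#######################################
# Download and unpack the ionCube loaders into /usr/local/ioncube.
# The directory only appears once extraction succeeded, so a failed attempt
# is retried on the next run instead of leaving an empty directory behind.
# Returns: 0 on success, 1 on any failure
#######################################
install_ioncube() {
  local archive staging
  # Random name instead of a fixed /tmp path: root must not write to a
  # location another local user could pre-create or symlink.
  archive=$(mktemp) || return 1
  staging=$(mktemp -d /usr/local/ioncube.XXXXXX) || {
    rm -f -- "$archive"
    return 1
  }
  # --no-same-owner/--no-same-permissions: do not let the archive dictate
  # file ownership or mode bits when extracting as root.
  if curl --fail --proto '=https' --connect-timeout 5 --max-time 200 \
      -o "$archive" \
      https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz \
    && tar --strip-components=1 --no-same-owner --no-same-permissions \
      -C "$staging" -xf "$archive" \
    && chmod 755 "$staging" \
    && mv -- "$staging" /usr/local/ioncube; then
    rm -f -- "$archive"
    return 0
  fi
  rm -rf -- "${archive:?}" "${staging:?}"
  return 1
}

# --- Working directories ------------------------------------------------------

mkdir -p /var/www
chmod 711 /var/www
mkdir -p /var/www/acme-challenge
chmod 711 /var/www/acme-challenge

mkdir -p /etc/modsecurity.d/owasp/
touch /etc/modsecurity.d/owasp/crs-setup.conf
touch /etc/modsecurity.d/modsec.conf

mkdir -p /var/local/enhance/apache/vhosts
chmod 700 /var/local/enhance/apache
chmod 700 /var/local/enhance/apache/vhosts
mkdir -p /var/local/enhance/apache/vhost_includes
chmod 700 /var/local/enhance/apache/vhost_includes
mkdir -p /var/local/enhance/nginx/vhost_includes
chmod 700 /var/local/enhance/nginx/vhost_includes

# --- Firewall -----------------------------------------------------------------

# allow forwarding in ufw
ufw default allow FORWARD
ufw allow ssh
ufw allow 50000/tcp
ufw allow http
ufw allow https
# For QUIC
ufw allow 443/udp
ufw allow ftp
ufw allow ftps
ufw allow imap
ufw allow imaps
ufw allow pop3
ufw allow pop3s
ufw allow 53/tcp
ufw allow 53/udp
ufw allow 587/tcp
ufw allow 25/tcp
ufw allow 465/tcp
# NOTE(review): 3306 is the default MySQL/MariaDB port and this rule has no
# source restriction and no protocol, so it is reachable from any address over
# TCP and UDP. Confirm that remote database access from anywhere is intended.
ufw allow 3306
# filerd
ufw allow 50003
ufw allow 50004
# passive ftp
ufw allow 30000:31000/tcp
# control panel on IP
ufw allow 2087
# --force answers the confirmation prompt non-interactively.
ufw --force enable

# in case something else externally disabled ufw on boot
systemctl enable ufw || true

systemctl unmask appd || true
systemctl enable appd
systemctl unmask srs_milter || true
systemctl unmask orchd || true

# --- Third-party tools --------------------------------------------------------
# NOTE(review): these artifacts are fetched unpinned ("latest") and are not
# checked against a known digest or signature before being installed as
# executables. Pinning a version and verifying a digest shipped inside this
# package (<EXPECTED_SHA256 placeholder>) would close that supply-chain gap.

echo "Downloading wp-cli with curl"
fetch_file https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar \
  /usr/bin/wp-cli 755 \
  || echo "warning: wp-cli download failed, keeping any existing copy" >&2
rm -f /usr/bin/wp || true
ln -s /usr/bin/wp-cli /usr/bin/wp || true

if [ ! -f /usr/bin/php ]; then
  ln -s /opt/ecp-php81/bin/php /usr/bin/php || true
fi

if [ ! -d /usr/local/ioncube ]; then
  echo "Downloading ioncube loader"
  install_ioncube \
    || echo "warning: ioncube loader download failed, will retry on next run" >&2
fi

if ! COMPOSER_ALLOW_SUPERUSER=1 /usr/bin/composer --help >/dev/null 2>&1; then
  echo "Downloading PHP composer"
  fetch_file https://getcomposer.org/download/latest-stable/composer.phar \
    /usr/bin/composer 755 \
    || echo "warning: composer download failed" >&2
fi

echo "Installing wp-cli SSO package"
/usr/bin/install-wp-cli-login.sh || true

# --- pure-ftpd ----------------------------------------------------------------

mkdir -p /etc/pure-ftpd/auth
if [ ! -f /etc/pure-ftpd/auth/PureDB ]; then
  ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/PureDB || true
fi

# NOTE(review): in pure-ftpd, TLS=1 accepts both encrypted and cleartext
# sessions; TLS=2 refuses cleartext logins. Confirm that allowing cleartext
# FTP credentials is intended.
echo 1 > /etc/pure-ftpd/conf/TLS

PURE_FTPD_CERT_PATH="/etc/ssl/private/pure-ftpd.pem"

# Check if the certificate already exists
if [ ! -f "$PURE_FTPD_CERT_PATH" ]; then
  # Generate the self-signed certificate and key in one PEM file.
  # The file holds an unencrypted private key (-nodes), so it is created under
  # a restrictive umask and pinned to 0600 afterwards.
  (
    umask 077
    openssl req -x509 -nodes -newkey rsa:2048 \
      -keyout "$PURE_FTPD_CERT_PATH" -out "$PURE_FTPD_CERT_PATH" -days 3650 \
      -subj "/C=US/ST=pure-ftpd/L=pure-ftpd/O=pure-ftpd/OU=pure-ftpd/CN=pure-ftpd"
  )
  chmod 600 "$PURE_FTPD_CERT_PATH"
  echo "Self-signed certificate generated for pure-ftpd at $PURE_FTPD_CERT_PATH"
else
  echo "Certificate already exists at $PURE_FTPD_CERT_PATH"
fi

touch /etc/pure-ftpd/pureftpd.pdb
rm -f /etc/pure-ftpd/auth/70pam /etc/pure-ftpd/auth/65unix
chmod 700 /etc/pure-ftpd

# --- Service accounts ---------------------------------------------------------
# $quiet is not assigned anywhere in this script; it expands to nothing unless
# the caller's environment provides it. Left unquoted so an empty value adds no
# argument.

if ! getent passwd screenshot > /dev/null; then
  # NOTE(review): this system account gets an interactive shell (/bin/bash),
  # unlike wpcache below. Confirm the screenshot service needs one.
  # shellcheck disable=SC2086
  adduser --system $quiet --home /home/screenshot --shell /bin/bash --group --gecos "screenshot user" screenshot
fi

if ! getent passwd wpcache > /dev/null; then
  # shellcheck disable=SC2086
  adduser --system $quiet --home /var/wpcache --shell /sbin/nologin --group --gecos "wp cache user" wpcache
  chmod 755 /var/wpcache
fi

mkdir -p /var/local/enhance/screenshots
chmod 700 /var/local/enhance/screenshots

mkdir -p /var/local/enhance/dns
chmod 700 /var/local/enhance/dns

mkdir -p /var/nginx_cache

# Automatically added by cargo-deb
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# This will only remove masks created by d-s-h on package removal.
	deb-systemd-helper unmask appcd.service >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled appcd.service; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable appcd.service >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state appcd.service >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by cargo-deb
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# This will only remove masks created by d-s-h on package removal.
	deb-systemd-helper unmask appd.service >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled appd.service; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable appd.service >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state appd.service >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by cargo-deb
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# This will only remove masks created by d-s-h on package removal.
	deb-systemd-helper unmask screenshotd.service >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled screenshotd.service; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable screenshotd.service >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state screenshotd.service >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by cargo-deb
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	# This will only remove masks created by d-s-h on package removal.
	deb-systemd-helper unmask srs_milter.service >/dev/null || true

	# was-enabled defaults to true, so new installations run enable.
	if deb-systemd-helper --quiet was-enabled srs_milter.service; then
		# Enables the unit on first installation, creates new
		# symlinks on upgrades if the unit file has changed.
		deb-systemd-helper enable srs_milter.service >/dev/null || true
	else
		# Update the statefile to add new symlinks (if any), which need to be
		# cleaned up on purge. Also remove old symlinks.
		deb-systemd-helper update-state srs_milter.service >/dev/null || true
	fi
fi
# End automatically added section
# Automatically added by cargo-deb
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
	if [ -d /run/systemd/system ]; then
		systemctl --system daemon-reload >/dev/null || true
		# A non-empty $2 selects restart, an empty one selects start.
		if [ -n "$2" ]; then
			_dh_action=restart
		else
			_dh_action=start
		fi
		deb-systemd-invoke $_dh_action appcd.service appd.service screenshotd.service srs_milter.service >/dev/null || true
	fi
fi
# End automatically added section

exit 0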