#!/bin/bash

PURPLE='\033[35m'
ORANGE='\033[33m'
BOLD='\033[1m'
RESET='\033[0m'

install_pkg() {
    pkg="$1"
    if ! command -v "$pkg" &> /dev/null; then
        apt install -y "$pkg"
        echo -e "${PURPLE}${BOLD}${pkg} installed${RESET}"
    fi
}

get_username() {
    if [[ -z "$username" ]]; then
        username=$(getent passwd 1000 | cut -d: -f1)
    fi
}

echo -e "${PURPLE}${BOLD}Deployment Debian + Caddy + Directus + Nuxt${RESET}"

if [ "$EUID" -ne 0 ]; then
  echo "Please run as root"
  exit
fi

#
# USER
#
echo -e "${PURPLE}${BOLD}Create a user ? (y/N) ${RESET}"
read answer
if [[ "$answer" == "y" ]]; then
    echo -e "${PURPLE}${BOLD}Create user${RESET}"

    read -p "Enter username: " username

    if id "$username" &>/dev/null; then
        echo "User '$username' already exists."
        exit 1
    fi

    echo -e "${ORANGE}${BOLD}Generate and store the password somewhere safe${RESET}"
    read -s -p "Enter password: " password
    echo
    useradd -m "$username"
    chsh -s /bin/bash $username
    echo "$username:$password" | chpasswd

    usermod -aG sudo $username

    echo -e "${PURPLE}${BOLD}User '$username' created with password successfully.${RESET}"
fi

#
# SSH
#
echo -e "${PURPLE}${BOLD}Setup SSH ? (y/N) ${RESET}"
read answer
if [[ "$answer" == "y" ]]; then
    echo -e "${PURPLE}${BOLD}Setup SSH${RESET}"

    touch /etc/ssh/sshd_config.d/custom.conf
    echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/custom.conf
    echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config.d/custom.conf
    systemctl reload ssh
fi

#
# FIREWALL AND FAIL2BAN
#
echo -e "${PURPLE}${BOLD}Setup Firewall and Fail2ban ? (y/N) ${RESET}"
read answer
if [[ "$answer" == "y" ]]; then
    echo -e "${PURPLE}${BOLD}Setup Firewall and Fail2ban${RESET}"
    apt install -y ufw fail2ban
    systemctl enable fail2ban
    ufw allow ssh
    ufw allow http
    ufw allow https
fi

#
# TODO : ZABBIX AND URBACKUP
#

echo -e "${PURPLE}${BOLD}TODO : Zabbix and Urbackup${RESET}"

#
# CADDY
#
echo -e "${PURPLE}${BOLD}Install Caddy webserver ? (y/N) ${RESET}"
read answer
if [[ "$answer" == "y" ]]; then
    echo -e "${PURPLE}${BOLD}Install Caddy Webserver${RESET}"
    apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
    apt update
    apt install -y caddy
    > /etc/caddy/Caddyfile
fi

#
# MARIADB
#

echo -e "${PURPLE}${BOLD}Install MariaDB ? (y/N) ${RESET}"
read answer
if [[ "$answer" == "y" ]]; then
    apt install -y mariadb-server
    echo -e "${ORANGE}${BOLD}Generate and store the password somewhere safe${RESET}"
    echo -e "${PURPLE}${BOLD}Enter the MariaDB root password : ${RESET}"
    read -s db_root_password
    echo
    install_pkg expect
    SECURE_MYSQL=$(expect -c "
        set timeout 3
        spawn mysql_secure_installation
        expect \"Enter current password for root (enter for none):\"
        send \"\r\"
        expect \"Switch to unix_socket authentication \\[Y/n\\]\"
        send \"n\r\"
        expect \"Change the root password? \\[Y/n\\]\"
        send \"y\r\"
        expect \"New password:\"
        send \"$db_root_password\r\"
        expect \"Re-enter new password:\"
        send \"$db_root_password\r\"
        expect \"Remove anonymous users?\"
        send \"y\r\"
        expect \"Disallow root login remotely?\"
        send \"y\r\"
        expect \"Remove test database and access to it?\"
        send \"y\r\"
        expect \"Reload privilege tables now?\"
        send \"y\r\"
        expect eof
    ")
    echo "${SECURE_MYSQL}"
    # https://gist.github.com/coderua/5592d95970038944d099
fi

#
# DIRECTUS DB
#

echo -e "${PURPLE}${BOLD}Setup Directus database ? (y/N) ${RESET}"
read answer
if [[ "$answer" == "y" ]]; then
    echo -e "${ORANGE}${BOLD}Generate and store the password somewhere safe${RESET}"
    echo -e "${PURPLE}${BOLD}Enter the MariaDB Directus password : ${RESET}"
    read -s db_directus_password
    echo
    if [[ -z "$db_root_password" ]]; then
        echo -e "${PURPLE}${BOLD}Enter the MariaDB root password : ${RESET}"
        read -s db_root_password
        echo
    fi
    install_pkg expect
    CREATE_DIRECTUS_DB=$(expect -c "
        spawn mariadb -u root -p
        expect \"Enter password:\"
        send \"$db_root_password\r\"
        expect \"mysql>\"
        send \"CREATE USER 'directus'@'localhost' IDENTIFIED BY '${db_directus_password}';\r\"
        send \"CREATE DATABASE directus;\r\"
        send \"GRANT ALL PRIVILEGES ON directus.* TO 'directus'@'localhost' IDENTIFIED BY '${db_directus_password}';\r\"
        send \"FLUSH PRIVILEGES;\r\"
        expect \"mysql>\"
        send \"quit;\r\"
        expect eof
    ")
    echo "${CREATE_DIRECTUS_DB}" >& /dev/null
    echo -e "${PURPLE}${BOLD}Directus database created${RESET}"
fi

#
# NODE
#

echo -e "${PURPLE}${BOLD}Install Node ? (y/N) ${RESET}"
read answer
if [[ "$answer" == "y" ]]; then
    get_username
    su -c 'curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash &&\
    export NVM_DIR="$HOME/.nvm" &&\
    [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" &&\
    [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion" &&\
    nvm install v18' $username 
    ln -sf /home/$username/.nvm/versions/node/v18.19.1/bin/node /usr/bin/node
    ln -sf /home/$username/.nvm/versions/node/v18.19.1/bin/npm /usr/bin/npm
    ln -sf /home/$username/.nvm/versions/node/v18.19.1/bin/npx /usr/bin/npx
    echo -e "${PURPLE}${BOLD}Node installed${RESET}";
fi

#
# SET THE URL
#

echo -e "${PURPLE}${BOLD}Enter the domain name of the website${RESET}"
read domain_name
ip=$(hostname -I)
if [[ "${ip: -1}" == " " ]]; then
    ip="${ip%?}"
fi
echo -e "${PURPLE}${BOLD}Configure the ${domain_name} DNS ZONE as the following${RESET}"
echo -e "${PURPLE}Domain : ${domain_name} | Type : A | Target : ${ip}${RESET}"
echo -e "${PURPLE}Domain : cms.${domain_name} | Type : A | Target : ${ip}${RESET}"
echo -e "${PURPLE}Domain : www.${domain_name} | Type : A | Target : ${ip}${RESET}"
echo -e "${PURPLE}${BOLD}Press any key when done${RESET}"
read

#
# DIRECTUS
#

echo -e "${PURPLE}${BOLD}Install Directus ? (y/N) ${RESET}"
read answer
if [[ "$answer" == "y" ]]; then
    install_pkg tmux
    get_username

    if [[ -z "$db_directus_password" ]]; then
        echo -e "${PURPLE}${BOLD}Enter the MariaDB Directus password : ${RESET}"
        read -s db_directus_password
        echo
    fi

    echo -e "${ORANGE}${BOLD}Generate and store the credentials somewhere safe${RESET}"
    echo -e "${PURPLE}${BOLD}Enter the Directus admin email : ${RESET}"
    read directus_admin_email
    echo -e "${PURPLE}${BOLD}Enter the Directus admin password : ${RESET}"
    read -s directus_admin_password

    cms_folder="cms_${domain_name}"
    env_file="${cms_folder}/.env"
    port=8055

    key=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    secret=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')

    su -c "cd &&\
    mkdir ${cms_folder} &&\
    mkdir ${cms_folder}/uploads &&\
    echo \"HOST='${ip}'\" >> ${env_file} &&\
    echo \"PORT=${port}\" >> ${env_file} &&\
    echo \"PUBLIC_URL='https://cms.${domain_name}'\" >> ${env_file} &&\
    echo \"DB_CLIENT='mysql'\" >> ${env_file} &&\
    echo \"DB_HOST='127.0.0.1'\" >> ${env_file} &&\
    echo \"DB_PORT='3306'\" >> ${env_file} &&\
    echo \"DB_DATABASE='directus'\" >> ${env_file} &&\
    echo \"DB_USER='directus'\" >> ${env_file} &&\
    echo \"DB_PASSWORD='${db_directus_password}'\" >> ${env_file} &&\
    echo \"SECRET='${secret}'\" >> ${env_file} &&\
    echo \"KEY='${key}'\" >> ${env_file} &&\
    cd ${cms_folder} &&\
    npm init -y &&\
    npx directus bootstrap --skipAdminInit" $username

    session="directus"
    su -c "tmux new-session -d -s ${session} &&\
    tmux send-keys -t ${session} \"cd /home/${username}/${cms_folder} && npx directus start\" C-m" $username

    su -c "cd /home/${username}/${cms_folder} &&\
    npx directus roles create --role Administrator --admin true &&\
    npx directus roles create --role Website &&\
    npx directus roles create --role User" $username

    admin_role_uuid=$(echo $(mariadb -u directus -p${db_directus_password} \
    -e "SELECT id FROM directus.directus_roles WHERE name='Administrator'") | awk '{print $2}')
    website_role_uuid=$(echo $(mariadb -u directus -p${db_directus_password} \
    -e "SELECT id FROM directus.directus_roles WHERE name='Website'") | awk '{print $2}')
    user_role_uuid=$(echo $(mariadb -u directus -p${db_directus_password} \
    -e "SELECT id FROM directus.directus_roles WHERE name='User'") | awk '{print $2}')
    

    su -c "cd /home/${username}/${cms_folder} &&\
    npx directus users create --email \"${directus_admin_email}\" \
    --password \"${directus_admin_password}\" --role \"${admin_role_uuid}\" &&\
    npx directus users create --email \"website@${domain_name}\" --password 'website' --role \"${website_role_uuid}\"" $username

    website_token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mariadb -u directus -p${db_directus_password} -e "UPDATE directus.directus_roles SET icon='robot' WHERE name='Website'";
    mariadb -u directus -p${db_directus_password} -e "UPDATE directus.directus_roles SET app_access='0' WHERE name='Website'";
    mariadb -u directus -p${db_directus_password} -e "UPDATE directus.directus_users SET token='${website_token}' WHERE email='website'";

    caddyfile="/etc/caddy/Caddyfile"
    echo "cms.${domain_name} {" >> $caddyfile
    echo "reverse_proxy ${ip}:${port}" >> $caddyfile
    echo "}" >> $caddyfile
    caddy fmt $caddyfile -w
    caddy reload -c $caddyfile
fi

# TODO
# REMOVE EXPECT AT THE END IF IT IS INSTALLED
# CREATE AN ASSETS FOLDER WITH THE DIRECTUS ENV
# LOGING DE TOUT