#!/bin/bash
#
# Roundcube Service

PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
get_appvars

config_roundcube() {
  echo -ne "\n* Configuring roundcube container.."

  if [ ! -d "/federated/apps/roundcube" ]; then
    mkdir -p /federated/apps/roundcube/data/var/www/html
  fi

cat > /federated/apps/roundcube/docker-compose.yml <<EOF
version: "3.7"
services:
  roundcube:
    image: roundcube/roundcubemail:\${IMAGE_VERSION}
    container_name: roundcube
    hostname: roundcube.$DOMAIN
    domainname: $DOMAIN
    restart: always
    networks:
      federated:
        ipv4_address: 172.99.0.47
    extra_hosts:
      - "authelia.$DOMAIN:$EXTERNALIP"
    env_file:
      - ./.env
    volumes:
      - ./data/var/www/html:/var/www/html
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.roundcube.rule=Host(\`roundcube.$DOMAIN\`,\`webmail.$DOMAIN\`)"
      - "traefik.http.routers.roundcube.entrypoints=websecure"
      - "traefik.http.routers.roundcube.tls.certresolver=letsencrypt"

networks:
  federated:
    external: true
EOF

ROUNDCUBE_SECRET=$(create_password);

cat > /federated/apps/roundcube/.env <<EOF
IMAGE_VERSION="1.6.8-apache"
ROUNDCUBEMAIL_DB_TYPE=mysql
ROUNDCUBEMAIL_DB_HOST=pdnsmysql.$DOMAIN
ROUNDCUBEMAIL_DB_USER=roundcube
ROUNDCUBEMAIL_DB_NAME=roundcube
ROUNDCUBEMAIL_DB_PASSWORD=$ROUNDCUBE_SECRET
ROUNDCUBEMAIL_SKIN=elastic
ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.$DOMAIN
ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.$DOMAIN
ROUNDCUBEMAIL_USERNAME_DOMAIN=$DOMAIN
ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE=4G
EOF
chmod 600 /federated/apps/roundcube/.env

# Create database and user in mysql
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD -e 'create database roundcube;'" &> /dev/null
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD -e \"CREATE USER 'roundcube'@'%' IDENTIFIED BY '$ROUNDCUBE_SECRET';\"" &> /dev/null
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD -e \"grant all privileges on roundcube.* to 'roundcube'@'%';\"" &> /dev/null
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD -e 'flush privileges;'" &> /dev/null
 
echo -ne "done.\n"
}
start_roundcube() {
  # Start service with command to make sure it's up before proceeding
  start_service "roundcube" "nc -z 172.99.0.47 80 &> /dev/null" "7"

  docker exec pdns pdnsutil add-record $DOMAIN roundcube A 86400 $EXTERNALIP &> /dev/null
  [ $? -ne 0 ] && fail "Couldn't add dns record for roundcube"
  docker exec pdns pdnsutil add-record $DOMAIN webmail A 86400 $EXTERNALIP &> /dev/null
  [ $? -ne 0 ] && fail "Couldn't add dns record for roundcube"

  kill -9 $SPINPID &> /dev/null
  echo -ne "done.\n"
}
email_roundcube() {
  echo -ne "* Sending email to customer.."
  spin &
  SPINPID=$!

cat > /federated/apps/mail/data/root/certs/mailfile <<EOF
<html>
<img src="https://www.federated.computer/wp-content/uploads/2023/11/logo.png" alt="" /><br>
<p>
<h4>Roundcube is now installed on $DOMAIN</h4>
<p>
Dear Customer,<br>
<br>
We'd like to introduce you to "Roundcube", a free and open source webmail solution with a desktop-like user interface. You can find "Roundcube" at <a href="https://roundcube.$DOMAIN">https://roundcube.$DOMAIN</a>
and also on your Dashboard <a href="https://dashboard.$DOMAIN">https://dashboard.$DOMAIN</a> as a new application.
<br>
<br>
This is only one of a number of big changes you'll be seeing from Federated Computer in the coming months to improve and enhance your Federated Core. Thank you for being a customer!
<br>
<br>
Best,
<br>
Federated Computer
<p>
</html>
EOF

  # Send out e-mail from mail container with details
  docker exec mail bash -c "mail -r admin@$DOMAIN -a \"Content-type: text/html\" -s \"Application installed on $DOMAIN\" $EMAIL < /root/certs/mailfile"
  rm /federated/apps/mail/data/root/certs/mailfile

  kill -9 $SPINPID &> /dev/null
  echo -ne "done.\n"
}
uninstall_roundcube() {
  echo -ne "* Uninstalling roundcube container.."
  spin &
  SPINPID=$!

  # First stop the service
  cd /federated/apps/roundcube && docker-compose -f docker-compose.yml -p roundcube down &> /dev/null

  # Delete database and user
  docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD -e 'drop database roundcube;'" &> /dev/null
  docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD -e 'drop user roundcube;'" &> /dev/null

  # Delete the app directory
  rm -rf /federated/apps/roundcube

  # Delete the image
  docker image rm roundcube/roundcubemail:$IMAGE_VERSION &> /dev/null

  # Delete the DNS record
  docker exec pdns pdnsutil delete-rrset $DOMAIN roundcube A
  docker exec pdns pdnsutil delete-rrset $DOMAIN webmail A

  # Uninstall the SSO configuration if it exists in authelia (authelia must exist too)
  if [[ $(grep "### Roundcube" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]]; then
    sed -i '/### Roundcube/,/### /{/### PowerDNS/!{/### /!d}}' /federated/apps/authelia/data/config/idproviders.yml
    sed -i '/### Roundcube/d' /federated/apps/authelia/data/config/idproviders.yml
    /federated/bin/stop authelia
    /federated/bin/start authelia
  fi

  kill -9 $SPINPID &> /dev/null
  echo -ne "done.\n"
}
configsso_roundcube() {
  [ ! -d "/federated/apps/authelia" ] && failcheck "Authelia is not installed. You need this first before continuing."
  [ ! -f "/federated/apps/authelia/data/config/idproviders.yml" ] && failcheck "Authelia idproviders.yml is missing."
  [[ $(grep "### Roundcube" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]] && failcheck "Authelia already has a Roundcube configuration."

  ROUNDCUBE_CLIENT_SECRET=$(create_password);
  ROUNDCUBE_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $ROUNDCUBE_CLIENT_SECRET | awk '{ print $2 }')

cat >> /federated/apps/authelia/data/config/idproviders.yml <<EOF
     ### Roundcube
      - client_id: 'roundcube'
        client_name: 'Roundcube'
        client_secret: $ROUNDCUBE_CLIENT_SECRET_HASH
        consent_mode: 'implicit'
        public: false
        authorization_policy: 'one_factor'
        redirect_uris:
          - https://roundcube.$DOMAIN/index.php/login/oauth
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
EOF

  # Restart Authelia for changes to take the above configuration
  /federated/bin/stop authelia
  /federated/bin/start authelia

  # Add in extra hosts config
  [[ ! $(grep extra_hosts /federated/apps/roundcube/docker-compose.yml 2>/dev/null) ]] && sed -i "/restart: always/a  \    extra_hosts:\n\      - \"authelia.$DOMAIN:$EXTERNALIP\"" /federated/apps/roundcube/docker-compose.yml
  [[ ! $(grep extra_hosts /federated/apps/mail/docker-compose.yml 2>/dev/null) ]] && sed -i "/restart: always/a  \    extra_hosts:\n\      - \"authelia.$DOMAIN:$EXTERNALIP\"" /federated/apps/mail/docker-compose.yml

sed -i "/?php/a \    \$config['oauth_provider'] = 'generic'; \n\
    \$config['oauth_provider_name'] = 'Authelia'; \n\
    \$config['oauth_client_id'] = 'roundcube'; \n\
    \$config['oauth_client_secret'] = '$ROUNDCUBE_CLIENT_SECRET'; \n\
    \$config['oauth_auth_uri'] = 'https://authelia.$DOMAIN/api/oidc/authorization'; \n\
    \$config['oauth_token_uri'] = 'https://authelia.$DOMAIN/api/oidc/token'; \n\
    \$config['oauth_identity_uri'] = 'https://authelia.$DOMAIN/api/oidc/userinfo'; \n\
    \$config['oauth_identity_fields'] = ['email']; \n\
    \$config['oauth_verify_peer'] = false; \n\
    \$config['use_https'] = true; \n\
    \$config['oauth_scope'] = 'email openid profile'; \n\
    \$config['oauth_login_redirect'] = false;"  /federated/apps/roundcube/data/var/www/html/config/config.inc.php

# Disable Spamassasin, enable Rspamd, and insert OAUTH2 configuration in mail server
sed -i "s/ENABLE_SPAMASSASSIN=.*/ENABLE_SPAMASSASSIN=0/g" /federated/apps/mail/.env
sed -i "s/ENABLE_SPAMASSASSIN_KAM=.*/#ENABLE_SPAMASSASSIN_KAM=0/g" /federated/apps/mail/.env
sed -i "s/SPAMASSASSIN_SPAM_TO_INBOX=.*/#SPAMASSASSIN_SPAM_TO_INBOX=0/g" /federated/apps/mail/.env
sed -i "s/ENABLE_AMAVIS=.*/ENABLE_AMAVIS=0/g" /federated/apps/mail/.env
sed -i "s/ENABLE_CLAMAV=.*/ENABLE_CLAMAV=1/g" /federated/apps/mail/.env
sed -i "s/ENABLE_POSTGREY=.*/ENABLE_POSTGREY=0/g" /federated/apps/mail/.env
sed -i "/ENABLE_POSTGREY=0/a  \ENABLE_RSPAMD=1\nRSPAMD_GREYLISTING=1\nENABLE_AMAVIS=0" /federated/apps/mail/.env
sed -i "/LOG_LEVEL=debug/a  \ENABLE_OAUTH2=1\nOAUTH2_INTROSPECTION_URL=https://roundcube:$ROUNDCUBE_CLIENT_SECRET@authelia.$DOMAIN/api/oidc/introspection\nOAUTH2_USERNAME_ATTRIBUTE=username\nOAUTH2_INTROSPECTION_MODE=post" /federated/apps/mail/.env

cat > /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
EOF

#[[ ! -d "/federated/apps/mail/data/etc/dovecot/conf.d" ]] && mkdir /federated/apps/mail/data/etc/dovecot/conf.d
cat > /federated/apps/mail/data/etc/dovecot/conf.d/95-roundcube.conf <<'EOF'
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
EOF

[[ ! $(grep 95-roundcube.conf /federated/apps/mail/docker-compose.yml 2>/dev/null) ]] && sed -i "/volumes:/a  \      - ./data/etc/dovecot/conf.d/95-roundcube.conf:/etc/dovecot/conf.d/95-roundcube.conf" /federated/apps/mail/docker-compose.yml

  /federated/bin/stop roundcube
  /federated/bin/start roundcube
  /federated/bin/stop mail
  /federated/bin/start mail
}