#!/bin/bash
#
# Authelia Service

PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
get_appvars

config_authelia() {
  echo -ne "\n* Configuring /federated/apps/authelia container.."

  if [ ! -d "/federated/apps/authelia" ]; then
    mkdir -p /federated/apps/authelia/data/config
    mkdir -p /federated/apps/authelia/data/secrets
  fi

cat > /federated/apps/authelia/docker-compose.yml <<EOF
version: '3.7'

services:
  authelia:
    image: authelia/authelia:\${IMAGE_VERSION}
    container_name: authelia
    hostname: authelia.$DOMAIN
    restart: always
    networks:
      core:
        ipv4_address: 192.168.0.42
    env_file:
      - ./.env
    volumes:
      - ./data/config:/config
      - ./data/secrets:/secrets
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(\`authelia.$DOMAIN\`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.$DOMAIN:9091/api/authz/forward-auth"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

networks:
  core:
    external: true
EOF

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/JWT_SECRET 
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/SESSION_SECRET 
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/STORAGE_ENCRYPTION_KEY
echo "$LDAP_SECRET" > /federated/apps/authelia/data/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
echo "$ADMINPASS" > /federated/apps/authelia/data/secrets/NOTIFIER_SMTP_PASSWORD
openssl genrsa -out /federated/apps/authelia/data/secrets/private.pem 4096
openssl rsa -in /federated/apps/authelia/data/secrets/private.pem -outform PEM -pubout -out /federated/apps/authelia/data/secrets/public.pem
POWERDNS_CLIENT_SECRET=$(create_password);
POWERDNS_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $POWERDNS_CLIENT_SECRET | awk '{ print $2 }')
[[ -d "/federated/apps/pdnsmysql/data/var/lib/mysql/pdnsadmin" ]] && POWERDNS_DB="pdnsadmin" || POWERDNS_DB="pdns"
NEXTCLOUD_CLIENT_SECRET=$(create_password);
NEXTCLOUD_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $NEXTCLOUD_CLIENT_SECRET | awk '{ print $2 }')

cat > /federated/apps/authelia/.env <<EOF
IMAGE_VERSION=4.38.8
X_AUTHELIA_CONFIG_FILTERS=template
X_AUTHELIA_CONFIG=/config/configuration.yml,/config/idproviders.yml
AUTHELIA_TOTP_ISSUER=$DOMAIN
AUTHELIA_WEBAUTHN_DISPLAY_NAME=home
AUTHELIA_NOTIFIER_SMTP_ADDRESS=submission://mail.$DOMAIN:587
AUTHELIA_NOTIFIER_SMTP_USERNAME=$SMTPUSER
AUTHELIA_NOTIFIER_SMTP_SENDER="Authelia <authelia@$DOMAIN>"
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS=ldaps://ldap.$DOMAIN
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER=cn=admin,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/secrets/JWT_SECRET
AUTHELIA_SESSION_SECRET_FILE=/secrets/SESSION_SECRET
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/secrets/STORAGE_ENCRYPTION_KEY
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/secrets/NOTIFIER_SMTP_PASSWORD
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
EOF
chmod 600 /federated/apps/authelia/.env

cat > /federated/apps/authelia/data/config/configuration.yml <<EOF
---
theme: auto
default_2fa_method: totp
server:
  address: tcp://0.0.0.0:9091/
log:
  level: info
totp:
  disable: false
  issuer: 'authelia.$DOMAIN'
  algorithm: sha1
  digits: 6
  period: 45
  skew: 1
  secret_size: 32
webauthn:
  disable: false
  timeout: 60s
  attestation_conveyance_preference: indirect
  user_verification: preferred
authentication_backend:
  password_reset:
    disable: false
  refresh_interval: 5m
  ldap:
    implementation: custom
    timeout: 5s
    start_tls: false
    attributes:
      username: mail
      display_name: uid
      group_name: gidNumber
      mail: mail
    additional_users_dn: ou=people
    users_filter: "(&({username_attribute}={input})(objectClass=person))"
    additional_groups_dn: ou=groups
    groups_filter: "(member={dn})"
password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: false
access_control:
  default_policy: one_factor
session:
  name: 'authelia_session'
  same_site: 'lax'
  inactivity: '5m'
  expiration: '1h'
  remember_me: '1M'
  cookies:
    - domain: '$DOMAIN'
      authelia_url: 'https://authelia.$DOMAIN'
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
storage:
  local:
    path: /config/db.sqlite3
notifier:
  disable_startup_check: false
EOF

cat > /federated/apps/authelia/data/config/idproviders.yml <<EOF
identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/secrets/private.pem" | mindent 10 "|" | msquote }}
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      ### PowerDNS
      - client_id: 'powerdns'
        client_name: 'PowerDNS Admin'
        client_secret: $POWERDNS_CLIENT_SECRET_HASH
        consent_mode: 'implicit'
        public: false
        authorization_policy: 'one_factor'
        redirect_uris:
          - 'https://powerdns.$DOMAIN/oidc/authorized'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        userinfo_signed_response_alg: 'none'
EOF

# Insert PowerDNS configuration because we need an initial
# config for Authelia to run
PDNS_MYSQL_COMMAND1="insert into setting (name, value) values (\"oidc_oauth_enabled\", \"True\");insert into setting (name, value) values (\"oidc_oauth_key\", \"powerdns\");"
PDNS_MYSQL_COMMAND2="insert into setting (name, value) values (\"oidc_oauth_scope\", \"openid profile groups email\");insert into setting (name, value) values (\"oidc_oauth_api_url\", \"https://authelia.$DOMAIN/api/oidc/userinfo\");"
PDNS_MYSQL_COMMAND3="insert into setting (name, value) values (\"oidc_oauth_auto_configure\", \"True\");insert into setting (name, value) values (\"oidc_oauth_metadata_url\", \"https://authelia.$DOMAIN/.well-known/openid-configuration\");"
PDNS_MYSQL_COMMAND4="insert into setting (name, value) values (\"oidc_oauth_token_url\", \"\");insert into setting (name, value) values (\"oidc_oauth_authorize_url\", \"\");"
PDNS_MYSQL_COMMAND5="insert into setting (name, value) values (\"oidc_oauth_logout_url\", \"https://authelia.$DOMAIN/logout\");insert into setting (name, value) values (\"oidc_oauth_username\", \"preferred_username\");"
PDNS_MYSQL_COMMAND6="insert into setting (name, value) values (\"oidc_oauth_email\", \"email\");insert into setting (name, value) values (\"oidc_oauth_firstname\", \"preferred_username\");"
PDNS_MYSQL_COMMAND7="insert into setting (name, value) values (\"oidc_oauth_last_name\", \"name\");insert into setting (name, value) values (\"oidc_oauth_account_name_property\", \"preferred_username\");"
PDNS_MYSQL_COMMAND8="insert into setting (name, value) values (\"oidc_oauth_account_description_property\", \"name\");insert into setting (name, value) values (\"oidc_oauth_secret\", \"$POWERDNS_CLIENT_SECRET\");"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND1;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND2;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND3;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND4;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND5;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND6;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND7;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND8;'"
 
echo -ne "done."
}
start_authelia() {
  # Start service with command to make sure it's up before proceeding
  start_service "authelia" "nc -z 192.168.0.42 9091 &> /dev/null" "7"

  docker exec pdns pdnsutil add-record $DOMAIN authelia A 86400 $EXTERNALIP &> /dev/null
  [ $? -ne 0 ] && fail "Couldn't add dns record for authelia"

  # If extra_hosts doesn't exist then insert extra_host configuration in pdnsadmin
  [[ ! $(grep extra_hosts /federated/apps/pdnsadmin/docker-compose.yml 2>/dev/null) ]] && sed -i "/192.168.0.12/a  \    extra_hosts:\n\      - \"authelia.$DOMAIN:$EXTERNALIP\"" /federated/apps/pdnsadmin/docker-compose.yml

  # Stop and start pdnsadmin for internal dns externalhosts to work
  /federated/bin/stop pdnsadmin
  /federated/bin/start pdnsadmin

  echo -ne "done."
}
uninstall_authelia() {
  echo -ne "* Uninstalling authelia container.."
  spin &
  SPINPID=$!

  # First stop the service
  cd /federated/apps/authelia && docker-compose -f docker-compose.yml -p authelia down &> /dev/null

  # Delete the entries in the settings table
  [[ -d "/federated/apps/pdnsmysql/data/var/lib/mysql/pdnsadmin" ]] && POWERDNS_DB="pdnsadmin" || POWERDNS_DB="pdns"
  docker exec pdnsmysql mysql -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e "delete from setting where name like '%oidc_oauth%';"

  # Delete the app directory
  rm -rf /federated/apps/authelia

  # Delete the image
  docker image rm authelia/authelia:$IMAGE_VERSION &> /dev/null

  # Delete the DNS record
  docker exec pdns pdnsutil delete-rrset $DOMAIN authelia A

  kill -9 $SPINPID &> /dev/null
  echo -ne "done.\n"
}