#!/sbin/openrc-run
# SPDX-License-Identifier: MIT

# Service identity for OpenRC: the daemon binary is named after the
# service, is started in the background (command_background) and its
# pid is tracked in pidfile so stop/status can find it.
name="abos-web"
command="/usr/bin/$name"
command_background="yes"
pidfile="/run/abos-web.pid"

# OpenRC dependency hook: abos-web is a network service, so it must not
# come up before the "net" virtual service.
depend() { need net; }

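generate_tls_key() {
	# Make sure ABOS Web has a self-signed TLS certificate and private key.
	# A new pair is generated when either file is missing, or when the
	# existing certificate no longer verifies against itself (expired or
	# corrupt).  Returns 0 when nothing had to be done or generation
	# succeeded, non-zero when mkdir, openssl or persist_file failed.
	local cert=/etc/atmark/abos_web/tls/cert.pem \
		key=/etc/atmark/abos_web/tls/key.pem \
		keep_old=""
	if ! [ -e "$cert" ] || ! [ -e "$key" ]; then
		# a certificate without its private key is unusable, so a missing
		# key is treated like a missing certificate and both are redone
		einfo "ABOS Web certificate missing, generating certificate..."
	elif [ "$(date +%s)" -lt 1707171804 ]; then
		# clock predates this script (epoch 1707171804, early 2024): NTP
		# time was not obtained, so a validity check would be meaningless
		return 0
	elif ! openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
		einfo "ABOS Web certificate is not valid, regenerating it"
		# keep old pair for debug.  NOTE(review): the superseded private
		# key is persisted alongside the new one below; drop "$key.old"
		# from the persist_file call if that is not wanted on devices.
		mv "$cert" "$cert.old"
		mv "$key" "$key.old"
		keep_old=1
	else
		# certificate and key present, certificate valid: nothing to do.
		# Explicit 0: a bare "return" here would propagate the status of
		# the negated openssl test above, i.e. 1, to the caller.
		return 0
	fi

	mkdir -p /etc/atmark/abos_web/tls || return
	# accept a handful of avahi addresses
	local altnames="DNS.1:armadillo.local" i
	for i in $(seq 2 16); do
		altnames="$altnames, DNS.$i:armadillo-$i.local"
	done
	# and localhost and containers 'host' aliases:
	altnames="$altnames, DNS.17:localhost"
	altnames="$altnames, DNS.18:host.containers.internal"
	# .. as well as their IP
	altnames="$altnames, IP.1:127.0.0.1, IP.2:::1, IP.3:10.88.0.1"
	# NOTE(review): openssl writes "$key" with the inherited umask, so the
	# private key may end up world-readable if the service starts with a
	# permissive umask.  Not tightened here because this script does not
	# show which uid reads the key (root vs abos-web-admin); confirm that,
	# then add "umask 077" or a chmod/chown matching that uid.
	openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -x509 \
			-nodes -days 3650 -subj '/CN=armadillo.local' \
			-addext "subjectAltName = $altnames" -batch \
			-out "$cert" -keyout "$key" \
		|| return
	persist_file "$cert" "$key" ${keep_old:+"$cert.old" "$key.old"}
}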

declare_avahi_service() {
	# Advertise abos-web over mDNS (_https._tcp on port 58080) by writing
	# a service file into avahi's directory.  That directory stays in RAM,
	# so the announcement only exists while this service was started; a
	# system without the directory (no avahi) is silently skipped.
	local svcdir=/etc/avahi/services
	[ -d "$svcdir" ] || return 0
	cat > "$svcdir/abos-web.service" <<'EOF'
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h abos-web</name>
  <service>
    <type>_https._tcp</type>
    <port>58080</port>
  </service>
</service-group>
EOF
}

create_migrate_var_lib() {
	# Set up /var/lib/abos-web (owned by abos-web-admin) and move the token
	# store there, leaving /etc/atmark/abos_web/tokens as a symlink so the
	# old path keeps working.  Returns non-zero when the copy, cleanup,
	# symlink or persist_file step fails.
	local base=/var/lib/abos-web \
		legacy=/etc/atmark/abos_web/tokens

	checkpath --directory --owner abos-web-admin --mode 0755 "$base"

	# already migrated: the legacy path is the compatibility symlink
	[ -L "$legacy" ] && return 0

	checkpath --directory --owner abos-web-admin --mode 0700 "$base/tokens"
	if [ -d "$legacy" ]; then
		# copy the directory *contents* so an existing target is merged
		cp -a "$legacy/." "$base/tokens" || return
		chown -R abos-web-admin: "$base/tokens"
		rm -rf "$legacy" || return
	fi
	ln -s "$base/tokens" "$legacy" || return
	persist_file -r "$base/tokens" "$legacy" || return
}

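start() {
	# OpenRC start hook.  When `abos-ctrl status --onetime-cert` succeeds
	# (presumably: an installed system, per the einfo below) and the
	# abos-web-admin account has no usable password, the start is skipped
	# unless ABOSWEB_ALLOW_EMPTY_LOGIN is set.  Otherwise the TLS pair,
	# the mDNS announcement and /var/lib/abos-web are prepared before
	# handing over to default_start.
	local rc
	# refuse to start if password has not been set
	if [ -z "$ABOSWEB_ALLOW_EMPTY_LOGIN" ] \
	    && abos-ctrl status --onetime-cert 2>/dev/null \
	    && ! awk -F':' '$1 == "abos-web-admin" {
				found=1
				# no usable password: locked ("!" prefix) or empty hash
				exit ($2 == "" || $2 ~ /^!/)
			}
			END { if (!found) { exit 1 }}' /etc/shadow; then
		einfo "Skipping abos-web start without password on installed system"
		return 0
	fi
	# prepare tls self-signed certificate pair if none found
	generate_tls_key
	declare_avahi_service
	create_migrate_var_lib
	rc=$?
	if [ "$rc" -ne 0 ]; then
		# report the real failure: inside "if ! cmd; then", $? is the
		# status of the negated (successful) test, so "eend $?; return"
		# told OpenRC the service had started when it had not
		eend "$rc" "Could not populate /var/lib/abos-web"
		return "$rc"
	fi

	export ABOSWEB_VARIANT

	default_start
}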

stop_pre() {
	# Withdraw the mDNS announcement before the daemon goes down; -f keeps
	# this a no-op when the file was never written (no avahi on the box).
	local svc=/etc/avahi/services/abos-web.service
	rm -f -- "$svc"
}
