#/bin/sh

## Required vars
# CPAD_MAIN_DOMAIN
# CPAD_SANDBOX_DOMAIN
#
## Optional vars
# CPAD_API_DOMAIN
# CPAD_FILES_DOMAIN
#
## Both these vars must be set in order for nginx to terminate TLS
# CPAD_TLS_CERT
# CPAD_TLS_KEY
## If dhparam.pem file is absent it will be generated
# CPAD_TLS_DHPARAM
#
# CPAD_TRUSTED_PROXY
# CPAD_REALIP_HEADER
# CPAD_REALIP_RECURSIVE
#
## Testing vars, may be removed later
# CPAD_HTTP2_DISABLE="true"
#

set -e

CPAD_HOME="/cryptpad"

# Since Nginx configuration is copied from the official image we need to
# correct some stuff
# Fix log path
sed -i -e "s@\(error_log\) */.* \(.*;\)@\1 /dev/stderr \2@" \
       -e "s@\(access_log\) */.* \(.*;\)@\1 /dev/stdout \2@" \
       ${CPAD_NGINX_CONF:=/etc/nginx/nginx.conf}

# Remove nginx default enabled conf
if [ -f /etc/nginx/conf.d/default.conf ]; then
  rm /etc/nginx/conf.d/default.conf
fi

# Test if nginx config file already exists (eg: docker swarm config)
# if absent, copy example and apply corrections
if [ ! -f "${CPAD_NGINX_CPAD_CONF:=/etc/nginx/conf.d/cryptpad.conf}" ]; then

  # Copy nginx config example from Cryptpad
  cp $CPAD_HOME/docs/example.nginx.conf $CPAD_NGINX_CPAD_CONF

  # Set domains
  if [ -z "${CPAD_MAIN_DOMAIN:-}" ]; then
    echo "Error: No main domain specified"
    exit 1
  else
    sed -i "s@your-main-domain.com@$CPAD_MAIN_DOMAIN@g" $CPAD_NGINX_CPAD_CONF
  fi

  if [ -z "${CPAD_SANDBOX_DOMAIN:-}" ]; then
    echo "Error: No sandbox domain specified"
    exit 1
  else
    sed -i "s@your-sandbox-domain.com@$CPAD_SANDBOX_DOMAIN@g" $CPAD_NGINX_CPAD_CONF
  fi

  if [ -z "${CPAD_API_DOMAIN}" ]; then
    sed -i "s@api.$CPAD_MAIN_DOMAIN@\$\{main_domain\}@" $CPAD_NGINX_CPAD_CONF
  fi

  if [ -z "${CPAD_FILES_DOMAIN}" ]; then
    sed -i "s@files.$CPAD_MAIN_DOMAIN@\$\{main_domain\}@" $CPAD_NGINX_CPAD_CONF
  fi

  # Change nginx document root
  sed -i "s@\(root\) */.*\([^;]\)@\1 $CPAD_HOME@" $CPAD_NGINX_CPAD_CONF

  # Whether or not Nginx should terminate TLS (defaults to true)
  if [ -n "$CPAD_TLS_CERT" \
    -a -n "$CPAD_TLS_KEY" ]; then

    # If cert is present, set path. If not, exit with error
    if [ -f "$CPAD_TLS_CERT" ]; then
      sed -i "s@\( *ssl_certificate[^_key] *\).*[^;]@\1$CPAD_TLS_CERT@" $CPAD_NGINX_CPAD_CONF
    else
      echo "Error: Missing TLS certificate file"
      exit 1
    fi

    # If key is present, set path. If not, exit with error
    if [ -f "$CPAD_TLS_KEY" ]; then
      sed -i "s@\( *ssl_certificate_key *\).*[^;]@\1$CPAD_TLS_KEY@" $CPAD_NGINX_CPAD_CONF
    else
      echo "Error: Missing TLS key file"
      exit 1
    fi

    # This option is only useful for OCSP stapling which Cryptpad doesn't use
    # so we'll comment it to avoid errors.
    sed -i "s@\(ssl_trusted_certificate\)@#\1@" $CPAD_NGINX_CPAD_CONF

    # If no DH parameters are provided, generate them
    if [ ! -f "${CPAD_TLS_DHPARAM:=/etc/nginx/dhparam.pem}" ]; then
      # Generate DH parameters
      openssl dhparam -out $CPAD_TLS_DHPARAM 4096
    fi

  # If no TLS termination
  else
    # Make Nginx listen on 80 in plaintext
    # and comment out all ssl related options
    sed -i  -e "s@\(^.*\) \+443 ssl\(.*$\)@\1 80\2@" \
            -e "s@[^#]ssl_@ #ssl_@g" $CPAD_NGINX_CPAD_CONF
  fi

  # Should Nginx use http_realip_module
  if [ -n "${CPAD_TRUSTED_PROXY:=}" ]; then
    # Set trusted proxy
    sed -i  -e "/listen/ G" \
    -e "/listen/ a \   \ # Set trusted proxy and header containing real client IP" \
    -e "/listen/ a \   \ set_real_ip_from  $CPAD_TRUSTED_PROXY;" $CPAD_NGINX_CPAD_CONF

    # Set header to get real client IP from
    if [ -n "${CPAD_REALIP_HEADER:-}" ]; then
      sed -i "/set_real_ip_from/ a \   \ real_ip_header    $CPAD_REALIP_HEADER;" $CPAD_NGINX_CPAD_CONF
    fi

    # Should Nginx perform a recursive search to get real client IP
    if [ -n "${CPAD_REALIP_RECURSIVE:-}" ]; then
      sed -i "/set_real_ip_from/ a \   \ real_ip_recursive $CPAD_REALIP_RECURSIVE;" $CPAD_NGINX_CPAD_CONF
    fi
  fi

  # Should nginx use HTTP2 (defaults to false)
  if [ "${CPAD_HTTP2_DISABLE:-false}" = "true" ]; then
    sed -i  -e "s@\(^.*\) \+http2\(.*$\)@\1\2@" $CPAD_NGINX_CPAD_CONF
  fi

  ## WIP
  # If cryptad conf isn't provided
  # if [ ! -f "$CPAD_CONF" ]; then
  #   echo -e "\n\
  #         ############################################### \n\
  #         Warning: No config file provided for cryptpad \n\
  #         We will create a basic one for now but you should rerun this service \n\
  #         by providing a file with your settings \n\
  #         eg: docker run -v /path/to/config.js:/cryptpad/config/config.js \n\
  #         ############################################### \n"
  #
  #   cp $CPAD_HOME/config/config.example.js $CPAD_CONF
  #
  #   # Set domains
  #   sed -i  -e "s@\(httpUnsafeOrigin:\).*[^,]@\1 'https://$CPAD_MAIN_DOMAIN'@" \
  #           -e "s@\(^ *\).*\(httpSafeOrigin:\).*[^,]@\1\2 'https://$CPAD_SANDBOX_DOMAIN'@" $CPAD_CONF
  #
  #   # Set admin email
  #   if [ -z "$CPAD_ADMIN_EMAIL" ]; then
  #     echo "Error: Missing admin email (Did you read the config?)"
  #     exit 1
  #   else
  #     sed -i "s@\(adminEmail:\).*[^,]@\1 '$CPAD_ADMIN_EMAIL'@" $CPAD_CONF
  #   fi
  # fi

fi

cd $CPAD_HOME
npm run build

exec "$@"