#!/usr/bin/with-contenv bash
# shellcheck shell=bash

# Destination directories for the bouncer config, its Lua libraries and its
# runtime data. Each value ends in a slash because later steps append file
# names to it directly.
CONFIG_PATH="/config/crowdsec/"
LIB_PATH="/usr/local/lua/crowdsec/"
DATA_PATH="/var/lib/crowdsec/lua/"

# The archive is removed at the end of this script, so its absence means the
# bouncer was already configured on an earlier start.
[[ -e "/crowdsec-nginx-bouncer.tgz" ]] || exit 0

echo "**** Configuring CrowdSec nginx Bouncer ****"

# The API key and the LAPI URL are both mandatory. Stop with a non-zero status
# instead of writing a config the bouncer could not authenticate with.
if [[ -z $CROWDSEC_API_KEY || -z $CROWDSEC_LAPI_URL ]]; then
    echo "**** Missing API key or CrowdSec LAPI URL, cannot configure bouncer ****"
    exit 1
fi

# Packages required by the Lua bouncer. They are appended to the shared list
# file as one line; presumably the base image installs everything listed there
# later in init (confirm against the base image).
packages=(
    gettext
    lua5.1
    lua5.1-cjson
    lua-resty-http
    lua-resty-string
    lua-sec
    nginx-mod-http-lua
)

# Emit exactly the bytes the list has always received: four leading spaces,
# names separated by five spaces, one trailing newline.
{
    printf '    %s' "${packages[0]}"
    printf '     %s' "${packages[@]:1}"
    printf '\n'
} >> /mod-repo-packages-to-install.list

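# Unpack the bouncer archive into a scratch directory, dropping the archive's
# top-level folder.
mkdir -p /tmp/crowdsec

# Stop here if extraction fails. Otherwise every later step fails quietly, the
# clean-up still deletes the archive, the success banner is printed, and the
# next start exits early as "already configured" while nginx runs without the
# bouncer.
if ! tar xf \
    /crowdsec-nginx-bouncer.tgz -C \
    /tmp/crowdsec --strip-components=1; then
    echo "**** Failed to extract the CrowdSec nginx Bouncer archive ****"
    exit 1
fi

mkdir -p "${CONFIG_PATH}"

# Seed the config from the shipped example on first run only, so an existing
# (possibly hand-edited) file is kept.
if [[ ! -f "${CONFIG_PATH}crowdsec-nginx-bouncer.conf" ]]; then
    if ! cp /tmp/crowdsec/lua-mod/config_example.conf "${CONFIG_PATH}crowdsec-nginx-bouncer.conf"; then
        echo "**** Failed to create ${CONFIG_PATH}crowdsec-nginx-bouncer.conf ****"
        exit 1
    fi
fi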

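#######################################
# Escape a value for the replacement half of a sed 's|pattern|replacement|'
# command. Backslash, '&' and the '|' delimiter are prefixed with a backslash
# so sed copies them literally instead of treating them as syntax.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout
#######################################
crowdsec_sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

#######################################
# Rewrite "KEY=<anything>" in a file to "KEY=VALUE".
# The pattern is deliberately left unanchored, as it always was: any line that
# contains "KEY=" is rewritten from that point to the end of the line.
# NOTE(review): consider anchoring with ^ once the template's key names are
# confirmed, so commented-out or longer-named keys are not touched.
# Arguments: $1 - key name (fixed literal chosen by this script)
#            $2 - value, taken from the environment
#            $3 - config file to edit in place
# Returns:   exit status of sed
#######################################
crowdsec_set_conf() {
    local key=$1 value=$2 file=$3 escaped
    # Environment values are data, not sed syntax: a key or URL containing
    # '|', '&' or '\' previously broke the command or corrupted the setting.
    # A value with an embedded newline is still rejected by sed, as before.
    escaped=$(crowdsec_sed_escape "$value") || return
    sed -i -r "s|${key}=.*$|${key}=${escaped}|" "$file"
}

bouncer_conf="${CONFIG_PATH}crowdsec-nginx-bouncer.conf"

# Every setting below is rewritten from the environment on each run, so an
# unset optional variable blanks whatever the file held for that key.
# NOTE(review): the API key and captcha secret are passed on sed's command
# line and end up in this file; confirm the file's permissions suit a secret.

# Inject API keys into config file
crowdsec_set_conf API_KEY "${CROWDSEC_API_KEY}" "$bouncer_conf"
crowdsec_set_conf API_URL "${CROWDSEC_LAPI_URL}" "$bouncer_conf"

# Captcha settings
crowdsec_set_conf SECRET_KEY "${CROWDSEC_SECRET_KEY}" "$bouncer_conf"
crowdsec_set_conf SITE_KEY "${CROWDSEC_SITE_KEY}" "$bouncer_conf"
crowdsec_set_conf CAPTCHA_PROVIDER "${CROWDSEC_CAPTCHA_PROVIDER}" "$bouncer_conf"

# Mode and update frequency, defaulting to live and 10 when not set
crowdsec_set_conf MODE "${CROWDSEC_MODE:-live}" "$bouncer_conf"
crowdsec_set_conf UPDATE_FREQUENCY "${CROWDSEC_UPDATE_FREQUENCY:-10}" "$bouncer_conf"

# Older config files may have no APPSEC_URL line; append one in that case.
if grep -q "^APPSEC_URL=" "$bouncer_conf"; then
    crowdsec_set_conf APPSEC_URL "${CROWDSEC_APPSEC_URL}" "$bouncer_conf"
else
    printf '%s\n' "APPSEC_URL=${CROWDSEC_APPSEC_URL}" >> "$bouncer_conf"
fi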

# Point the shipped nginx snippet at this mod's config directory instead of
# the /etc/crowdsec/bouncers/ path it is shipped with.
sed -i "s|/etc/crowdsec/bouncers/|${CONFIG_PATH}|" /tmp/crowdsec/nginx/crowdsec_nginx.conf

# NOTE(review): none of the commands below has its exit status checked, so a
# failed copy leaves the bouncer partly installed while the script carries on.

# Install the templates
templates_dir="${DATA_PATH}/templates/"
mkdir -p "${templates_dir}"
cp -r /tmp/crowdsec/lua-mod/templates/* "${templates_dir}"

# Install the Lua libraries
mkdir -p "${LIB_PATH}plugins/crowdsec"
cp -r /tmp/crowdsec/lua-mod/lib/* "${LIB_PATH}"

# Install the rewritten nginx snippet
cp /tmp/crowdsec/nginx/crowdsec_nginx.conf /etc/nginx/http.d

# Make sure nginx loads /etc/nginx/http.d/*.conf, which is where the bouncer
# snippet is installed.
# The [^#] in the first two patterns has to consume one character, so an
# include written at the very start of a line is not recognised as active.
nginx_conf='/config/nginx/nginx.conf'

if grep -q '[^#]include /etc/nginx/http.d/\*.conf;' "$nginx_conf" \
    || grep -q '[^#]include /etc/nginx/conf.d/\*.conf;' "$nginx_conf"; then
    # An active http.d or conf.d include already exists; leave the file alone
    :
elif grep -q '#include /etc/nginx/http.d/\*.conf;' "$nginx_conf"; then
    # The include is present but commented out; uncomment it
    sed -i 's|#include /etc/nginx/http.d/\*.conf;|include /etc/nginx/http.d/\*.conf;|' "$nginx_conf"
else
    # No include to enable: the user has to add it, and the bouncer stays
    # inactive until they do
    echo "
        ┌──────────────────────────────────────────────────────────────────┐
        │    Warning: Your nginx.conf is missing required settings         │
        │    Please add:                                                   │
        │        include /etc/nginx/http.d/*.conf;                         │
        │    to the http{} block and restart the container.                │
        │                                                                  │
        │    The CrowdSec bouncer will not function until this is done.    │
        └──────────────────────────────────────────────────────────────────┘
        "
fi

# Remove the scratch directory and the archive. The archive's absence is what
# makes the next start skip this script, so this happens whether or not the
# earlier steps succeeded.
rm -rf /tmp/crowdsec /crowdsec-nginx-bouncer.tgz

# CROWDSEC_VERSION no longer selects a version; tell users who still set it.
if [[ ${CROWDSEC_VERSION} ]]; then
    echo "
    ┌─────────────────────────────────────────────────────────────────────────┐
    │                             !! ATTENTION !!                             │
    │                                                                         │
    │                        This mod will ignore the                         │
    │                  CROWDSEC_VERSION environment variable                  │
    │                                                                         │
    │                  Versioning is now handled by mod tags                  │
    │ See https://hub.docker.com/r/linuxserver/mods/tags?name=swag-crowdsec-v │
    │                     For a list of all available tags                    │
    └─────────────────────────────────────────────────────────────────────────┘"
fi

# NOTE(review): this banner is printed unconditionally; it does not prove that
# the earlier copy and edit steps succeeded.
echo "**** Successfully configured CrowdSec nginx Bouncer ${CROWDSEC_VERSION} ****"
