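#!/bin/bash
#
# Build and provision the Samba AD DC LXC container on an EOLE host:
#   1. prepare the APT/proxy/network settings used by the lxc "ubuntu" template,
#   2. create the container rootfs and inject the host's keyboard, timezone,
#      root SSH key, resolver, nsswitch and EOLE helper files,
#   3. start it, wait until systemd and sshd answer,
#   4. install eole-ad-pkg inside it and run samba_instance over SSH.
#
# Must run as root. Reads the Creole variables ad_domain, serveur_maj,
# serveur_ntp, ad_public_address, proxy_client_adresse and
# proxy_client_port. CONTAINER_NAME, CONTAINER_IP and CONTAINER_ROOTFS are
# provided by /usr/lib/eole/eolead.sh; EchoBleu/EchoRouge come from ihm.sh
# and ConfigureSourcesList from utils.sh.
# Progress is logged to /var/log/samba/create_addc.log.

set -e

# shellcheck disable=SC1091
. /etc/lsb-release

# shellcheck disable=SC1091
. /usr/lib/eole/ihm.sh

# shellcheck disable=SC1091
. /usr/lib/eole/utils.sh

# eolead.sh provides CONTAINER_NAME, CONTAINER_IP and CONTAINER_ROOTFS
# shellcheck disable=SC1091
. /usr/lib/eole/eolead.sh

# Fail fast if a variable that is spliced into a path or a command line is
# missing. An empty CONTAINER_ROOTFS would turn every
# "${CONTAINER_ROOTFS}/etc/..." write or rm below into an operation on the
# host's own /etc, and an empty DISTRIB_CODENAME would make the final
# "rm -rf" wipe the whole /var/cache/lxc directory.
: "${DISTRIB_CODENAME:?not provided by /etc/lsb-release}"
: "${DISTRIB_ID:?not provided by /etc/lsb-release}"
: "${CONTAINER_NAME:?not provided by eolead.sh}"
: "${CONTAINER_IP:?not provided by eolead.sh}"
: "${CONTAINER_ROOTFS:?not provided by eolead.sh}"

CACHE_DIR=/var/cache/lxc/${DISTRIB_CODENAME}
PARTIAL_DIR=${CACHE_DIR}/partial-amd64
LOG_FILE=/var/log/samba/create_addc.log

REALM=$(CreoleGet ad_domain)
EOLE_MIRROR=$(CreoleGet serveur_maj | head -n 1)
CONTAINER_ETH0=$(CreoleGet ad_public_address)
EOLE_PROXY_ADDRESS=$(CreoleGet proxy_client_adresse '')
EOLE_PROXY_PORT=$(CreoleGet proxy_client_port '')
# "apt-config shell" prints shell assignments for the requested keys and
# eval-ing its output is the documented way to read them. The input is the
# host's own APT configuration, not user-supplied data.
APT_PROXY_RES=$(apt-config shell APT_PROXY Acquire::http::Proxy)
eval "${APT_PROXY_RES}"

#######################################
# Run a command as root inside the container over SSH.
# The container is rebuilt by this script, so its host key is new on every
# run: StrictHostKeyChecking=no accepts it and -q hides the warning printed
# when an older key is still recorded in known_hosts. Authentication uses
# the authorized_keys file installed in the rootfs below.
# Globals:   CONTAINER_IP (read)
# Arguments: the remote command line, handed to ssh unchanged
# Returns:   the exit status of ssh
#######################################
ssh_exec() {
  ssh -t -q -o LogLevel=ERROR -o StrictHostKeyChecking=no "root@${CONTAINER_IP}" "$@"
}

# Never use the host's SSH agent for connections into the container
unset SSH_AUTH_SOCK

echo
EchoBleu "Génération du conteneur $CONTAINER_NAME"

export DEBIAN_FRONTEND=noninteractive

# Proxy precedence: an http_proxy already present in the environment wins,
# then the Creole client proxy, then the proxy configured for APT on the host.
if [ -z "${http_proxy}" ]; then
  if [ -n "${EOLE_PROXY_ADDRESS}" ]; then
    export http_proxy="http://${EOLE_PROXY_ADDRESS}:${EOLE_PROXY_PORT}"
    export https_proxy="${http_proxy}"
  elif [ -n "${APT_PROXY}" ]; then
    export http_proxy="${APT_PROXY}"
    export https_proxy="${APT_PROXY}"
  fi
fi

# APT configuration picked up by the lxc template: the EOLE apt.conf (we need
# its Apt::Pipeline and No-Cache settings) plus the proxy, when there is one.
mkdir -p "${PARTIAL_DIR}"/etc/apt/apt.conf.d
cp /etc/apt/apt-eole.conf "${PARTIAL_DIR}"/etc/apt/apt.conf
if [ -n "${http_proxy}" ]; then
  cat > "${PARTIAL_DIR}"/etc/apt/apt.conf.d/02eoleproxy <<EOF
Acquire::http::Proxy "${http_proxy}";
Acquire::https::Proxy "${http_proxy}";
EOF
fi

# Container network: 192.0.2.0/24 behind bridge br0
cat > /etc/default/lxc-net <<EOF
USE_LXC_BRIDGE="true"
LXC_BRIDGE="br0"
LXC_ADDR="192.0.2.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="192.0.2.0/24"
EOF

systemctl stop lxc-net
# The stock bridge may not exist yet; that is not an error
ip link del lxcbr0 2>/dev/null || true
sed -i 's/lxc.network.link.*/lxc.network.link = br0/' /etc/lxc/default.conf
systemctl start lxc-net

# The host's root key pair is handed to lxc-create (-S) right below, so it
# must exist before the container is built.
if [ ! -f /root/.ssh/id_rsa.pub ]; then
  mkdir -p -m 700 /root/.ssh
  ssh-keygen -f /root/.ssh/id_rsa -N ''
fi

lxc-create -n "$CONTAINER_NAME" -t ubuntu -- -r "$DISTRIB_CODENAME" -u "$DISTRIB_ID" -S /root/.ssh/id_rsa.pub --mirror "http://$EOLE_MIRROR/ubuntu"

# Workaround: lxc-create leaves a US keyboard layout behind (#24385)
service keyboard-setup restart

echo
EchoBleu "Configuration du conteneur $CONTAINER_NAME"

# Same keyboard layout as the host
cp /etc/default/keyboard "${CONTAINER_ROOTFS}"/etc/default/keyboard

# Same timezone as the host (#24933); the symlink target is replicated so it
# resolves against the container's own /usr/share/zoneinfo
cp /etc/timezone "${CONTAINER_ROOTFS}"/etc/timezone
ln -nsf "$(readlink /etc/localtime)" "${CONTAINER_ROOTFS}"/etc/localtime

# Authorise the host's root key in the container (used by ssh_exec).
# 700 on the directory, 600 on its files: a 600 directory only works because
# root ignores directory permissions.
mkdir -p "$CONTAINER_ROOTFS"/root/.ssh/
cp /root/.ssh/id_rsa.pub "$CONTAINER_ROOTFS"/root/.ssh/authorized_keys
chmod 700 "$CONTAINER_ROOTFS"/root/.ssh/
find "$CONTAINER_ROOTFS"/root/.ssh/ -type f -exec chmod 600 -- {} +

rm -f "$CONTAINER_ROOTFS"/etc/network/interfaces

# resolvconf is purged so that resolv.conf can be a plain file generated by
# the addc.resolv.conf template
chroot "$CONTAINER_ROOTFS" apt-get purge -y resolvconf ubuntu-advantage-pro
if [ -L "$CONTAINER_ROOTFS"/etc/resolv.conf ]; then
  rm -f "$CONTAINER_ROOTFS"/etc/resolv.conf
fi

CreoleCat -dt addc.resolv.conf

# No DHCP interface in the container.
# "-i" and "-e" are kept as separate options: "-ie" is read by GNU sed as
# "-i" with backup suffix "e" and left a stray 10-lxc.yamle next to the file.
# NOTE(review): the replacement drops the space after "eth0:" — confirm the
# resulting line is what netplan is meant to see.
sed -i -e 's/\(    eth0:\) {dhcp4: true}/\1{dhcp4: false}/' "${CONTAINER_ROOTFS}"/etc/netplan/10-lxc.yaml

CreoleCat -dt addc.lxc.config

# Name service switch: winbind for users and groups, plain DNS for hosts
cat > "$CONTAINER_ROOTFS"/etc/nsswitch.conf <<EOF
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
EOF

mkdir -p "$CONTAINER_ROOTFS"/etc/eole
CreoleCat -dt samba4-vars-addc.conf

# EOLE helpers needed inside the container; tcpcheck runs under python3 there
mkdir -p "$CONTAINER_ROOTFS"/usr/lib/eole
cp /usr/lib/eole/ihm.sh "$CONTAINER_ROOTFS/usr/lib/eole/ihm.sh"
cp /usr/bin/tcpcheck "$CONTAINER_ROOTFS/usr/bin/tcpcheck"
sed -i 's/python$/python3/' "$CONTAINER_ROOTFS/usr/bin/tcpcheck"

ConfigureSourcesList "$EOLE_MIRROR"

echo
EchoBleu "Démarrage du conteneur $CONTAINER_NAME"
lxc-start -n "$CONTAINER_NAME" -d

# Wait for RUNNING in the LXC sense (systemd inside may still be booting).
# The exit status is captured explicitly; status 2 is treated as "already
# running", anything else non-zero as a failed start.
wait_rc=0
lxc-wait -n "$CONTAINER_NAME" -s RUNNING || wait_rc=$?
case "$wait_rc" in
  0) EchoBleu "Le conteneur $CONTAINER_NAME a démarré" ;;
  2) EchoBleu "Le conteneur $CONTAINER_NAME est déjà démarré" ;;
  *)
    EchoRouge "Le conteneur $CONTAINER_NAME n'a pas démarré"
    exit 1
    ;;
esac

# Poll until systemd inside the container reports "running" and sshd answers
# on port 22; give up after max_try rounds of 5 s, dumping the container
# journal into the log file.
echo "Attente Addc" >"$LOG_FILE"
try=0
max_try=10
while [ "${try}" -le "${max_try}" ]; do
  if [ "${try}" -eq "${max_try}" ]; then
    EchoRouge "Impossible de contacter le conteneur via ssh"
    {
      echo "addc: /bin/journalctl --no-pager "
      echo "-----------------------------------------------------"
      lxc-attach -n "$CONTAINER_NAME" -- /bin/journalctl --no-pager || /bin/true
      echo "-----------------------------------------------------"
    } >>"$LOG_FILE" 2>&1
    exit 1
  fi
  sleep 5
  echo "-----------------------------------------------------" >>"$LOG_FILE"
  # Diagnostics only: a failing ps must not abort the wait
  lxc-attach -n "$CONTAINER_NAME" -- /bin/ps fax >>"$LOG_FILE" 2>&1 || /bin/true
  IS_RUNNING="$(lxc-attach -n "$CONTAINER_NAME" -- /bin/systemctl is-system-running || /bin/true)"
  if [[ "$IS_RUNNING" == running ]]; then
    if tcpcheck 1 "$CONTAINER_IP":22 >/dev/null; then
      break
    fi
    echo "Conteneur addc en attente de démarrage SSH"
  else
    echo "Conteneur addc en cours de démarrage : $IS_RUNNING"
  fi
  try=$((try+1))
done
printf '%s' "Serveur démarré : "
lxc-attach -n "$CONTAINER_NAME" -- /bin/cat /etc/hostname

echo
EchoBleu "Finalisation du conteneur $CONTAINER_NAME"

# Keep package installation from starting services inside the container
# (policy-rc.d exit 101 = action forbidden); removed again before samba_instance
cat > "$CONTAINER_ROOTFS"/usr/sbin/policy-rc.d <<EOF
#!/bin/sh
exit 101
EOF
chmod a+x "$CONTAINER_ROOTFS"/usr/sbin/policy-rc.d

# NOTE(review): userdel exits non-zero when the account does not exist, and
# set -e then aborts the script here — confirm the name matches the account
# the ubuntu template creates.
lxc-attach -n "$CONTAINER_NAME" -- /usr/sbin/userdel -r Ubuntu 2>/dev/null
lxc-attach -n "$CONTAINER_NAME" -- /usr/bin/apt-get update
lxc-attach -n "$CONTAINER_NAME" --set-var DEBIAN_FRONTEND=noninteractive -- /usr/bin/apt-get install eole-ad-pkg -y
lxc-attach -n "$CONTAINER_NAME" -- /usr/bin/apt-get clean

# Socket directory through which ntpd asks samba to sign MS-SNTP replies
# (see ntpsigndsocket in ntp.conf below). It is a directory, hence -d.
if [ ! -d "$CONTAINER_ROOTFS"/var/lib/samba/ntp_signd ]; then
  ssh_exec "install -d /var/lib/samba/ntp_signd"
  ssh_exec "chown root:ntp /var/lib/samba/ntp_signd"
  ssh_exec "chmod 0750 /var/lib/samba/ntp_signd"
fi

# Kerberos client configuration; DNS lookups are disabled so the KDC is
# always the AD DC's public address. The host-to-realm mapping section is
# named [domain_realm] (singular) in krb5.conf(5); the previous
# [domain_realms] spelling was silently ignored.
cat > "$CONTAINER_ROOTFS"/etc/krb5.conf <<EOF
[libdefaults]
default_realm = ${REALM^^}
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
${REALM^^} = {
kdc = $CONTAINER_ETH0
}

[domain_realm]
.${REALM} = ${REALM^^}
${REALM} = ${REALM^^}
EOF

# Generates "$CONTAINER_ROOTFS"/etc/samba/smb.conf
CreoleCat -dt smb-addc.conf
sed -i -e "s,^\(\s*tls cafile =\).*,\1 /var/lib/samba/private/tls/ca.pem," "$CONTAINER_ROOTFS"/etc/samba/smb.conf

cat > "$CONTAINER_ROOTFS"/etc/ntp.conf <<EOF
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd/

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable

# Specify one or more NTP servers.
# You do need to talk to an NTP server or two (or three).
$(CreoleGet serveur_ntp | sed "s/^\(.*\)$/server \1 iburst/")

# Fallback pool
pool europe.pool.ntp.org

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited mssntp

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
EOF


echo
EchoBleu "Configuration du service samba-ad-dc"
# Only the AD DC mode is wanted: the classic daemons stay masked
ssh_exec "systemctl mask smbd"
ssh_exec "systemctl mask nmbd"
ssh_exec "systemctl mask winbind"
ssh_exec "systemctl unmask samba-ad-dc"
ssh_exec "systemctl enable samba-ad-dc"

rm "$CONTAINER_ROOTFS"/usr/sbin/policy-rc.d

ssh_exec ". /usr/lib/eole/samba4.sh && . /etc/eole/samba4-vars.conf && samba_instance"

cp "$CONTAINER_ROOTFS"/etc/krb5.conf "$CONTAINER_ROOTFS"/var/lib/samba/private/krb5.conf

# Expose the container's samba logs on the host
if [ ! -e /var/log/samba-ad-dc ]; then
  ln -ns "$CONTAINER_ROOTFS"/var/log/samba /var/log/samba-ad-dc
fi

# Clean the lxc template cache; CACHE_DIR cannot be /var/cache/lxc/ itself
# thanks to the DISTRIB_CODENAME check at the top
rm -rf "${CACHE_DIR}"

echo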
