#!/bin/bash

# Exit on any error
set -e

# Function to log messages
log_message() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
}

# Check if script is run as root
if [ "$EUID" -ne 0 ]; then 
    echo "Please run as root"
    exit 1
fi

# Update system
log_message "Updating system packages..."
apt-get update && apt-get upgrade -y

# Install essential packages
log_message "Installing essential packages..."
apt-get install -y \
    ca-certificates \
    curl \
    gnupg \
    ufw \
    fail2ban \
    git \
    sudo

# Install Docker
log_message "Installing Docker..."
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc

# Add Docker repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  tee /etc/apt/sources.list.d/docker.list > /dev/null

apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Create docker user and set up permissions
log_message "Creating docker user and setting up permissions..."
useradd -m -s /bin/bash dockeruser
usermod -aG docker dockeruser
echo "dockeruser ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/docker-compose" | sudo tee /etc/sudoers.d/dockeruser

# Configure UFW
log_message "Configuring firewall..."
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 25/tcp
ufw allow 80/tcp
ufw allow 110/tcp
ufw allow 143/tcp
ufw allow 443/tcp
ufw allow 465/tcp
ufw allow 587/tcp
ufw allow 993/tcp
ufw allow 995/tcp
ufw allow 4190/tcp
ufw --force enable

# Configure fail2ban for SSH
log_message "Configuring fail2ban for SSH protection..."
cat > /etc/fail2ban/jail.local << EOL
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
banaction = ufw
backend = systemd

ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
maxretry = 3
bantime = 1d
findtime = 10m
EOL

# Reload systemd daemon
systemctl daemon-reload

# Restart fail2ban
systemctl restart fail2ban

# Restart fail2ban
systemctl restart fail2ban

# Set up Mailcow directory and permissions
log_message "Setting up Mailcow directory..."
mkdir -p /opt/mailcow-dockerized
chown dockeruser:dockeruser /opt/mailcow-dockerized

# Function to get FQDN input
get_fqdn() {
    local fqdn
    while true; do
        read -p "Please enter your Fully Qualified Domain Name (FQDN) (e.g., mail.example.com): " fqdn
        if [[ $fqdn =~ ^[a-zA-Z0-9][a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then
            echo "$fqdn"
            return 0
        else
            echo "Invalid FQDN format. Please try again."
        fi
    done
}

# Get timezone
get_timezone() {
    local timezone
    while true; do
        read -p "Please enter your timezone (e.g., Europe/Berlin) [default: UTC]: " timezone
        timezone=${timezone:-UTC}
        if [ -f "/usr/share/zoneinfo/$timezone" ]; then
            echo "$timezone"
            return 0
        else
            echo "Invalid timezone. Please try again."
        fi
    done
}

# Function to configure mailcow
configure_mailcow() {
    local fqdn=$1
    local timezone=$2
    
    # Create temporary config file
    cat > /tmp/mailcow_config << EOL
MAILCOW_HOSTNAME=${fqdn}
TIMEZONE=${timezone}
EOL
    
    # Ask for additional configuration
    read -p "Do you want to customize additional mailcow configuration? (y/N): " customize
    if [[ $customize =~ ^[Yy]$ ]]; then
        nano /tmp/mailcow_config
    fi
    
    return 0
}

# Switch to dockeruser and install Mailcow
log_message "Installing Mailcow as dockeruser..."

# Get configuration parameters
FQDN=$(get_fqdn)
TIMEZONE=$(get_timezone)

# Store configuration for dockeruser
echo "FQDN=$FQDN" > /tmp/mailcow_vars
echo "TIMEZONE=$TIMEZONE" >> /tmp/mailcow_vars

configure_mailcow "$FQDN" "$TIMEZONE"

su - dockeruser << 'EOF'
# Source the configuration variables
source /tmp/mailcow_vars

# Clone and set up mailcow
cd /opt
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized

# Use the prepared configuration
cat /tmp/mailcow_config > mailcow.conf

# Generate config with the provided FQDN
printf "%s\n" "$FQDN" | ./generate_config.sh

# Offer to edit the full configuration
read -p "Would you like to review and edit the full mailcow configuration? (y/N): " edit_conf
if [[ $edit_conf =~ ^[Yy]$ ]]; then
    nano mailcow.conf
fi

# Start Mailcow
docker compose pull
docker compose up -d
EOF

# Clean up temporary files
rm -f /tmp/mailcow_vars /tmp/mailcow_config

# Final security checks
log_message "Performing final security checks..."
su - dockeruser -c "cd /opt/mailcow-dockerized && docker compose ps"
ufw status
systemctl status fail2ban

log_message "Installation complete! Please check the logs above for any errors."
log_message "Remember to:"
log_message "1. Change the default passwords"
log_message "2. Configure your DNS records"
log_message "3. Set up SSL certificates"
log_message "4. Regular backup your configuration"

# Print access information
echo "================================================================"
echo "Mailcow web interface: https://$(hostname)"
echo "Docker user: dockeruser"
echo "Mailcow location: /opt/mailcow-dockerized"
echo "Firewall status:"
ufw status numbered
echo "================================================================"