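#!/bin/bash
# Ansible helper CLI for this repository: exports the directory layout the
# roles rely on, persists the repository root in ./config, and dispatches to
# small wrappers (set-root, gxy, vult, play, import, decrypt, encrypt).
# Run it from the working directory that holds ./config and ./ansible_aliases;
# both are looked up relative to the current directory, not to the script.
set -euo pipefail

# Repository root = parent of the directory holding this script, resolved to an
# absolute path so the value stored in ./config stays valid after a cd (a plain
# "dirname" of a relative $0 such as "script.sh" would collapse to ".").
SKATO_ANSIBLE_ROOT=$(cd -- "$(dirname -- "$0")/.." && pwd)
export SKATO_ANSIBLE_ROOT
# Single key=value line (INI-style); read back by set-root.
printf 'root=%s\n' "$SKATO_ANSIBLE_ROOT" > "./config"

export SKATO_BOOTSTRAP_ROLE="${SKATO_ANSIBLE_ROOT}/roles/bootstrap"
export SKANSIBLE_SECRETS="${SKATO_ANSIBLE_ROOT}/.secrets"

# Optional per-checkout aliases. Whatever that file contains is executed with
# this script's privileges, so keep it under the same ownership as ./config.
if [[ -f "./ansible_aliases" ]]; then
  # shellcheck source=/dev/null
  source ./ansible_aliases
fi

# Relative directory paths for role templates/files
export SKANSIBLE_ARIA="aria2"

export SKANSIBLE_PROFTPD="proftpd"
export SKANSIBLE_PROFTPD_CONFS="${SKANSIBLE_PROFTPD}/conf.d"
# @NOTE below 4 filepaths have filenames that must correspond to
# the filenames in role ProFTPd templates'/files' Display settings
export SKANSIBLE_PROFTPD_CONFS_WELCOME="${SKANSIBLE_PROFTPD}/conf.d/WELCOME.txt"
export SKANSIBLE_PROFTPD_CONFS_BANNER="${SKANSIBLE_PROFTPD}/conf.d/BANNER.txt"
export SKANSIBLE_PROFTPD_CONFS_SUCCESS="${SKANSIBLE_PROFTPD}/conf.d/SUCCESS.txt"
export SKANSIBLE_PROFTPD_CONFS_EXIT="${SKANSIBLE_PROFTPD}/conf.d/BYE.txt"

export SKANSIBLE_SSHD_CONFS="sshd_config.d"

export SKANSIBLE_SYSTEMD="systemd"
export SKANSIBLE_SYSTEMD_USER_UNITS="${SKANSIBLE_SYSTEMD}/user"

export SKANSIBLE_FAIL2BAN="fail2ban"
export SKANSIBLE_FAIL2BAN_JAILS="${SKANSIBLE_FAIL2BAN}/jail.d"
export SKANSIBLE_FAIL2BAN_FILTERS="${SKANSIBLE_FAIL2BAN}/filter.d"

export SKANSIBLE_GITCONFIG_CONFS="gitconfig.d"

# @NOTE files in here must have extension "key" with IDs in
# "gpg_keys" inventory variable list as basenames.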
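export SKANSIBLE_GPG="gnupg"

# @NOTE files in path below must have extensions "key" (private),
# "crt" (signed), or "pem" (public) with inventory host FQDN as basename
export SKANSIBLE_SSL="ca-certificates"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the command summary to stderr and exit with status 1.
#######################################
usage() {
  printf 'Usage: %s {set-root [PATH]|gxy ...|vult ...|play ...|import {ssl|gpg} NAME...|decrypt OPTS|encrypt OPTS}\n' \
    "${0##*/}" >&2
  exit 1
}

#######################################
# Reject a name that cannot be used as a plain file basename inside a
# fixed directory (empty, ".", "..", or containing "/").
# Arguments: $1 - command label for the message, $2 - the name to check
#######################################
check_basename() {
  local what=$1 name=$2
  if [[ -z $name || $name == */* || $name == . || $name == .. ]]; then
    die "${what}: invalid name '${name}'"
  fi
}

#######################################
# Read or update the repository root persisted in ./config.
# Arguments: none - reload SKATO_ANSIBLE_ROOT from the "root=" line
#            $1   - new root path; becomes the first line of ./config,
#                   any other lines are kept
# Globals:   SKATO_ANSIBLE_ROOT (written, exported)
#######################################
set-root() {
  local line tmp found=0
  if (( $# == 0 )); then
    [[ -f ./config ]] || die 'set-root: ./config not found'
    # Match the key exactly at line start; only the leading "root=" is
    # stripped so a value containing '=' survives intact.
    while IFS= read -r line || [[ -n $line ]]; do
      if [[ $line == root=* ]]; then
        SKATO_ANSIBLE_ROOT=${line#root=}
        found=1
        break
      fi
    done < ./config
    (( found )) || die 'set-root: no "root=" entry in ./config'
    export SKATO_ANSIBLE_ROOT
  elif [[ -n $1 ]]; then
    SKATO_ANSIBLE_ROOT=$1
    export SKATO_ANSIBLE_ROOT
    # Rewrite ./config with plain I/O instead of sed so a path containing
    # sed metacharacters ('|', '&', '\') cannot corrupt the file.
    tmp=$(mktemp) || die 'set-root: mktemp failed'
    printf 'root=%s\n' "$SKATO_ANSIBLE_ROOT" > "$tmp"
    if [[ -f ./config ]]; then
      while IFS= read -r line || [[ -n $line ]]; do
        [[ $line == root=* ]] || printf '%s\n' "$line" >> "$tmp"
      done < ./config
    fi
    mv -- "$tmp" ./config
  else
    die 'set-root: root path must not be empty'
  fi
}

# Thin pass-through wrappers; all arguments go to the ansible tool as given.
gxy() {
  ansible-galaxy "$@"
}

vult() {
  ansible-vault "$@"
}

play() {
  ansible-playbook "$@"
}

#######################################
# Export GPG secret keys into the bootstrap role's files directory.
# Arguments: one or more key IDs; each becomes <id>.key
# Globals:   SKATO_BOOTSTRAP_ROLE, SKANSIBLE_GPG (read)
#######################################
import-gpg() {
  local id dest
  local -r dest_dir="${SKATO_BOOTSTRAP_ROLE}/files/${SKANSIBLE_GPG}"
  (( $# > 0 )) || die 'import gpg: at least one key ID is required'
  for id in "$@"; do
    check_basename 'import gpg' "$id"
    dest="${dest_dir}/${id}.key"
    # Secret key material: create the file owner-only, and tighten an
    # already existing file too (umask does not change existing modes).
    ( umask 077 && gpg --export-secret-keys "$id" > "$dest" )
    chmod 600 -- "$dest"
  done
}

#######################################
# Copy a host's key/pem/crt from the local CA directory into the
# bootstrap role's files directory.
# Arguments: one or more host FQDNs (basenames of the certificate files)
# Globals:   SKATO_BOOTSTRAP_ROLE, SKANSIBLE_SSL (read)
#######################################
import-ssl() {
  local domain ext src dest
  local -r src_dir="/usr/local/share/ca-certificates"
  local -r dest_dir="${SKATO_BOOTSTRAP_ROLE}/files/${SKANSIBLE_SSL}"
  (( $# > 0 )) || die 'import ssl: at least one host FQDN is required'
  for domain in "$@"; do
    check_basename 'import ssl' "$domain"
    for ext in key pem crt; do
      src="${src_dir}/${domain}.${ext}"
      dest="${dest_dir}/${domain}.${ext}"
      [[ -f $src ]] || die "import ssl: ${src} not found"
      cp -- "$src" "$dest"
    done
    # The private key copy must not be readable by other users.
    chmod 600 -- "${dest_dir}/${domain}.key"
  done
}

#######################################
# Dispatch "import ssl ..." / "import gpg ...".
# Arguments: $1 - kind (ssl|gpg), rest forwarded to the importer
#######################################
import() {
  local kind=${1:-}
  case "$kind" in
    ssl) shift; import-ssl "$@" ;;
    gpg) shift; import-gpg "$@" ;;
    *)   die "import: expected 'ssl' or 'gpg', got '${kind}'" ;;
  esac
}

# Placeholder, not implemented yet (and not reachable from the dispatcher).
mksecret() {
  true
}

#######################################
# Decrypt a vault file into .secrets/[SUBDIR/]<label>.txt.
# Options:   -v VAULT_ID   vault label, or label@source
#            -i FILE       file to decrypt
#            -m prompt|file  how to obtain the vault password when
#                          VAULT_ID carries no "@source"
#            -d SUBDIR     output subdirectory below SKANSIBLE_SECRETS
# Globals:   SKANSIBLE_SECRETS (read)
#######################################
decrypt() {
  local OPTIND=1 opt method='' vault_id='' input_file='' output_path=''
  local id_tag output_file
  # "m:" — the option takes a value; without the colon getopts never
  # filled OPTARG and the method could not be selected.
  while getopts 'm:v:i:d:' opt; do
    case "$opt" in
      m) method=$OPTARG ;;
      v) vault_id=$OPTARG ;;
      i) input_file=$OPTARG ;;
      d) output_path=$OPTARG ;;
      *) die 'usage: decrypt -v VAULT_ID -i FILE [-m prompt|file] [-d SUBDIR]' ;;
    esac
  done
  [[ -n $vault_id ]] || die 'decrypt: -v VAULT_ID is required'
  [[ -n $input_file ]] || die 'decrypt: -i FILE is required'
  # Label part of "label@source"; also the basename of the output file.
  id_tag=${vault_id%%@*}
  if [[ $vault_id != *@* ]]; then
    case "$method" in
      prompt) vault_id="${vault_id}@prompt" ;;
      # NOTE(review): kept from the original — with -m file the -i path is
      # used both as the vault password source and as the file to decrypt
      # below; confirm which file the caller actually means.
      file)   vault_id="${vault_id}@${input_file}" ;;
      *)      die "decrypt: -m must be 'prompt' or 'file' when VAULT_ID has no '@source'" ;;
    esac
  fi
  if [[ -z $output_path ]]; then
    output_file="${SKANSIBLE_SECRETS}/${id_tag}.txt"
  else
    mkdir -p -- "${SKANSIBLE_SECRETS}/${output_path}"
    output_file="${SKANSIBLE_SECRETS}/${output_path}/${id_tag}.txt"
  fi
  # The decrypted material lands in plaintext under .secrets: owner-only.
  ( umask 077 && ansible-vault decrypt --vault-id "$vault_id" --output "$output_file" "$input_file" )
  chmod 600 -- "$output_file"
}

#######################################
# Encrypt a password as an ansible-vault string for pasting into YAML.
# Options:   -v VAULT_ID   vault label, or label@source
#            -m prompt|file  how to obtain the vault password when
#                          VAULT_ID carries no "@source"; "file" stores
#                          the entered password as the vault password
#                          file under .secrets
#            -d SUBDIR     subdirectory below SKANSIBLE_SECRETS for that file
#            -p            prompt for the password now (also prompted when
#                          still empty afterwards)
#            -n VAR_NAME   YAML variable name; defaults to the vault label
# Globals:   SKANSIBLE_SECRETS (read)
# Outputs:   the encrypted string on stdout; all prompts go to stderr
#######################################
encrypt() {
  local OPTIND=1 opt method='' vault_id='' pass_path='' password='' var_name=''
  local id_tag pass_file name
  while getopts 'm:v:d:pn:' opt; do
    case "$opt" in
      m) method=$OPTARG ;;
      v) vault_id=$OPTARG ;;
      d) pass_path=$OPTARG ;;
      # -s keeps the secret off the terminal while it is typed.
      p) read -rsp 'Provide intended password: ' password; printf '\n' >&2 ;;
      n) var_name=$OPTARG ;;
      *) die 'usage: encrypt -v VAULT_ID [-m prompt|file] [-d SUBDIR] [-p] [-n VAR_NAME]' ;;
    esac
  done
  while [[ -z $password ]]; do
    printf "Password missing. \nPlease specify a password. \n" >&2
    read -rsp 'Provide intended password: ' password
    printf '\n' >&2
  done
  [[ -n $vault_id ]] || die 'encrypt: -v VAULT_ID is required'
  id_tag=${vault_id%%@*}
  if [[ $vault_id != *@* ]]; then
    case "$method" in
      prompt) vault_id="${vault_id}@prompt" ;;
      file)
        if [[ -z $pass_path ]]; then
          pass_file="${SKANSIBLE_SECRETS}/${vault_id}.txt"
        else
          mkdir -p -- "${SKANSIBLE_SECRETS}/${pass_path}"
          pass_file="${SKANSIBLE_SECRETS}/${pass_path}/${vault_id}.txt"
        fi
        # As in the original, the entered password becomes this vault id's
        # password file and is then encrypted with itself. Owner-only.
        ( umask 077 && printf '%s\n' "$password" > "$pass_file" )
        chmod 600 -- "$pass_file"
        vault_id="${vault_id}@${pass_file}"
        ;;
      *) die "encrypt: -m must be 'prompt' or 'file' when VAULT_ID has no '@source'" ;;
    esac
  fi
  printf 'Make sure to copy following output to appropriate YAML location.\n' >&2
  # Variable name in the emitted YAML: -n if given, else the vault label.
  name=${var_name:-$id_tag}
  # The secret is fed on stdin rather than argv so it does not appear in
  # process listings or shell traces.
  printf '%s' "$password" \
    | ansible-vault encrypt_string --stdin-name "$name" --vault-id "$vault_id" --output -
}

# source ./extensions.d/edit.sh

#######################################
# Command dispatcher.
# Arguments: $1 - command name, rest forwarded to it
#######################################
main() {
  (( $# > 0 )) || usage
  local cmd=$1
  shift
  case "$cmd" in
    set-root) set-root "$@" ;;
    gxy)      gxy "$@" ;;
    vult)     vult "$@" ;;
    play)     play "$@" ;;
    import)   import "$@" ;;
    decrypt)  decrypt "$@" ;;
    encrypt)  encrypt "$@" ;;
    *)        usage ;;
  esac
}

main "$@"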