#!/bin/bash

# Resume Email Server Setup - Certificate and Final Steps
# Run this after DNS records are configured

set -euo pipefail

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Get configuration from existing files or prompt
get_config() {
    # Try to get hostname from existing Postfix config
    if [[ -f "/etc/postfix/main.cf" ]]; then
        HOSTNAME=$(grep "^myhostname" /etc/postfix/main.cf | cut -d= -f2 | tr -d ' ' || echo "")
        DOMAIN=$(grep "^mydomain" /etc/postfix/main.cf | cut -d= -f2 | tr -d ' ' || echo "")
    fi
    
    # If not found, prompt user
    if [[ -z "${HOSTNAME:-}" ]]; then
        read -p "Enter your hostname (e.g., mail.terrible.dev): " HOSTNAME
    fi
    
    if [[ -z "${DOMAIN:-}" ]]; then
        read -p "Enter your domain (e.g., terrible.dev): " DOMAIN
    fi
    
    if [[ -z "${ADMIN_EMAIL:-}" ]]; then
        read -p "Enter admin email: " ADMIN_EMAIL
    fi
    
    echo "Using:"
    echo "  Hostname: $HOSTNAME"
    echo "  Domain: $DOMAIN"
    echo "  Admin Email: $ADMIN_EMAIL"
    echo
}

info() {
    echo -e "${BLUE}INFO: $1${NC}"
}

success() {
    echo -e "${GREEN}SUCCESS: $1${NC}"
}

warning() {
    echo -e "${YELLOW}WARNING: $1${NC}"
}

error() {
    echo -e "${RED}ERROR: $1${NC}" >&2
    exit 1
}

# Test DNS resolution
test_dns() {
    info "Testing DNS resolution for $HOSTNAME..."
    
    if dig +short A "$HOSTNAME" | grep -q .; then
        IP=$(dig +short A "$HOSTNAME" | head -1)
        success "DNS resolution successful: $HOSTNAME -> $IP"
        return 0
    else
        error "DNS resolution failed for $HOSTNAME. Please check your DNS records."
        return 1
    fi
}

# Get SSL certificates
get_ssl_certificates() {
    info "Obtaining Let's Encrypt certificates..."
    
    # Stop services that might be using port 80
    systemctl stop apache2 2>/dev/null || true
    systemctl stop nginx 2>/dev/null || true
    
    # Get certificate
    if certbot certonly --standalone -d "$HOSTNAME" --email "$ADMIN_EMAIL" --agree-tos --non-interactive; then
        success "SSL certificates obtained successfully"
    else
        error "Failed to obtain SSL certificate. Check DNS and firewall."
    fi
    
    # Set up auto-renewal
    (crontab -l 2>/dev/null; echo "0 12 * * * /usr/bin/certbot renew --quiet") | crontab -
    
    success "SSL auto-renewal configured"
}

# Update configurations with SSL certificates
update_ssl_configs() {
    info "Updating configurations with SSL certificates..."
    
    # Update Dovecot SSL config
    if [[ -f "/etc/dovecot/conf.d/10-ssl.conf" ]]; then
        cat > /etc/dovecot/conf.d/10-ssl.conf << EOF
ssl = required
ssl_cert = </etc/letsencrypt/live/$HOSTNAME/fullchain.pem
ssl_key = </etc/letsencrypt/live/$HOSTNAME/privkey.pem
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = yes
ssl_dh = </etc/dovecot/dh.pem
EOF
    fi
    
    # Update Apache SSL config
    if [[ -f "/etc/apache2/sites-available/postfixadmin.conf" ]]; then
        # Update certificate paths in Apache config
        sed -i "s|/etc/letsencrypt/live/.*/fullchain.pem|/etc/letsencrypt/live/$HOSTNAME/fullchain.pem|g" /etc/apache2/sites-available/postfixadmin.conf
        sed -i "s|/etc/letsencrypt/live/.*/privkey.pem|/etc/letsencrypt/live/$HOSTNAME/privkey.pem|g" /etc/apache2/sites-available/postfixadmin.conf
    fi
    
    success "SSL configurations updated"
}

# Start all services
start_services() {
    info "Starting and enabling all services..."
    
    # Reload systemd
    systemctl daemon-reload
    
    # Start services in order
    services=("postgresql" "postfix" "dovecot" "opendkim" "clamav-daemon" "clamav-freshclam" "amavis" "spamassassin" "apache2")
    
    for service in "${services[@]}"; do
        if systemctl enable --now "$service"; then
            info "✓ $service started and enabled"
        else
            warning "✗ Failed to start $service"
        fi
        sleep 2
    done
    
    success "All services started"
}

# Test services
test_services() {
    info "Testing service status..."
    
    services=("postgresql" "postfix" "dovecot" "opendkim" "clamav-daemon" "amavis" "spamassassin" "apache2")
    
    for service in "${services[@]}"; do
        if systemctl is-active --quiet "$service"; then
            success "✓ $service is running"
        else
            warning "✗ $service is not running"
        fi
    done
}

# Display final information
display_final_info() {
    success "Email server setup resumed and completed!"
    echo
    echo -e "${BLUE}=== Setup Summary ===${NC}"
    echo "Hostname: $HOSTNAME"
    echo "Domain: $DOMAIN"
    echo "Admin Email: $ADMIN_EMAIL"
    echo "PostfixAdmin URL: https://$HOSTNAME/postfixadmin/"
    echo
    echo -e "${YELLOW}=== DNS Records Still Needed ===${NC}"
    echo "MX    $DOMAIN       $HOSTNAME"
    echo "TXT   $DOMAIN       \"v=spf1 mx ~all\""
    echo "TXT   _dmarc.$DOMAIN \"v=DMARC1; p=none; rua=mailto:dmarc@$DOMAIN\""
    echo
    echo -e "${YELLOW}=== DKIM DNS Record ===${NC}"
    if [[ -f "/etc/opendkim/keys/$DOMAIN/mail.txt" ]]; then
        cat "/etc/opendkim/keys/$DOMAIN/mail.txt"
    else
        echo "DKIM record not found - may need to regenerate"
    fi
    echo
    echo -e "${YELLOW}=== Next Steps ===${NC}"
    echo "1. Add the remaining DNS records shown above"
    echo "2. Visit https://$HOSTNAME/postfixadmin/setup.php to complete PostfixAdmin setup"
    echo "3. Create your first domain and mailbox"
    echo "4. Test email sending and receiving"
    echo
    echo -e "${GREEN}Setup completed successfully!${NC}"
}

# Main function
main() {
    echo -e "${BLUE}Email Server Setup Resume Script${NC}"
    echo "================================"
    echo
    
    # Check if running as root
    if [[ $EUID -ne 0 ]]; then
        error "This script must be run as root"
    fi
    
    get_config
    test_dns
    get_ssl_certificates
    update_ssl_configs
    start_services
    test_services
    display_final_info
}

main "$@"