#!/bin/sh

if [ "$1" = "-h" -o "$1" = "--help" -o $# -ne 1 ]; then
	echo "Usage $0 <dirname>"
	echo "<dirname> is the full path to the site, such as /var/www/example.nl"
	echo "which is created if it does not exist yet. If it exists, it's"
	echo "permissions are reset".
	exit 0
fi

HTTPD_USER=www-data
# The primary group of the created user
HTTPD_USERS_GID=1002
# The template to copy
TEMPLATE_DIR=/data/www/template
# The bases to create users under
USERBASE="ou=Httpd Users,ou=Users,dc=drsnuggles,dc=stderr,dc=nl"
GROUPBASE="ou=Domain Groups,ou=Groups,dc=drsnuggles,dc=stderr,dc=nl"
# PHP config to change the error_log setting in
PHP_CONFIG=conf/php.ini.override
# PHP error logfile to set error_log to
PHP_ERRORLOG=logs/php.log

# Get dir
DIR="$1"

if [ -e "$DIR" ]; then
	if [ ! -d "$DIR" ]; then
		echo "$DIR" must be a directory, or not exist yet.
		exit 1;
	fi
	echo "Skipping creation of $DIR, it already exists";
else
	# Create $DIR from $TEMPLATE_DIR, if it does not exist yet
	echo "Creating $DIR from $TEMPLATE_DIR"
	cp -R "$TEMPLATE_DIR" "$DIR"
fi

# Make $DIR absolute
cd "$DIR"
DIR=`pwd`

# Strip prefix
SITE=`basename $DIR`

# replace . with -
GROUP=`echo $SITE | sed s/\\\\./-/g`
SCRIPT_USER="httpd-$GROUP"

if getent passwd | grep $SCRIPT_USER &> /dev/null && getent group | grep $GROUP &> /dev/null; then
	echo "$SCRIPT_USER and/or $GROUP already exists, skipping account creation"
else
	# find a uid
	ID=2000
	while getent passwd | cut -f 3 -d: | grep "^$ID\$" &>/dev/null && getent group | cut -f 3 -d: | grep "^$ID\$" &> /dev/null; do
		((ID++))
	done;

	echo Found uid/gid $ID for $SCRIPT_USER/$GROUP

	# Create a user for scripts to run as, and a group to give write permissions to
	# files.
	ldapvi --profile bind --add --in --ldapvi <<EOF || exit
add cn=$GROUP,$GROUPBASE
cn: $GROUP
gidNumber: $ID
objectClass: posixGroup
objectClass: top

add cn=$SITE,$USERBASE
cn: $SITE
uidNumber: $ID
gidNumber: $HTTPD_USERS_GID
homeDirectory: $DIR
objectClass: posixAccount
objectClass: account
objectClass: top
uid: $SCRIPT_USER
EOF
fi

if getent passwd | grep $SCRIPT_USER &> /dev/null && getent group | grep $GROUP &> /dev/null; then
	echo "$SCRIPT_USER and $GROUP created succesfully"
else
	echo "User or group creation failed"
	exit 1
fi

echo "Setting up permissions"
# Set up permissions
sudo chown -R 0:$GROUP "$DIR"

# By default, let the owner have write access, the group have read access
sudo setfacl -R --set d:u::rwX,d:g::rX,d:o::-,u::rwX,g::rX,o::- "$DIR"

# Give the group write access to htdocs, applications, conf and data
sudo setfacl -R -m g::rwX,d:g::rwX "$DIR/htdocs" "$DIR/applications" "$DIR/conf" "$DIR/data"

# Give lighttpd read access to the dir itself
sudo setfacl -m u:$HTTPD_USER:rx "$DIR"

# Allow lighttpd to read anything in htdocs, applications, conf and data
sudo setfacl -R -m d:u:$HTTPD_USER:rX,u:$HTTPD_USER:rX "$DIR/htdocs" "$DIR/applications" "$DIR/conf" "$DIR/data"

# Allow lighttpd to write new files in logs (but not touch existing or those created by lighttpd)
sudo setfacl -m u:$HTTPD_USER:rwX "$DIR/logs"

# Give scripts read access to the dir itself
sudo setfacl -m u:$SCRIPT_USER:rx "$DIR"

# Allow scripts to read anything in applications, htdocs and conf
sudo setfacl -R -m d:u:$SCRIPT_USER:rX,u:$SCRIPT_USER:rX "$DIR/applications" "$DIR/htdocs" "$DIR/conf"

# Allow scripts to create new files in logs and data (but not touch existing or those created by lighttpd)
sudo setfacl -m u:$SCRIPT_USER:rwX "$DIR/logs" "$DIR/data"

# Temp, chown existing log files
sudo sh -c "chown -R $SCRIPT_USER \"$DIR\"/logs/php.log* \"$DIR\"/logs/wipi.log*"
sudo sh -c "chown -R $HTTPD_USER \"$DIR\"/logs/access.log*"

# Now, set the error_log setting in php.ini

echo Updating `basename $PHP_CONFIG`

sudo sed -i "s#^error_log *=.*#error_log = $DIR/$PHP_ERRORLOG#" "$DIR/$PHP_CONFIG"


# Done!
echo "Done!"
echo "Now add human users to $GROUP."
echo "Also add this site to /usr/local/sbin/spawn-fcgi.sh and enable"
echo "fcgi in lighttpd if dynamic content is required."