#!/bin/bash
set -euo pipefail

if [[ "${EUID}" -ne 0 ]]; then
  echo "Please run with sudo."
  exit 1
fi

export DEBIAN_FRONTEND=noninteractive

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
MAIL_DOMAIN="${BOSS_MAIL_DOMAIN:-boss.hyzq.net}"
MAILBOX_USER="${BOSS_MAILBOX_USER:-bossmail}"
MAILBOX_HOME="/home/${MAILBOX_USER}"
STATE_DIR="/etc/boss-mail"
TLS_DIR="${STATE_DIR}/tls"
TLS_CERT_TARGET="${TLS_DIR}/fullchain.pem"
TLS_KEY_TARGET="${TLS_DIR}/privkey.pem"
MAILBOX_ENV_FILE="${STATE_DIR}/mailbox.env"

echo "postfix postfix/mailname string ${MAIL_DOMAIN}" | debconf-set-selections
echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections

apt-get update
apt-get install -y postfix dovecot-core dovecot-imapd mailutils swaks

install -d -m 700 "${STATE_DIR}"
install -d -m 700 "${TLS_DIR}"

if ! id "${MAILBOX_USER}" >/dev/null 2>&1; then
  useradd -m -s /usr/sbin/nologin "${MAILBOX_USER}"
fi

MAILBOX_PASSWORD="${BOSS_MAILBOX_PASSWORD:-}"
if [[ -z "${MAILBOX_PASSWORD}" && -f "${MAILBOX_ENV_FILE}" ]]; then
  # shellcheck disable=SC1090
  source "${MAILBOX_ENV_FILE}"
  MAILBOX_PASSWORD="${BOSS_MAILBOX_PASSWORD:-${MAILBOX_PASSWORD:-}}"
fi

if [[ -z "${MAILBOX_PASSWORD}" ]]; then
  MAILBOX_PASSWORD="$(openssl rand -base64 24 | tr -d '\n=' | cut -c1-20)"
fi

cat >"${MAILBOX_ENV_FILE}" <<EOF
BOSS_MAIL_DOMAIN=${MAIL_DOMAIN}
BOSS_MAILBOX_USER=${MAILBOX_USER}
BOSS_MAILBOX_PASSWORD=${MAILBOX_PASSWORD}
EOF
chmod 600 "${MAILBOX_ENV_FILE}"

echo "${MAILBOX_USER}:${MAILBOX_PASSWORD}" | chpasswd

install -m 755 "${SCRIPT_DIR}/sync-caddy-mail-cert.sh" /usr/local/bin/boss-mail-cert-sync.sh
cp "${SCRIPT_DIR}/systemd/boss-mail-cert-sync.service" /etc/systemd/system/boss-mail-cert-sync.service
cp "${SCRIPT_DIR}/systemd/boss-mail-cert-sync.timer" /etc/systemd/system/boss-mail-cert-sync.timer

cat > /etc/dovecot/conf.d/99-boss-mail.conf <<EOF
protocols = imap
mail_location = maildir:~/Maildir
disable_plaintext_auth = yes
auth_mechanisms = plain login
ssl = required
ssl_cert = <${TLS_CERT_TARGET}
ssl_key = <${TLS_KEY_TARGET}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
EOF

postconf -e "myhostname = ${MAIL_DOMAIN}"
postconf -e "myorigin = /etc/mailname"
postconf -e "mydestination = \$myhostname, localhost.\$mydomain, localhost, ${MAIL_DOMAIN}"
postconf -e "inet_interfaces = all"
postconf -e "inet_protocols = all"
postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_size_limit = 0"
postconf -e "recipient_delimiter = +"
postconf -e "alias_maps = hash:/etc/aliases"
postconf -e "alias_database = hash:/etc/aliases"
postconf -e "smtpd_tls_cert_file = ${TLS_CERT_TARGET}"
postconf -e "smtpd_tls_key_file = ${TLS_KEY_TARGET}"
postconf -e "smtpd_tls_security_level = may"
postconf -e "smtp_tls_security_level = may"
postconf -e "smtpd_sasl_auth_enable = yes"
postconf -e "smtpd_sasl_type = dovecot"
postconf -e "smtpd_sasl_path = private/auth"
postconf -e "broken_sasl_auth_clients = yes"
postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"

touch /etc/aliases
ALIASES_TMP="$(mktemp)"
grep -Ev '^(verify|no-reply|noreply|root|postmaster):|^# BOSS MAIL ALIASES (START|END)$' /etc/aliases > "${ALIASES_TMP}" || true
echo "postmaster: root" >> "${ALIASES_TMP}"
cat >> "${ALIASES_TMP}" <<EOF
root: ${MAILBOX_USER}
# BOSS MAIL ALIASES START
verify: ${MAILBOX_USER}
no-reply: ${MAILBOX_USER}
noreply: ${MAILBOX_USER}
# BOSS MAIL ALIASES END
EOF
install -m 644 "${ALIASES_TMP}" /etc/aliases
rm -f "${ALIASES_TMP}"
newaliases

if ! grep -q "^submission inet" /etc/postfix/master.cf; then
  cat >> /etc/postfix/master.cf <<'EOF'
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
fi

touch "${MAILBOX_HOME}/.hushlogin"
install -d -m 700 -o "${MAILBOX_USER}" -g "${MAILBOX_USER}" "${MAILBOX_HOME}/Maildir"
install -d -m 700 -o "${MAILBOX_USER}" -g "${MAILBOX_USER}" "${MAILBOX_HOME}/Maildir/cur"
install -d -m 700 -o "${MAILBOX_USER}" -g "${MAILBOX_USER}" "${MAILBOX_HOME}/Maildir/new"
install -d -m 700 -o "${MAILBOX_USER}" -g "${MAILBOX_USER}" "${MAILBOX_HOME}/Maildir/tmp"

/usr/local/bin/boss-mail-cert-sync.sh

systemctl daemon-reload
systemctl enable postfix dovecot boss-mail-cert-sync.timer
systemctl restart postfix dovecot
systemctl restart boss-mail-cert-sync.timer

printf 'Boss mail stack installed for %s\n' "${MAIL_DOMAIN}"
printf 'Mailbox user: %s\n' "${MAILBOX_USER}"
printf 'Mailbox password file: %s\n' "${MAILBOX_ENV_FILE}"