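#!/bin/bash
#
# Install-time setup for the vctp service: creates the service group and
# account, the config directory (/etc/dtms) and the data directories
# (/var/lib/vctp, /var/lib/vctp/reports), and fixes their ownership and mode.
# Every step is written to be safe to re-run.

# NOTE(review): USER is normally an exported environment variable, so this
# assignment is also what child processes started below will see.
USER="vctp"
GROUP="dtms"
CONFIG_FILE="/etc/dtms/vctp.yml"
DEFAULT_PORT=9443

# Path to the custom sudoers file
SUDOERS_FILE="/etc/sudoers.d/${USER}"

# create a group & user if not exists
getent group "$GROUP" >/dev/null || groupadd -r "$GROUP"; /bin/true
# NOTE(review): the account is created with a home directory (-m) and an
# interactive shell (/bin/bash). Confirm the service needs a login shell; a
# nologin shell is the usual choice for an account that only runs a daemon.
getent passwd "$USER" >/dev/null || useradd -r -g "$GROUP" -m -s /bin/bash -c "vctp service" "$USER"

# create vctp config directory if it doesn't exist
[ -d /etc/dtms ] || mkdir -p /etc/dtms

# set group ownership on vctp config directory if not already done
# (only the top-level directory is inspected; the change itself is recursive)
[ "$(stat -c "%G" /etc/dtms)" = "$GROUP" ] || chgrp -R "$GROUP" /etc/dtms

# set permissions on vctp config directory if not already done
# NOTE(review): -R applies 774 to regular files as well, which marks every
# config file executable, while the directory itself ends up without search
# permission for "other". Consider separate modes for directories and files.
[ "$(stat -c "%a" /etc/dtms)" = "774" ] || chmod -R 774 /etc/dtms

# create vctp data directory if it doesn't exist
[ -d /var/lib/vctp ] || mkdir -p /var/lib/vctp
[ -d /var/lib/vctp/reports ] || mkdir -p /var/lib/vctp/reports

# set user and group ownership on the vctp data directories if not already done
# Both directories are checked: when /var/lib/vctp already has the right owner
# but reports/ was only just created above, reports/ would otherwise keep the
# ownership of whoever ran this script.
# NOTE(review): these recursive changes walk a tree the service account owns
# and can write to; confirm the recursion is needed rather than fixing only the
# directories this script creates.
for data_dir in /var/lib/vctp /var/lib/vctp/reports; do
  [ "$(stat -c "%U" "$data_dir")" = "$USER" ] || chown -R "$USER" "$data_dir"
  [ "$(stat -c "%G" "$data_dir")" = "$GROUP" ] || chgrp -R "$GROUP" "$data_dir"
done

# Resolve effective application port from existing config (if present).
# Falls back to 9443 when the config file is missing/empty or bind_port is invalid.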
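APP_PORT="$DEFAULT_PORT"
if [ -s "$CONFIG_FILE" ]; then
  # Take the first non-comment "bind_port:" line whose value is all digits once
  # a trailing "# ..." comment, quotes and whitespace have been stripped.
  # The key is matched at any indentation, so a nested key of the same name
  # would match too.
  CONFIGURED_PORT="$(awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*bind_port[[:space:]]*:/ {
      line=$0
      sub(/^[[:space:]]*bind_port[[:space:]]*:[[:space:]]*/, "", line)
      sub(/[[:space:]]*#.*/, "", line)
      gsub(/["'\''[:space:]]/, "", line)
      if (line ~ /^[0-9]+$/) {
        print line
        exit
      }
    }
  ' "$CONFIG_FILE")"
  # Only a value inside the TCP port range replaces the default, so nothing
  # but a number between 1 and 65535 reaches the firewall-cmd argument below.
  if [ -n "$CONFIGURED_PORT" ] && [ "$CONFIGURED_PORT" -ge 1 ] && [ "$CONFIGURED_PORT" -le 65535 ]; then
    APP_PORT="$CONFIGURED_PORT"
  fi
fi

# Check if firewalld is installed and active
if command -v systemctl >/dev/null 2>&1 &&
  systemctl is-enabled firewalld >/dev/null 2>&1 &&
  systemctl is-active firewalld >/dev/null 2>&1; then
  echo "Firewalld is enabled and running. Opening vCTP port ${APP_PORT}/tcp..."
  # Open effective application port. No --zone is given, so firewalld applies
  # the rule to its default zone.
  # firewall-cmd output stays suppressed, but a failure is reported on stderr
  # instead of being dropped, so the operator knows the port was not opened.
  if firewall-cmd --permanent --add-port="${APP_PORT}/tcp" >/dev/null 2>&1; then
    # Reload firewalld to apply changes
    if ! firewall-cmd --reload >/dev/null 2>&1; then
      echo "Warning: firewall-cmd --reload failed; port ${APP_PORT}/tcp is saved in the permanent configuration but not yet active." >&2
    fi
  else
    echo "Warning: could not add port ${APP_PORT}/tcp to the permanent firewalld configuration." >&2
  fi
else
  echo "Firewalld is not running or not enabled. Skipping firewall configuration."
fi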