#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }

DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production || die "no top level env?"
source env.production || die "no local env?"

if [ -r "./env.secrets" ]; then
	docker-compose up -d || die "nextcloud: unable to start"
	exit 0
fi

docker-compose down 2>/dev/null

NEXTCLOUD_CLIENT_SECRET="$(openssl rand -hex 32)"
NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 6)"

echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD"
cat <<EOF > env.secrets
# Do not check in!
NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_ADMIN_PASSWORD
NEXTCLOUD_TRUSTED_DOMAINS=$NEXTCLOUD_HOSTNAME
NEXTCLOUD_CLIENT_SECRET=$NEXTCLOUD_CLIENT_SECRET
EOF

BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
PROVIDER="$(jq -c . <<EOF
{
	"custom_oidc": [
		{
			"name":		"keycloak",
			"title":	"Keycloak",
			"clientId":	"nextcloud",
			"clientSecret":	"$NEXTCLOUD_CLIENT_SECRET",
			"authorizeUrl":	"$BASE/auth",
			"tokenUrl":	"$BASE/token",
			"userInfoUrl":	"$BASE/userinfo",
			"logoutUrl":	"$BASE/logout",
			"scope":	"openid",
			"groupsClaim":	"roles",
			"style":	"keycloak",
			"displayNameClaim": "",
			"defaultGroup":	""
		}
	]
}
EOF
)"


docker-compose up -d || die "unable to bring up docker"

# wait for the nextcloud instance to be responsive
# TODO: how to find out if it is ready?
echo "Sleeping a minute while nextcloud installs"
sleep 60


docker-compose exec -u www-data -T nextcloud bash -x <<EOF || die "unable to configure sociallogin"
./occ app:install calendar
./occ app:install sociallogin
./occ config:app:set sociallogin prevent_create_email_exists --value=1 || exit 1
./occ config:app:set sociallogin update_profile_on_login --value=1 || exit 1
./occ config:app:set sociallogin custom_providers --value='$PROVIDER' || exit 1
EOF

../keycloak/client-delete 'nextcloud' || echo "client did not exist?"

../keycloak/client-create << EOF || die "unable to create client id"
{
	"clientId": "nextcloud",
	"rootUrl": "https://$NEXTCLOUD_HOSTNAME/",
	"adminUrl": "https://$NEXTCLOUD_HOSTNAME/",
	"redirectUris": [ "https://$NEXTCLOUD_HOSTNAME/*" ],
	"webOrigins": [ "https://$NEXTCLOUD_HOSTNAME" ],
	"clientAuthenticatorType": "client-secret",
	"secret": "$NEXTCLOUD_CLIENT_SECRET"
}
EOF