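#!/bin/sh
# Provision a fresh Debian host as a single-node Docker box fronted by Traefik
# (with the dashboard behind HTTP basic auth) and Portainer.
#
# Required environment:
#   _domain              host name Traefik serves the dashboard on
#   _lets_encrypt_email  contact e-mail handed to the ACME resolver
# Optional environment:
#   _docker_compose_sha256  expected sha256 of the docker-compose binary; when
#                           set, the download is verified before installation
#
# Must run as root (useradd, apt-get, ufw, /etc/apt writes). Interactive: the
# htpasswd step prompts on the terminal for the dashboard password.
#
# Still open:
# TODO verbosity switch
# TODO further hardening (sshd config, unattended-upgrades, fail2ban)
set -eu
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Never let apt/dpkg block on a prompt; this script is meant to run unattended
# apart from the htpasswd password entry below.
export DEBIAN_FRONTEND=noninteractive

# Fail early with a readable message instead of rendering an empty Host(``)
# rule into the Traefik labels further down.
: "${_domain:?_domain must be set to the dashboard host name}"
: "${_lets_encrypt_email:?_lets_encrypt_email must be set for ACME registration}"

_server_base_url="$_domain"
printf 'Provisioning: %s - %s@%s\n' "$_server_base_url" "$(whoami)" "$(hostname)"
_docker_container_config_dir="/var/docker"
_docker_compose_version="1.25.4"

# add user -------------------------------------------------------------------
useradd -m -s /bin/bash ray
groupadd docker
# NOTE: membership of the docker group is root-equivalent on this host (the
# daemon socket lets you mount / and escape into the host).
usermod -aG docker ray
# Copy root's authorized_keys so the same SSH key works for 'ray'; keep the
# permissions sshd's StrictModes expects (0700 dir, 0600 file, owned by user).
install -d -m 0700 /home/ray/.ssh
install -m 0600 /root/.ssh/authorized_keys /home/ray/.ssh/authorized_keys
chown -R ray: /home/ray/.ssh

# base packages --------------------------------------------------------------
apt-get update
apt-get upgrade --yes
apt-get install --yes \
  apt-transport-https \
  ca-certificates \
  curl \
  gnupg2 \
  software-properties-common \
  apache2-utils \
  ufw

# Host firewall. Allow ssh first so enabling ufw cannot lock us out.
# NOTE: Docker inserts its own iptables rules for published ports, so ufw does
# not filter traffic to the Traefik 80/443 ports anyway; it still protects the
# rest of the host.
ufw allow ssh
ufw allow http
ufw allow https
ufw --force enable

# Docker CE from the vendor repository, key pinned via signed-by rather than
# the deprecated global apt-key trust store. Download to a file first so a
# failed curl aborts the script instead of being masked by the pipeline.
install -d -m 0755 /etc/apt/keyrings
_docker_key_tmp=$(mktemp)
curl -fsSL https://download.docker.com/linux/debian/gpg -o "$_docker_key_tmp"
gpg --dearmor --batch --yes -o /etc/apt/keyrings/docker.gpg "$_docker_key_tmp"
rm -f -- "$_docker_key_tmp"
chmod a+r /etc/apt/keyrings/docker.gpg
# Codename from os-release (subshell so its variables do not leak into ours).
_codename=$(. /etc/os-release && printf '%s' "$VERSION_CODENAME")
printf 'deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian %s stable\n' \
  "$_codename" > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install --yes docker-ce docker-ce-cli containerd.io

# docker-compose (v1 standalone binary). -f makes curl fail on HTTP errors so a
# 404 page is never installed as an executable; the optional sha256 check
# guards the supply chain when the caller provides the expected digest.
_compose_tmp=$(mktemp)
curl -fsSL \
  "https://github.com/docker/compose/releases/download/$_docker_compose_version/docker-compose-$(uname -s)-$(uname -m)" \
  -o "$_compose_tmp"
if [ -n "${_docker_compose_sha256:-}" ]; then
  printf '%s  %s\n' "$_docker_compose_sha256" "$_compose_tmp" | sha256sum -c -
fi
install -m 0755 "$_compose_tmp" /usr/local/bin/docker-compose
rm -f -- "$_compose_tmp"

# Traefik dashboard credentials. htpasswd prompts on the tty; the bcrypt hash
# is doubled-up on '$' because docker-compose interpolates '$' in labels.
# Without pipefail (plain sh) a failed htpasswd would silently yield an empty
# users list, so check the result explicitly.
echo "Basic HTTP authorisation password for user: ray"
_HT_PASSWD=$(htpasswd -nB ray | sed -e 's/\$/\$\$/g')
if [ -z "$_HT_PASSWD" ]; then
  echo "htpasswd produced no credentials (no tty, or passwords did not match)" >&2
  exit 10
fi

docker network create web
mkdir -p "$_docker_container_config_dir"/traefik
mkdir -p "$_docker_container_config_dir"/portainer
# acme.json holds the private keys for issued certificates: must exist before
# Traefik starts and must be 0600 or Traefik refuses to use it.
touch "$_docker_container_config_dir"/traefik/acme.json
chmod 600 "$_docker_container_config_dir"/traefik/acme.json

# traefik --------------------------------------------------------------------
cd "$_docker_container_config_dir"/traefik || exit 20
cat > traefik.yml <<EOF
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: $_lets_encrypt_email
      storage: acme.json
      httpChallenge:
        entryPoint: http
EOF

# Written with '>' (not '>>') so a re-run does not append a second, duplicate
# document to the compose file. Backticks are escaped so they reach the YAML
# literally instead of being command-substituted by the heredoc.
# NOTE: the docker.sock mount is ':ro' only at the filesystem level; the API
# behind it is still fully writable, i.e. root on the host.
cat > docker-compose.yml <<EOF
version: '3'
services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - web
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(\`$_server_base_url\`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=$_HT_PASSWD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(\`$_server_base_url\`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  web:
    external: true
EOF
docker-compose up -d

# portainer ------------------------------------------------------------------
cd "$_docker_container_config_dir"/portainer || exit 30
_portainer_url="portainer.$_server_base_url"
# NOTE: 'portainer/portainer:latest' is unpinned; pin a tag (and ideally a
# digest) for reproducible rebuilds. Portainer manages the host via the
# docker.sock below, and its admin account is set by whoever reaches the URL
# first after start-up, hence the reminder printed at the end.
cat > docker-compose.yml <<EOF
version: '3'
services:
  portainer:
    image: portainer/portainer:latest
    container_name: portainer
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - web
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=http"
      - "traefik.http.routers.portainer.rule=Host(\`$_portainer_url\`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=https"
      - "traefik.http.routers.portainer-secure.rule=Host(\`$_portainer_url\`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=http"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      - "traefik.docker.network=web"
networks:
  web:
    external: true
EOF
docker-compose up -d

cat <<EOF
-------------------------------------------------------------------------

VISIT PORTAINER URL NOW TO SET INITIAL LOGIN:
   https://$_portainer_url

Traefik URl: https://$_server_base_url

WARNING: May get insecure SSL errors
         this is temporary while certs are in process of being issued
EOF

# Remove the bootstrap copy of this script from the world-readable /tmp.
rm -f -- /tmp/setup.sh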