#!/bin/bash
# ansipa-smb-setup.sh — configure the Samba scan-results share on the IPA container.
#
# Runs on every container start via ansipa-smb.service so that smb.conf and
# the Samba user are always in place after container restarts (ephemeral rootfs).
#
# Password source (first match wins):
#   1. SMB_SCAN_PASSWORD environment variable  (first boot / explicit override)
#   2. /data/samba/ansipa-smb.env              (persisted from first boot)

set -euo pipefail

LOG_TAG="ansipa-smb-setup"
SCAN_BASE="/data/scan-results"
SMB_CONF="/etc/samba/smb.conf"
SMB_USER="scanupload"
ENV_FILE="/data/samba/ansipa-smb.env"

log()  { echo "[$LOG_TAG] $*"; }
die()  { echo "[$LOG_TAG][ERROR] $*" >&2; exit 1; }

# ── Resolve password ──────────────────────────────────────────────────────────
SMB_PASS="${SMB_SCAN_PASSWORD:-}"

if [[ -z "$SMB_PASS" ]] && [[ -f "$ENV_FILE" ]]; then
    # shellcheck source=/dev/null
    source "$ENV_FILE"
    SMB_PASS="${SMB_SCAN_PASSWORD:-}"
fi

[[ -z "$SMB_PASS" ]] && die "SMB_SCAN_PASSWORD not set and $ENV_FILE not present. Set it in .env."

# ── Persist for subsequent restarts ──────────────────────────────────────────
# %q shell-quotes the value so passwords with spaces or special chars are safe.
mkdir -p "$(dirname "$ENV_FILE")"
printf 'SMB_SCAN_PASSWORD=%q\n' "$SMB_PASS" > "$ENV_FILE"
chmod 600 "$ENV_FILE"

# ── Directory structure (idempotent) ──────────────────────────────────────────
mkdir -p "$SCAN_BASE/archive" "$SCAN_BASE/alerts"

# ── System user ───────────────────────────────────────────────────────────────
if ! id "$SMB_USER" &>/dev/null; then
    useradd -r -s /sbin/nologin -d "$SCAN_BASE" -M "$SMB_USER"
    log "Created system user: $SMB_USER"
fi
chown -R "$SMB_USER:$SMB_USER" "$SCAN_BASE"

# ── smb.conf ──────────────────────────────────────────────────────────────────
log "Writing $SMB_CONF"
cat > "$SMB_CONF" <<CONF
[global]
    workgroup = WORKGROUP
    server string = Ansipa Security Server
    security = user
    map to guest = never
    # Store passdb on the persistent volume so passwords survive container restarts.
    passdb backend = tdbsam:/data/samba/passdb.tdb
    log file = /var/log/samba/log.%m
    max log size = 50
    # Disable printing subsystem entirely.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[ansipa-scans]
    comment = Ansipa scan results — managed by ansipa-enforce-policies
    path = $SCAN_BASE
    valid users = $SMB_USER
    read only = no
    browseable = no
    create mask = 0644
    directory mask = 0755
    force user = $SMB_USER
CONF

# ── Samba password (idempotent — smbpasswd -a adds or updates) ────────────────
log "Setting Samba password for $SMB_USER"
printf '%s\n%s\n' "$SMB_PASS" "$SMB_PASS" | smbpasswd -a -s "$SMB_USER" 2>/dev/null || \
printf '%s\n%s\n' "$SMB_PASS" "$SMB_PASS" | smbpasswd    -s "$SMB_USER" 2>/dev/null || \
log "WARN: smbpasswd returned non-zero (user may already exist with correct password)"

# ── Server-side scan checker cron (hourly, analysed on the IPA server itself) ─
# Always (re-)write: /etc/cron.d is on the ephemeral container layer and is
# lost on container recreation, so we must restore it on every start.
cat > /etc/cron.d/ansipa-check-scans <<'CRON'
# ansipa: analyze client scan logs and write alerts — managed, do not edit.
0 * * * * root /usr/local/sbin/ansipa-check-scans.sh 2>&1 | logger -t ansipa-check-scans
CRON
chmod 644 /etc/cron.d/ansipa-check-scans
log "Installed hourly scan-checker cron"

log "Samba setup complete. Share: //localhost/ansipa-scans  user: $SMB_USER"