#!/bin/bash
# this script runs INSIDE the container

#!/bin/bash
#set -e  # Exit on any error

echo "--> Starting ldapdock 0.9"
echo "--> Launching slapd (temp)..."

# Start slapd temporarily for setup
/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap &
sleep 3

# Populate with user & group
echo "--> Populating directory with marisa..."
cat > /tmp/add_content.ldif << 'EOF'
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=mages,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: mages
gidNumber: 5000
memberUid: marisa

dn: uid=marisa,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash
homeDirectory: /home/marisa
EOF

ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/add_content.ldif
ldappasswd -x -D "cn=admin,dc=example,dc=com" -w admin -s qwerty "uid=marisa,ou=People,dc=example,dc=com"

# Kill temp slapd
pkill slapd
sleep 2

# === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
if [ ! -f "/export-certs/mycacert.crt" ]; then
    echo "--> No CA found in /export-certs → generating certificates..."

    mkdir -p /etc/ldap/certs
    cd /etc/ldap/certs

    # CA
    certtool --generate-privkey --bits 4096 --outfile ca-key.pem
    cat > ca.info <<EOF
cn = Example Company CA
ca
cert_signing_key
expiration_days = 3650
EOF
    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem

    # Server
    certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
    cat > ldap01.info <<EOF
organization = Example Company
cn = example.com
tls_www_server
encryption_key
signing_key
expiration_days = 365
EOF
    certtool --generate-certificate \
      --load-privkey ldap01_slapd_key.pem \
      --load-ca-certificate ca-cert.pem \
      --load-ca-privkey ca-key.pem \
      --template ldap01.info \
      --outfile ldap01_slapd_cert.pem

    # Permissions
    chgrp openldap ldap01_slapd_key.pem
    chmod 640 ldap01_slapd_key.pem

    # Bundle
    cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
    chown root:openldap ldap01_slapd_cert_full.pem
    chmod 640 ldap01_slapd_cert_full.pem

    # Start temp slapd to apply config
    slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
    sleep 3

    # Apply TLS config
    cat > /tmp/certinfo.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/ca-cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif

    # Trust locally
    cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
    update-ca-certificates

    # Kill temp
    pkill slapd
    sleep 2

    # === EXPORT TO HOST (always, since volume is mounted) ===
    echo "--> Exporting CA to /export-certs..."
    cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
    cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
    echo "--> CA ready at ./hosts-certs/mycacert.crt on host"
else
    echo "--> CA already exists at /export-certs/mycacert.crt → skipping generation"
fi

# === FINAL SLAPD START ===
echo "--> Starting final slapd with LDAPS..."
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
sleep 3

# === ENABLE TLS FOR ALL CLIENT TOOLS INSIDE CONTAINER ===
export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
echo "LDAPTLS_CACERT=$LDAPTLS_CACERT (all ldap* commands now work with TLS)"

echo "--> ldapdock framework ready."

# === KEEP CONTAINER ALIVE ===

# 'exec' replaces the script process with the command (e.g., /bin/bash),
# ensuring the container stays alive as long as that command runs interactively.
echo "Executing: $@"
exec "$@"