#!/bin/bash
# postinst for edgeguard-api — creates system user, filesystem layout,
# initialises PostgreSQL (role + db + migrations), enables systemd
# units. Each step idempotent; safe to re-run on every upgrade.
set -e

export LC_ALL=C
export LANG=C

EG_USER="edgeguard"
EG_HOME="/var/lib/edgeguard"

case "$1" in
    configure)
        # ── System user ──────────────────────────────────────────────
        if ! getent passwd "$EG_USER" >/dev/null; then
            adduser --system --group --home "$EG_HOME" \
                    --shell /usr/sbin/nologin --no-create-home \
                    --gecos "EdgeGuard daemon" "$EG_USER"
        fi

        # ── Directories ──────────────────────────────────────────────
        for d in /etc/edgeguard /var/lib/edgeguard /var/log/edgeguard \
                 /etc/edgeguard/haproxy /etc/edgeguard/squid \
                 /etc/edgeguard/wireguard /etc/edgeguard/unbound \
                 /etc/edgeguard/nftables.d /etc/edgeguard/tls \
                 /var/lib/edgeguard/acme; do
            install -d -m 0750 -o "$EG_USER" -g "$EG_USER" "$d"
        done

        # ── Self-signed default cert so HAProxy starts cleanly ───────
        # HAProxy `bind :443 ssl crt /etc/edgeguard/tls/` needs at least
        # one PEM in the directory to come up. Operator runs certbot
        # later; until then, browsers see an unverified cert which is
        # the expected first-boot UX.
        DEFAULT_PEM="/etc/edgeguard/tls/_default.pem"
        if [ ! -f "$DEFAULT_PEM" ]; then
            HOSTNAME_FQDN="$(hostname -f 2>/dev/null || hostname)"
            TMP_KEY="$(mktemp)"
            TMP_CRT="$(mktemp)"
            openssl req -x509 -nodes -newkey rsa:2048 \
                -keyout "$TMP_KEY" -out "$TMP_CRT" \
                -days 3650 \
                -subj "/CN=$HOSTNAME_FQDN" \
                -addext "subjectAltName = DNS:$HOSTNAME_FQDN,DNS:localhost" \
                >/dev/null 2>&1
            cat "$TMP_CRT" "$TMP_KEY" > "$DEFAULT_PEM"
            chown "$EG_USER:$EG_USER" "$DEFAULT_PEM"
            chmod 0640 "$DEFAULT_PEM"
            rm -f "$TMP_KEY" "$TMP_CRT"
        fi

        # ── Pre-flight: validate embedded migration set ──────────────
        # Catches duplicate version prefixes BEFORE we touch the DB,
        # so a broken upgrade can't half-apply migrations and leave
        # the cluster wedged (mail-gateway 2026-05-08 incident).
        if ! /usr/bin/edgeguard-ctl migrate check; then
            echo "postinst: embedded migrations failed validation — aborting" >&2
            exit 1
        fi

        # ── PostgreSQL: ensure role + database exist ─────────────────
        # Requires postgresql-16 (or -17) running locally — guaranteed
        # by Depends. Idempotent — re-runs on upgrade are no-ops.
        if ! /usr/bin/edgeguard-ctl initdb; then
            echo "postinst: edgeguard-ctl initdb failed — aborting" >&2
            exit 1
        fi

        # ── Apply pending schema migrations ──────────────────────────
        if ! sudo -n -u "$EG_USER" /usr/bin/edgeguard-ctl migrate up; then
            echo "postinst: edgeguard-ctl migrate up failed — aborting" >&2
            exit 1
        fi

        # ── systemd ──────────────────────────────────────────────────
        systemctl daemon-reload
        systemctl enable --now edgeguard-api.service edgeguard-scheduler.service || true
        ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

#DEBHELPER#

exit 0