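#!/bin/bash
#
# Configure libvirt/qemu on an Astra Linux ("BREST"/OpenNebula) node to work
# against a FreeIPA domain: install the IPA-specific config templates, obtain
# a Kerberos keytab for libvirt/<fqdn>, create the domain groups, align local
# and domain GIDs, and register this node with the BREST front end over SSH.
# Writes under /etc, so it must run as root.
#
# The script relies on bash-only features (function keyword, arrays, ${var^^},
# read -s, ${var,,}); the original "#!/bin/sh" shebang would not parse it on a
# dash-based /bin/sh, hence bash is named explicitly.

# Terminal attributes for the banners; empty (not an error) when there is no TERM.
BOLD=$(tput bold 2>/dev/null)
NORMAL=$(tput sgr0 2>/dev/null)
# Scratch directory: created and removed by this script but not otherwise used.
# A fixed name under /tmp is predictable; switch to mktemp -d if it ever holds data.
tmp_ipa_folder=/tmp/ipa-libvirt-qemu-configure
limits_conf=/etc/security/limits.conf   # not referenced later in this script
user_admin=brestadmin        # local admin account that is added to the libvirt/kvm groups
brestusers=brestusers        # IPA group name for BREST users
brestadmins=brestadmins      # IPA group name for BREST administrators
# The service principal and (by default) the realm are derived from this host's name.
HOSTNAME=$(hostname -s)
DOMAIN=$(hostname -d)
FQDN=$HOSTNAME.$DOMAIN
if [ -z "$DOMAIN" ]; then
    # Without a DNS domain the principal becomes "libvirt/<host>.@" and the
    # keytab step fails; say so up front instead of only at the final check.
    printf 'WARNING: "hostname -d" is empty; this host has no DNS domain\n' >&2
fi
ONEHOME=/var/lib/one         # OpenNebula home directory
ONE_USER=oneadmin            # OpenNebula service account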

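# Restart the onedisk incron unit (presumably OpenNebula's disk-image watcher).
# Its failure does not block the IPA setup, so it is reported rather than fatal.
systemctl restart opennebula-onedisk-incron.service \
    || printf 'WARNING: could not restart opennebula-onedisk-incron.service\n' >&2

# IPA server to fetch the keytab from: the "server = ..." entry of the enrolled
# client's /etc/ipa/default.conf, first entry only.  The original unquoted
# "[ -z $KDC ]" broke when awk printed more than one line.  Fallback: this
# host itself (i.e. the node is also the IPA server).
KDC=$(awk '$1 == "server" {print $3}' /etc/ipa/default.conf 2>/dev/null | head -n 1)
if [ -z "$KDC" ]; then
    KDC=$FQDN
fi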


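# Abort handler: runs on Ctrl-C (SIGINT) and is also called explicitly when
# kinit fails.  Removes the scratch directory and terminates the script.
# Exits non-zero so a wrapper can tell an aborted run from a completed one
# (the original exited 0 here, which made failed logins look like success).
trap ctrl_c INT
ctrl_c() {
    printf '\n\n** Срыв настройки\n\n'
    # ":?" refuses to run a bare "rm -rf" if the variable is somehow empty.
    rm -rf -- "${tmp_ipa_folder:?}"
    exit 1
}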

# Firewall handling is deliberately left out: the TCP libvirt socket enabled
# at the end of this script is therefore exposed according to whatever
# firewall rules the host already has.
#systemctl stop firewalld.service
#systemctl disable firewalld.service

printf '\n%sМастер настройки libvirt в режиме взаимодействия с IPA-доменом%s\n' "$BOLD" "$NORMAL"

# Astra Linux security mode 2 (mandatory access control active): grant the
# OpenNebula service account the PARSEC capabilities whose names indicate that
# MAC level/category/integrity checks are ignored, and integrity level 127.
# This is a deliberate, broad privilege grant for the hypervisor service user.
astramode=$(astra-modeswitch get)
case "$astramode" in
    2)
        usercaps -m PARSEC_CAP_IGNMACLVL,PARSEC_CAP_IGNMACCAT,PARSEC_CAP_IGNMACINT "$ONE_USER"
        pdpl-user -i 127 "$ONE_USER"
        ;;
esac

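# Scratch directory (removed again at the end of the run).
mkdir -p -- "$tmp_ipa_folder"

# backup_once FILE
#   Copy FILE to FILE.pre-ipa-libvirt-qemu unless that backup already exists.
#   The suffix means "state before this script ran", so a second run must not
#   overwrite it with the already-modified file (the original cp did exactly
#   that).  -p keeps the original mode, so a restrictive config file does not
#   get a more permissive copy next to it.
backup_once() {
    local f=$1
    if [ -f "$f" ] && [ ! -f "$f.pre-ipa-libvirt-qemu" ]; then
        cp -p -- "$f" "$f.pre-ipa-libvirt-qemu"
    fi
}

for f in /etc/default/libvirtd /etc/libvirt/libvirtd.conf /etc/libvirt/qemu.conf \
         /etc/sasl2/libvirt.conf /etc/sasl2/qemu.conf; do
    backup_once "$f"
done

# Install the IPA-specific templates shipped next to each config file.
# /etc/libvirt/libvirtd.conf is intentionally NOT replaced, so listener and
# authentication settings (e.g. auth_tcp) stay whatever the host already has.
cp -- /etc/default/libvirtd.ipa-libvirt-qemu /etc/default/libvirtd
#cp /etc/libvirt/libvirtd.conf.ipa-libvirt-qemu /etc/libvirt/libvirtd.conf
cp -- /etc/libvirt/qemu.conf.ipa-libvirt-qemu /etc/libvirt/qemu.conf
cp -- /etc/sasl2/libvirt.conf.ipa-libvirt-qemu /etc/sasl2/libvirt.conf
cp -- /etc/sasl2/qemu.conf.ipa-libvirt-qemu /etc/sasl2/qemu.conf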

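# Prompt for the IPA administrator credentials and obtain a Kerberos TGT.
# The password is handed to kinit on stdin (never on a command line, where
# "ps" could show it) and dropped from the environment right after use.
printf 'Введите имя администратора ipa-сервера (по умолчанию admin): '
read -r ipa_user_admin
if [ -z "$ipa_user_admin" ]; then
    ipa_user_admin="admin"
fi

ipa_user_pass=
while [ -z "$ipa_user_pass" ]; do
    printf 'Введите пароль администратора ipa-сервера: '
    # -s: no echo; -r: keep backslashes in the password literal.
    read -r -s ipa_user_pass
    echo
done
# printf '%s' instead of the original unquoted "echo $pass": echo would
# glob-expand / word-split a password containing '*' or spaces and would
# mis-handle one starting with "-n" or "-e".
if ! printf '%s\n' "$ipa_user_pass" | kinit "$ipa_user_admin"; then
    unset ipa_user_pass
    printf '\033[91m Вы неправильно ввели логин или пароль, попробуйте еще раз \033[0m\n'
    ctrl_c
fi
unset ipa_user_pass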

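# Kerberos realm: taken from the enrolled client's /etc/ipa/default.conf when
# present, otherwise the upper-cased DNS domain (the original assumption,
# which is only correct when the realm equals the domain).
realm=$(awk '$1 == "realm" {print $3}' /etc/ipa/default.conf 2>/dev/null | head -n 1)
[ -n "$realm" ] || realm=${DOMAIN^^}
libvirt_principal="libvirt/$FQDN@$realm"

# Create the libvirt service principal unless it already exists.  service-show
# is an exact lookup; the original "service-find | grep" was a substring match.
if ! ipa service-show "$libvirt_principal" >/dev/null 2>&1; then
    ipa service-add "$libvirt_principal"
fi

# Fetch a fresh keytab.  Without -r, ipa-getkeytab generates a NEW key, which
# invalidates every other keytab issued for this principal; the old file is
# removed first so stale entries are not appended to.
if [ -f /etc/libvirt/libvirt.keytab ]; then
    rm -f -- /etc/libvirt/libvirt.keytab
fi
if ipa-getkeytab -s "$KDC" -p "$libvirt_principal" -k /etc/libvirt/libvirt.keytab; then
    # The keytab is a long-term host credential: readable by root and the
    # libvirt-qemu group only.
    chown root:libvirt-qemu /etc/libvirt/libvirt.keytab
    chmod 0640 /etc/libvirt/libvirt.keytab
else
    # No keytab on disk -> the final status check at the end reports failure.
    printf 'ERROR: ipa-getkeytab failed for %s; no keytab written\n' "$libvirt_principal" >&2
fi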

# Put the local BREST admin account into the local groups that give access to
# libvirt, KVM, the Astra console and the audit facilities.  Membership of the
# libvirt groups typically means full control of the hypervisor, so this list
# of accounts should stay short.
for grp in libvirt-admin libvirt-qemu libvirt kvm astra-console astra-audit; do
    adduser "$user_admin" "$grp"
done

# Fix for Astra 1.6 Update 7: the libvirt-qemu service account itself must be
# in the kvm group (presumably for /dev/kvm access).
adduser libvirt-qemu kvm

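echo "Добавление системных групп в домен"

# ensure_ipa_group NAME
#   Create IPA group NAME unless it already exists.  group-show is an exact
#   lookup.  The original "group-find | grep NAME" was a substring match, so
#   an existing "libvirt-qemu" satisfied the check for "libvirt" and that
#   group was silently never created.
ensure_ipa_group() {
    local g=$1
    if ! ipa group-show "$g" >/dev/null 2>&1; then
        ipa group-add "$g" --desc="Group for BREST"
    fi
}

# ensure_ipa_member GROUP MEMBER_GROUP
#   Nest MEMBER_GROUP into GROUP unless group-show already lists it as a
#   member (whole-word match, so "brestusers" cannot satisfy "brestadmins").
ensure_ipa_member() {
    local g=$1 member=$2
    if ! ipa group-show "$g" | grep -qw -- "$member"; then
        ipa group-add-member "$g" --groups="$member"
    fi
}

for G in kvm libvirt libvirt-qemu libvirt-admin astra-audit; do
    ensure_ipa_group "$G"
done

# These nestings are the access policy: every member of brestusers and
# brestadmins becomes a member of the hypervisor access groups on every node
# that runs this script.
for G in kvm libvirt libvirt-qemu; do
    ensure_ipa_member "$G" "$brestusers"
    ensure_ipa_member "$G" "$brestadmins"
done

# Administrative groups: admins only.
for G in libvirt-admin astra-audit; do
    ensure_ipa_member "$G" "$brestadmins"
done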

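echo "Включение Group Merging"

# PAM profile that activates /etc/security/group.conf (pam_group): groups
# listed there are added to the session at login.  The script already runs
# as root, so the original's sudo prefixes were redundant and are dropped.
tf=/usr/share/pam-configs/groups_merging
: >"$tf"
chmod 0644 "$tf"
chown root:root "$tf"
cat >"$tf" <<'EOF'
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass
EOF

pam-auth-update --package groups_merging --force

# merge_group_nss FILE
#   In nsswitch.conf FILE, rewrite the "group:" line to
#   "<compat|files> [SUCCESS=merge] sss" so a group present both locally and
#   in the domain yields the union of members instead of the first source
#   winning.  Idempotent: once rewritten the pattern no longer matches.
merge_group_nss() {
    sed -i -r -e '/^\s*group:/s/(compat|files) sss/\1 [SUCCESS=merge] sss/;' -- "$1"
}
merge_group_nss /etc/nsswitch.conf

# Keep the pre-change /etc/group once; a re-run must not overwrite it with
# the already-modified file.
if [ ! -f /etc/group_before_libvirt_conf ]; then
    cp -p -- /etc/group /etc/group_before_libvirt_conf
fi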

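# Align local GIDs with the domain.  With group merging, a group that exists
# both in /etc/group and in IPA must carry the same numeric GID, otherwise
# file ownership and group checks disagree.  The domain GID wins; /etc/group
# is edited in place because groupmod refuses a GID that is already in use.
# NOTE: files already owned by the old local GID are NOT re-chowned here.
test -z "${LOGFILE}" && LOGFILE=/root/deploy.log
for gp in kvm libvirt libvirt-qemu libvirt-admin brestadmins brestusers astra-audit; do
    # Numeric GID from each NSS source separately; first line only, lookup
    # errors muted (the group may be missing from either source).
    tgid=$(getent group -s sss   "${gp}" 2>/dev/null | awk -F':' '{print $3}' | head -n 1)
    ogid=$(getent group -s files "${gp}" 2>/dev/null | awk -F':' '{print $3}' | head -n 1)
    # Only when the group exists in both places with different GIDs.
    if [ -n "${ogid}" ] && [ -n "${tgid}" ] && [ "${ogid}" -ne "${tgid}" ]; then
        # Anchored on "name:" so ^libvirt: does not touch the libvirt-qemu
        # line.  gp is a fixed literal and both GIDs are numeric, so nothing
        # untrusted reaches the sed expression.
        sed -i -r -e "/^${gp}:/s/:${ogid}:/:${tgid}:/;" /etc/group
        # Log to stdout and to the deploy log.
        printf '%s %s\n' "$( date -u "+%FT%TZ" )" "Change ${gp} from gid ${ogid} to ${tgid}" | tee -a "${LOGFILE}"
    fi
done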

# In Astra security mode 2 the $ONEHOME/plbl directory (purpose not shown
# here) must be group-writable by libvirt-qemu as well as owned by oneadmin.
if [ "$astramode" = "2" ] && [ -d "$ONEHOME/plbl" ]; then
    chown "$ONE_USER:libvirt-qemu" "$ONEHOME/plbl"
    chmod 0775 "$ONEHOME/plbl"
fi

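# Scratch directory is no longer needed.  ":?" refuses to run a bare
# "rm -rf" if the variable is somehow empty.
rm -rf -- "${tmp_ipa_folder:?}"

# Enable (but do not start) the plain-TCP libvirt listener so it comes up on
# the next boot.  The tcp transport is not TLS-protected: authentication and
# any confidentiality come from the SASL configuration installed above.  This
# script leaves libvirtd.conf untouched, so warn if that file explicitly
# disables authentication on the TCP listener.
if grep -Eq '^[[:space:]]*auth_tcp[[:space:]]*=[[:space:]]*"none"' /etc/libvirt/libvirtd.conf 2>/dev/null; then
    printf 'WARNING: /etc/libvirt/libvirtd.conf sets auth_tcp = "none"; libvirtd-tcp.socket will accept unauthenticated clients\n' >&2
fi
if ! systemctl is-enabled libvirtd-tcp.socket >/dev/null; then
    systemctl enable libvirtd-tcp.socket >/dev/null || true
    #systemctl start libvirtd-tcp.socket >/dev/null || true
fi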

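#проброс ssh c Брест
# Register this node with the BREST front end: fetch the oneadmin public key
# from the front end (so it can SSH here as oneadmin), append it to the local
# oneadmin's authorized_keys, then run "onehost create" on the front end.  The
# loop repeats until a key was obtained or the operator declines to retry.
# The front-end admin password is passed to sshpass via the environment and to
# expect via an escaped Tcl string -- never as a visible command-line argument.
while [ -z "$key" ]; do
        key= server_fqdn= node_fqdn= user_name= user_password= yesno= def_node_fqdn="$(hostname -f)"
        # The node name registered with onehost is this host's FQDN (the
        # interactive prompt for it is kept disabled).
        #echo -n "Введите полное доменное имя этого компьютера (по умолчанию ${BOLD}${def_node_fqdn}${NORMAL}): "
        #read node_fqdn
        #if [ -z  "${node_fqdn}" ];then
        node_fqdn="${def_node_fqdn}"
        #fi
        echo
        echo -n "-----Добавление хоста к кластеру ${BOLD}\"Брест\"${NORMAL}------"
        echo
        while [ -z "$server_fqdn" ]; do
            echo -n "Введите полное доменное имя фронтальной машины ${BOLD}\"Брест\"${NORMAL}: "
            read -r server_fqdn
            if [ -n "$server_fqdn" ] && ! ping -i0.5 -c2 "${server_fqdn}" > /dev/null 2>&1;then
                echo "Адрес \"${server_fqdn}\" не доступен."
                server_fqdn=
            fi
        done
        while [ -z "$user_name" ]; do
            echo -n "Введите имя локального администратора фронтальной машины ${BOLD}\"Брест\"${NORMAL} (пользователь должен иметь беcпарольный доступ через механизм sudo): "
            read -r user_name
        done
        while [ -z "$user_password" ]; do
            echo -n "Введите пароль администратора: "
            read -r -s user_password
            echo
        done

        # The password is spliced into a Tcl script; printf %q escapes $, [, \
        # and quotes so Tcl neither substitutes nor mis-parses it.
        # StrictHostKeyChecking=no: the first connection trusts whatever host
        # answers, and the password is sent to it -- run this on a trusted
        # network or pre-seed known_hosts.  user_name / server_fqdn are operator
        # input and are not escaped for Tcl; values with spaces or quotes break.
        escaped_password=$(printf "%q" "$user_password")
        key=($(expect -c 'spawn -noecho ssh -o StrictHostKeyChecking=no '${user_name}@${server_fqdn}' "sudo -u oneadmin bash -c \"cat /var/lib/one/.ssh/id_rsa.pub\"";
        expect "*assword:*";
        send -- "'"${escaped_password}"'\r";
        expect eof' | grep "^ssh-rsa"; exit))

        if [ -n "$key" ];then
            # Write the key line through tee instead of the original
            # bash -c "echo ..." -- the line comes from the remote host and
            # must not be re-parsed as shell code here.  ${key[1]} is the
            # base64 key body, used as the duplicate check.
            sudo -u "$ONE_USER" mkdir -p -m 0700 "$ONEHOME/.ssh"
            if [ -f "$ONEHOME/.ssh/authorized_keys" ]; then
                grep -qwF -- "${key[1]}" "$ONEHOME/.ssh/authorized_keys" \
                    || printf '%s\n' "${key[*]}" | sudo -u "$ONE_USER" tee -a "$ONEHOME/.ssh/authorized_keys" >/dev/null
            else
                printf '%s\n' "${key[*]}" | sudo -u "$ONE_USER" tee -a "$ONEHOME/.ssh/authorized_keys" >/dev/null
                chmod 0600 "$ONEHOME/.ssh/authorized_keys"
            fi
        else
            echo -e "ОШИБКА ввода имени и/или пароля Администратора сервера \"${server_fqdn}\""
            message="Повторить ввод данных сервера?(Да/Нет): "
            answer=
            while [ -z "$answer" ];do
                echo -n "$message"
                read -r answer
                answer=$(echo ${answer,,})
                case $answer in
                    'да'|'yes'|'y') answer="x";;
                    # "No" ends the loop; the registration attempt below still
                    # runs with the credentials as entered (original behaviour).
                    'нет'|'no'|'n') answer='x'; key='x';;
                    *) answer=; message="Укажите \"Да\" или \"Нет\": ";;
                esac
            done
        fi
        # Original defect: "onehost create" ran unconditionally, so when the
        # operator chose to retry after a bad login, the SSH with the same bad
        # credentials failed here and its exit code terminated the script --
        # the retry never happened.  Now it only runs when the loop is ending.
        if [ -n "$key" ]; then
            # sshpass -e reads the password from $SSHPASS; the original -p put
            # it on the command line where any local user could read it in ps.
            SSHPASS="${user_password}" sshpass -e ssh "${user_name}@${server_fqdn}" "sudo onehost create -i kvm -v kvm -r off ${node_fqdn};"
            rc=$?
            unset user_password escaped_password
            [ "x$rc" != "x0" ] && exit $rc
        fi
done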

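# Final status.  Success means a non-empty keytab is in place (ipa-getkeytab
# succeeded); -s instead of -f so an empty file does not count.  This does not
# re-check the IPA group steps; a failed "onehost create" already exited
# earlier.  libvirtd is restarted to pick up the keytab and the replaced
# qemu/sasl configs; the TCP socket enabled above starts on the next boot.
if [ -s /etc/libvirt/libvirt.keytab ]; then
    service libvirtd restart
    printf '\n\t%sНастройка прошла успешно!%s\n' "$BOLD" "$NORMAL"
else
    printf '\n\tОшибка!\n'
    # The original printed the error but still exited 0, so a deploy wrapper
    # could not detect the failure.
    exit 1
fi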
