#!/bin/bash

set -e

echo "=== Installing Apache HTTP Server ==="
tdnf install httpd --assumeyes

echo "=== Creating SSL certificate directory ==="
CERT_DIR="/root/http-certificates"
mkdir -p "$CERT_DIR"

echo "=== Generating private key ==="
openssl genpkey -out "$CERT_DIR/server.key" -algorithm RSA -pkeyopt rsa_keygen_bits:2048

echo "=== Generating CSR ==="
openssl req -new -key "$CERT_DIR/server.key" -out "$CERT_DIR/request.csr"

echo "=== Please sign 'request.csr' with your CA or create a self-signed certificate ==="
read -p "Place the signed certificate as 'server.crt' in $CERT_DIR and press [Enter] to continue..."

echo "=== Moving key and certificate to Apache configuration directory ==="
mv "$CERT_DIR"/server.* /etc/httpd/conf/
chmod 0400 /etc/httpd/conf/server.key /etc/httpd/conf/server.crt
chown root:root /etc/httpd/conf/server.key /etc/httpd/conf/server.crt

echo "=== Configuring Apache ==="
HTTPD_CONF="/etc/httpd/conf/httpd.conf"
sed -i 's|#LoadModule ssl_module|LoadModule ssl_module|' "$HTTPD_CONF"
sed -i 's|#LoadModule socache_shmcb_module|LoadModule socache_shmcb_module|' "$HTTPD_CONF"
sed -i 's|#Include conf/extra/httpd-ssl.conf|Include conf/extra/httpd-ssl.conf|' "$HTTPD_CONF"

echo "=== Creating authentication file ==="
HTPASSWD_FILE="/etc/httpd/conf/.htpasswd"
read -p "Enter username for HTTP authentication: " USERNAME
htpasswd -c "$HTPASSWD_FILE" "$USERNAME"
chown apache "$HTPASSWD_FILE"
chmod 0400 "$HTPASSWD_FILE"

echo "=== Updating SSL configuration ==="
SSL_CONF="/etc/httpd/conf/extra/httpd-ssl.conf"
cat <<EOF >> "$SSL_CONF"

<Directory /var/www/html/PROD/COMP>
  AuthType Basic
  AuthName "Basic Authentication"
  AuthUserFile /etc/httpd/conf/.htpasswd
  Require valid-user
</Directory>

<Directory "/var/www/html/PROD/COMP/Compatibility/VxrailCompatibilityData.json">
  <If "%{HTTP:Cookie} == 'ngssosession=ngsso-token' ">
    Require all granted
  </If>
</Directory>

<Directory /var/www/html/PROD/vsan/hcl>
  <If "%{HTTP:X-vmw-esp-clientid} == 'offline-depot-hcl-vcf' ">
    Require all granted
  </If>
</Directory>

Alias /products/v1/bundles/lastupdatedtime /var/www/html/PROD/vsan/hcl/lastupdatedtime.json
Alias /products/v1/bundles/all /var/www/html/PROD/vsan/hcl/all.json

<Directory /var/www/html/umds-patch-store>
  Require all granted
</Directory>
EOF

echo "=== Starting and enabling Apache ==="
httpd -t
systemctl start httpd
systemctl enable httpd

echo "=== Opening ports in firewall ==="
IPTABLES_CONF="/etc/systemd/scripts/ip4save"
grep -q -- "--dport 443" "$IPTABLES_CONF" || echo "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT" >> "$IPTABLES_CONF"
grep -q -- "--dport 22" "$IPTABLES_CONF" || echo "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT" >> "$IPTABLES_CONF"
systemctl restart iptables

echo "=== Removing default Apache index page ==="
rm -f /var/www/html/index.html

echo "=== Setting permissions on document root ==="
chown apache -R /var/www/html/
find /var/www/html -type d -exec chmod 0500 {} \;
find /var/www/html -type f -exec chmod 0400 {} \;

echo "=== Apache HTTP Server setup complete ==="