#!/usr/bin/env bash

# Author        : Allan Christensen
# First Created : 22052021 (DD-MM-YYYY)
# Description   : Installs WordPress on Ubuntu 24.04
# License       : MIT License (see LICENSE file for details)

#
# Are we root
#
if [[ $(id -u) -ne 0 ]]; then echo "" && echo "Must be root or use sudo" && echo "" ; exit 1 ; fi

#
# Get php-fpm version
#
phpfpm=$(systemctl list-unit-files --type=service | awk '/php[0-9]+\.[0-9]+-fpm\.service/ {sub(".service","",$1); print $1; exit}')
if [[ -z "$phpfpm" ]]; then printf "\nUnable to detect php-fpm version. Is PHP-FPM installed?\n\n" ; exit 1 ; fi

#
# Check if required services are running or not
#
for svc in nginx mariadb "$phpfpm"; do systemctl is-active --quiet "$svc" || { printf "\n%s is not running, cannot continue...\n\n" "${svc^}" ; exit 1 ; }; done

#
# Check MariaDB authentication method (socket or not)
#
if mysql -u root -e ";" 2>/dev/null; then
    socket="SOCKET DETECTED — no need for -a or -m"
    socketusage="SOCKET DETECTED — this flag is not needed"
    socketauth="yes"
else
    socket="NO SOCKET DETECTED — you must use -a and -m"
    socketusage="NO SOCKET DETECTED — these flags are required"
    socketauth="no"
fi

#
# Define variables and functions
#

#
# Function usage
#
usage() {
    printf -- "\nwordpressinstall\n\n"

    if [[ "$socketauth" == "yes" ]]; then
        printf -- "SOCKET DETECTED — no need for -a or -m\n\n"
        printf -- "Installs WordPress on Ubuntu using MariaDB socket authentication.\n\n"
        printf -- "Usage:\n"
        printf -- "  sudo ./wordpressinstall -n <domain> -d <dbname> -u <dbuser> -p <dbpass>\n\n"
        printf -- "Example:\n"
        printf -- "  sudo ./wordpressinstall -n wp.something.xyz -d wpdb -u wpuser -p wpPass123\n\n"
    else
        printf -- "NO SOCKET DETECTED — you must use -a and -m\n\n"
        printf -- "Installs WordPress on Ubuntu using MariaDB password authentication.\n\n"
        printf -- "Usage:\n"
        printf -- "  sudo ./wordpressinstall -n <domain> -d <dbname> -u <dbuser> -p <dbpass> -m <adminpwd> [-a <adminuser>]\n\n"
        printf -- "Examples:\n"
        printf -- "  sudo ./wordpressinstall -n wp.something.xyz -d wpdb -u wpuser -p wpPass123 -m rootpwd\n"
        printf -- "  sudo ./wordpressinstall -n wp.something.xyz -d wpdb -u wpuser -p wpPass123 -a admin -m adminpwd\n\n"
    fi

    printf -- "Options:\n"
    printf -- "  -h | -help | --help   Show this help screen\n\n"
}

#
# Let's go
#
clear

#
# Trap: show usage if user requests help. Recognizes -help and --help as early exits before getopts
#
if [[ "$1" == "-help" || "$1" == "--help" ]]; then usage ; exit 0 ; fi

#
# Trap: malformed or missing input. Catches empty argument or argument not starting with '-'
#
if [[ $# -eq 0 || ! $1 =~ ^- ]]; then usage ; exit 1 ; fi

#
# Configure command line options
#
while getopts ":n:d:u:p:m:a:h" option; do
    case "$option" in
        n) hostname=$(echo "$OPTARG" | tr '[:upper:]' '[:lower:]');;
        d) dbname="$OPTARG";;
        u) dbuser="$OPTARG";;
        p) dbpass="$OPTARG";;
        m) mariadbpwd="$OPTARG";;
        a) mariadbadmin="$OPTARG";;
        h) usage; exit 0;;
        :) usage; echo ""; echo "Error! Option -$OPTARG requires an argument."; echo ""; exit 1;;
        \?) usage; echo ""; echo "Error! Invalid option: -$OPTARG"; echo ""; exit 1;;
    esac
done

#
# Parse and validate input
#
if [[ -z "$hostname" || -z "$dbname" || -z "$dbuser" || -z "$dbpass" ]]; then
    usage
    printf "\nERROR: Missing required arguments.\n"
    printf "Hostname (-n), Database name (-d), User (-u), and Password (-p) are mandatory.\n\n"
    exit 1
fi

# Convert to lowercase (domains are case-insensitive)
hostname=$(echo "$hostname" | tr '[:upper:]' '[:lower:]')

# Disallow leading hyphen
if [[ "$hostname" =~ ^- ]]; then
    printf "\nERROR: Domain cannot start with a hyphen.\n"
    printf "Example of valid input: wp.example.com\n\n"
    exit 1
fi

# Disallow spaces, slashes, underscores
if [[ "$hostname" =~ [[:space:]/_] ]]; then
    printf "\nERROR: Domain cannot contain spaces, slashes, or underscores.\n\n"
    exit 1
fi

# Validate domain format (RFC 1123)
if [[ ! "$hostname" =~ ^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$ ]]; then
    printf "\nERROR: Invalid domain format.\n"
    printf "Example of valid input: wp.example.com\n\n"
    exit 1
fi

# Prevent accidental overwrite of existing Nginx config
if [[ -f "/etc/nginx/conf.d/${hostname}.conf" ]]; then
    printf "\nERROR: A configuration file already exists for %s.\n" "$hostname"
    printf "Refusing to overwrite existing site.\n\n"
    exit 1
fi

# Check for existing references in other Nginx configs
hostcheck=$(grep -r --exclude="README.md" "$hostname" /etc/nginx/ 2>/dev/null || true)
if [[ -n "$hostcheck" ]]; then
    printf "\nFound existing configuration mentioning %s — aborting to avoid collision.\n\n" "$hostname"
    exit 1
fi

# Prevent overwriting existing document root
if [[ -d "/var/www/html/${hostname}" ]]; then
    printf "\nERROR: Directory /var/www/html/%s already exists.\n" "$hostname"
    printf "Refusing to continue to avoid overwriting existing WordPress files.\n\n"
    exit 1
fi

# Check for spaces in DB credentials
if [[ "$dbname" =~ [[:space:]] || "$dbuser" =~ [[:space:]] || "$dbpass" =~ [[:space:]] ]]; then
    printf "\nERROR: Database name, user, and password cannot contain spaces.\n\n"
    exit 1
fi

#
# Ensure curl is installed
#
for tool in curl; do dpkg -s "$tool" &>/dev/null || apt install -y -qq "$tool" ; done

#
# Download, install, and configure the latest WordPress version
#
printf "\nDownloading latest WordPress package...\n"
mkdir -p /var/www/html
curl -sL https://wordpress.org/latest.tar.gz | tar -xzf - --transform "s,^wordpress,$hostname," -C "/var/www/html" || { echo "WordPress download or extraction failed"; exit 1; }
wptarget="/var/www/html/$hostname"
cp "$wptarget/wp-config-sample.php" "$wptarget/wp-config.php"
sed -i "s/database_name_here/$dbname/" "$wptarget/wp-config.php"
sed -i "s/username_here/$dbuser/"      "$wptarget/wp-config.php"
sed -i "s/password_here/$dbpass/"      "$wptarget/wp-config.php"
chown -R www-data: "$wptarget"

#
# Clone nginx-snippets; if nginx-snippets exists then just pull latest changes
#
nginxsnippets="/etc/nginx/nginx-snippets"
repo="https://git.x-files.dk/webserver/nginx-snippets.git"
if [[ -d "$nginxsnippets/.git" ]]; then git -C "$nginxsnippets" pull --quiet; else git clone --quiet "$repo" "$nginxsnippets"; fi

#
# Create WordPress Nginx configuration
#
cp "$nginxsnippets/hostfiles/wordpress.80.conf" /etc/nginx/conf.d/"$hostname".conf
sed -i -- "s/DOMAIN/$hostname/g" /etc/nginx/conf.d/"$hostname".conf
sed -i "s/PHPVERSION/$phpfpm/" /etc/nginx/conf.d/"$hostname".conf

#
# Wordpress hardeging
#
mkdir -p /etc/nginx/includes
cp "$nginxsnippets/wp-hardening.conf" /etc/nginx/includes/wp-hardening.conf
sed -i "s/PHPVERSION/$phpfpm/" /etc/nginx/includes/wp-hardening.conf
cp --no-clobber "$nginxsnippets/wp-rate-limit.conf" /etc/nginx/conf.d/wp-rate-limit.conf 2>/dev/null

#
# Determine MariaDB login method (uses earlier socket variable)
#
mariadbadmin="${mariadbadmin:-root}"

printf "\nChecking MariaDB access method...\n"

if [[ "$socketauth" == "yes" ]]; then
    dbmethod="socket"
    printf "Socket authentication detected (root)\n"
elif [[ -n "$mariadbpwd" && -n "$mariadbadmin" ]]; then
    dbmethod="admin"
    printf "Using admin user authentication (%s)\n" "$mariadbadmin"
elif [[ -n "$mariadbpwd" ]]; then
    dbmethod="password"
    printf "Using root password authentication\n"
else
    printf "\nERROR: No valid MariaDB authentication method found.\n"
    printf "Tried socket, root password, and admin credentials.\n\n"
    exit 1
fi

#
# Create WordPress database
#
case "$dbmethod" in
    socket)
        mysql -u root <<EOF
CREATE DATABASE IF NOT EXISTS $dbname;
CREATE USER IF NOT EXISTS '$dbuser'@'localhost' IDENTIFIED BY '${dbpass//\'/\'\\\'\'}';
GRANT ALL PRIVILEGES ON $dbname.* TO '$dbuser'@'localhost';
FLUSH PRIVILEGES;
EOF
        ;;
    password)
        mysql -u root -p"${mariadbpwd}" <<EOF
CREATE DATABASE IF NOT EXISTS $dbname;
CREATE USER IF NOT EXISTS '$dbuser'@'localhost' IDENTIFIED BY '${dbpass//\'/\'\\\'\'}';
GRANT ALL PRIVILEGES ON $dbname.* TO '$dbuser'@'localhost';
FLUSH PRIVILEGES;
EOF
        ;;
    admin)
        mysql -u "${mariadbadmin}" -p"${mariadbpwd}" <<EOF
CREATE DATABASE IF NOT EXISTS $dbname;
CREATE USER IF NOT EXISTS '$dbuser'@'localhost' IDENTIFIED BY '${dbpass//\'/\'\\\'\'}';
GRANT ALL PRIVILEGES ON $dbname.* TO '$dbuser'@'localhost';
FLUSH PRIVILEGES;
EOF
        ;;
esac

#
# Restarting Nginx and Phpfpm for changes to take effect
#
printf "\nRestarting services...\n"
systemctl restart "$phpfpm"
systemctl restart nginx

#
# Wordpress notice
#
wpnotice=$(cat <<EOF
-----------------------------------------------------------------------------------
IMPORTANT:

Go to http://$hostname/wp-admin/install.php and complete the setup
-----------------------------------------------------------------------------------
EOF
)

#
# Print notice
#
printf '%s\n' "$wpnotice"

#
# All done
#
printf "\nAll Done — WordPress files located at: %s\n" "$wptarget"

#
# End of script
#