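#!/bin/sh
#
# Create the LDAP service accounts (cn=<service>,ou=Services,<base DN>) used by
# the other containers, generating a password for any account whose password
# is not supplied through the environment.
#
# Required env:  LDAP_BASE_DN, LDAP_ADMIN_PASSWORD
# Optional env:  LDAP_SERVICE_<NAME>_PASSWORD for KEYCLOAK, NEXTCLOUD, GITEA,
#                POSTFIX, DOVECOT and SSSD (generated with generate_password
#                when unset)
# Depends on:    /scripts/utils.sh (log_info, log_warn, generate_password,
#                wait_for_slapd)
#
# Everything written here (the LDIF, the admin bind password, the reference
# password file) contains credentials, so temp files come from mktemp under
# umask 077 and the admin password is passed to ldapadd via a file (-y)
# instead of on the command line, where it would be visible in ps.
set -e
. /scripts/utils.sh

: "${LDAP_BASE_DN:?LDAP_BASE_DN must be set}"
: "${LDAP_ADMIN_PASSWORD:?LDAP_ADMIN_PASSWORD must be set}"

# Socket URL for ldapi - must use URL-encoded path
readonly LDAPI_SOCKET="ldapi://%2Frun%2Fopenldap%2Fldapi"
readonly PASSWORD_FILE=/var/lib/openldap/service-passwords.txt

slapd_pid=
ldif_file=
admin_pw_file=

#######################################
# Remove credential-bearing temp files and stop the temporary slapd if it is
# still running. Installed as the EXIT trap so it also runs on failure paths.
# Globals:   slapd_pid, ldif_file, admin_pw_file (read)
#######################################
cleanup() {
  if [ -n "$ldif_file" ]; then
    rm -f -- "$ldif_file"
  fi
  if [ -n "$admin_pw_file" ]; then
    rm -f -- "$admin_pw_file"
  fi
  if [ -n "$slapd_pid" ] && kill -0 "$slapd_pid" 2>/dev/null; then
    kill "$slapd_pid" 2>/dev/null || true
    wait "$slapd_pid" 2>/dev/null || true
  fi
}
trap cleanup EXIT

#######################################
# Print one service-account LDIF entry (followed by the blank line that
# separates LDIF records) to stdout.
# Globals:   LDAP_BASE_DN (read)
# Arguments: $1 - cn of the account
#            $2 - description attribute
#            $3 - password (sent as cleartext in userPassword)
#######################################
service_entry() {
  # NOTE(review): userPassword is sent in cleartext; whether slapd stores it
  # hashed depends on the ppolicy overlay's hash-cleartext setting — confirm.
  cat <<EOF
dn: cn=$1,ou=Services,${LDAP_BASE_DN}
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: $1
description: $2
userPassword: $3

EOF
}

log_info "Creating service accounts..."

# Start slapd temporarily. -d 0 keeps it in the foreground (no debug output),
# so $! is its PID and we can stop exactly this instance later instead of
# pkill'ing every slapd on the host.
log_info "Starting slapd temporarily for service account creation..."
/usr/sbin/slapd -d 0 -h "$LDAPI_SOCKET" -F /etc/openldap/slapd.d -u ldap -g ldap &
slapd_pid=$!

# Wait for slapd
wait_for_slapd 30 "$LDAPI_SOCKET"

# Generate passwords for each service if not provided
LDAP_SERVICE_KEYCLOAK_PASSWORD="${LDAP_SERVICE_KEYCLOAK_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_NEXTCLOUD_PASSWORD="${LDAP_SERVICE_NEXTCLOUD_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_GITEA_PASSWORD="${LDAP_SERVICE_GITEA_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_POSTFIX_PASSWORD="${LDAP_SERVICE_POSTFIX_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_DOVECOT_PASSWORD="${LDAP_SERVICE_DOVECOT_PASSWORD:-$(generate_password)}"
LDAP_SERVICE_SSSD_PASSWORD="${LDAP_SERVICE_SSSD_PASSWORD:-$(generate_password)}"

# From here on every file this script creates holds secrets; slapd was started
# above so its own files are unaffected by this umask.
umask 077
ldif_file=$(mktemp /tmp/service-accounts.XXXXXX)
admin_pw_file=$(mktemp /tmp/ldap-admin-pw.XXXXXX)
# No trailing newline: ldapadd -y uses the complete file contents as the password.
printf '%s' "$LDAP_ADMIN_PASSWORD" > "$admin_pw_file"

# Create service accounts LDIF
{
  service_entry keycloak "Keycloak LDAP federation service account" "$LDAP_SERVICE_KEYCLOAK_PASSWORD"
  service_entry nextcloud "Nextcloud LDAP backend service account" "$LDAP_SERVICE_NEXTCLOUD_PASSWORD"
  service_entry gitea "Gitea LDAP authentication service account" "$LDAP_SERVICE_GITEA_PASSWORD"
  service_entry postfix "Postfix virtual mailbox lookup service account" "$LDAP_SERVICE_POSTFIX_PASSWORD"
  service_entry dovecot "Dovecot authentication service account" "$LDAP_SERVICE_DOVECOT_PASSWORD"
  service_entry sssd "SSSD NSS/PAM service account" "$LDAP_SERVICE_SSSD_PASSWORD"
} > "$ldif_file"

# Add service accounts. ldapadd exits with the LDAP result code; 68 is
# entryAlreadyExists (a re-run), which is tolerated. Any other failure (bad
# admin password, schema error, ...) is fatal: previously every error was
# reported as "may already exist" and freshly generated passwords that were
# never stored in LDAP were then written to the reference file.
rc=0
ldapadd -x -H "$LDAPI_SOCKET" -D "cn=admin,${LDAP_BASE_DN}" -y "$admin_pw_file" -f "$ldif_file" || rc=$?
case "$rc" in
  0) ;;
  68)
    log_warn "Some service accounts already exist; existing passwords were left unchanged and ${PASSWORD_FILE} was not rewritten"
    ;;
  *)
    log_warn "ldapadd failed with status ${rc}"
    exit "$rc"
    ;;
esac

# Output generated passwords to a file for reference, only when they were
# actually stored in the directory. Created under umask 077, so the file is
# never world-readable even before the explicit chmod.
if [ "$rc" -eq 0 ]; then
  cat > "$PASSWORD_FILE" <<EOF
# Service Account Passwords (generated on first run)
# IMPORTANT: Store these securely and delete this file after noting passwords
LDAP_SERVICE_KEYCLOAK_PASSWORD=${LDAP_SERVICE_KEYCLOAK_PASSWORD}
LDAP_SERVICE_NEXTCLOUD_PASSWORD=${LDAP_SERVICE_NEXTCLOUD_PASSWORD}
LDAP_SERVICE_GITEA_PASSWORD=${LDAP_SERVICE_GITEA_PASSWORD}
LDAP_SERVICE_POSTFIX_PASSWORD=${LDAP_SERVICE_POSTFIX_PASSWORD}
LDAP_SERVICE_DOVECOT_PASSWORD=${LDAP_SERVICE_DOVECOT_PASSWORD}
LDAP_SERVICE_SSSD_PASSWORD=${LDAP_SERVICE_SSSD_PASSWORD}
EOF
  chmod 600 "$PASSWORD_FILE"
  chown ldap:ldap "$PASSWORD_FILE"
  log_info "Service account passwords saved to ${PASSWORD_FILE}"
  log_warn "IMPORTANT: Retrieve these passwords and delete the file for security"
fi

# Stop temporary slapd (only the instance started above) and reap it so the
# socket is released before the script returns.
log_info "Stopping temporary slapd..."
kill "$slapd_pid" || log_warn "temporary slapd (pid ${slapd_pid}) was not running"
wait "$slapd_pid" || true
slapd_pid=

# Temp files are removed by the EXIT trap.
log_info "Service account creation complete"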