#!/usr/bin/env bash
# setup.sh — install bindcar's example BIND9 config on a bare-metal or VM host
#
# Run this once on the BIND9 host before starting bindcar in drone mode.
# Requires root (or sudo) and a working BIND9 installation.
#
# Usage:
#   sudo ./setup.sh
#
# After setup, start bindcar drone with the env vars printed at the end.

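set -euo pipefail

# Directory holding the example config files shipped next to this script.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Installation targets; each may be overridden from the environment.
BIND_CONF_DIR="${BIND_CONF_DIR:-/etc/bind}"
ZONE_DIR="${ZONE_DIR:-/var/cache/bind}"
BIND_USER="${BIND_USER:-bind}"
RNDC_KEY_FILE="${BIND_CONF_DIR}/rndc.key"
# Files copied verbatim from SCRIPT_DIR into BIND_CONF_DIR (mode 0644, root:bind).
CONFIG_FILES=(named.conf named.conf.options named.conf.local rndc.conf)

#######################################
# Print an error to stderr and abort.
# Arguments: message words
# Returns:   never (exit 1)
#######################################
die() {
    printf 'error: %s\n' "$*" >&2
    exit 1
}

# --- Require root ---
# install/chown below need root; fail early with a usable hint.
if [[ $EUID -ne 0 ]]; then
    die "this script must be run as root (try: sudo $0)"
fi

# --- Preflight ---
# Check everything a later step depends on before touching BIND_CONF_DIR, so a
# half-installed config is not left behind on a missing tool or source file.
command -v openssl >/dev/null 2>&1 \
    || die "openssl not found; it is required to generate the RNDC secret"
for f in "${CONFIG_FILES[@]}"; do
    [[ -f "${SCRIPT_DIR}/${f}" ]] || die "missing source file ${SCRIPT_DIR}/${f}"
done

echo "=== bindcar external-bind9 setup ==="
echo "BIND9 config dir : $BIND_CONF_DIR"
echo "Zone file dir    : $ZONE_DIR"
echo ""

# --- Copy config files ---
echo "[1/4] copying config files to $BIND_CONF_DIR ..."
for f in "${CONFIG_FILES[@]}"; do
    install -m 0644 -o root -g "$BIND_USER" "${SCRIPT_DIR}/${f}" "${BIND_CONF_DIR}/${f}"
done

# --- Generate RNDC TSIG key ---
echo "[2/4] generating RNDC TSIG key ..."
RNDC_SECRET="$(openssl rand -base64 32)"
[[ -n "$RNDC_SECRET" ]] || die "openssl returned an empty secret"

# Create (or re-own) the key file with its final root:bind 0640 mode BEFORE the
# secret is written. The previous "cat > file; chown; chmod" order left a
# window in which a umask-default (typically world-readable) rndc.key held
# the TSIG secret; it also left a pre-existing rndc.key at whatever mode it
# already had while the new secret was written into it.
install -m 0640 -o root -g "$BIND_USER" /dev/null "$RNDC_KEY_FILE"
cat > "$RNDC_KEY_FILE" <<EOF
// Generated by bindcar setup.sh — do not edit manually
key "rndc-key" {
    algorithm hmac-sha256;
    secret "${RNDC_SECRET}";
};
EOF

# --- Ensure zone dir exists and is writable by named ---
echo "[3/4] preparing zone dir $ZONE_DIR ..."
mkdir -p "${ZONE_DIR}"
chown "${BIND_USER}:${BIND_USER}" "${ZONE_DIR}"
chmod 0755 "${ZONE_DIR}"

# --- Validate config syntax ---
echo "[4/4] validating named.conf syntax ..."
if command -v named-checkconf >/dev/null 2>&1; then
    # Explicit if/else instead of `a && b || c`: with the chained form the
    # failure branch also runs if the success `echo` itself fails.
    if named-checkconf "${BIND_CONF_DIR}/named.conf"; then
        echo "named.conf syntax OK"
    else
        echo "named.conf syntax FAILED — fix the config before starting named" >&2
        exit 1
    fi
else
    echo "named-checkconf not found, skipping syntax check"
fi

# The secret is printed once so the operator can hand it to bindcar; the only
# other copy is the one just written to $RNDC_KEY_FILE.
echo ""
echo "=== setup complete ==="
echo ""
echo "Start BIND9, then run bindcar drone with:"
echo ""
echo "  RNDC_SERVER=127.0.0.1:953        \\"
echo "  RNDC_KEY_NAME=rndc-key           \\"
echo "  RNDC_ALGORITHM=hmac-sha256       \\"
echo "  RNDC_SECRET=${RNDC_SECRET}       \\"
echo "  NSUPDATE_SERVER=127.0.0.1        \\"
echo "  NSUPDATE_PORT=53                 \\"
echo "  BIND_ZONE_DIR=${ZONE_DIR}        \\"
echo "  bindcar drone"
echo ""
echo "Save RNDC_SECRET to a secrets manager — it is shown only once."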
