#!/usr/bin/env bash
# Nextcloud + Apache + PHP 8.3-FPM on Ubuntu 24.04
# - Applies requested php.ini edits
# - Apache with proxy_fcgi (no mod_php)
# - Downloads Nextcloud to /var/www/nextcloud
# - MariaDB DB + user
# - Redis for file locking (optional but recommended)

set -euo pipefail
IFS=$'\n\t'
export DEBIAN_FRONTEND=noninteractive

# ====== EDIT ME ======
DOMAIN="cloud.example.com"
NC_DIR="/var/www/nextcloud"
NC_DATA_DIR="/var/ncdata"

DB_NAME="nextcloud"
DB_USER="nextclouduser"
DB_PASS="ChangeMe_DB_Secret!"

ADMIN_USER="ncadmin"
ADMIN_PASS="ChangeMe_Admin_Secret!"

PHP_VER="8.3"
PHP_FPM_SOCK="/run/php/php${PHP_VER}-fpm.sock"

# ====== Base packages ======
apt-get update
apt-get -y upgrade
apt-get install -y software-properties-common apt-transport-https ca-certificates \
  lsb-release unzip wget curl gnupg2 tar sudo

# ====== MariaDB ======
apt-get install -y mariadb-server mariadb-client
systemctl enable --now mariadb

# Headless mysql_secure_installation equivalent
mysql --protocol=socket <<'SQL'
DELETE FROM mysql.user WHERE User='';
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db LIKE 'test\_%';
FLUSH PRIVILEGES;
SQL

mysql --protocol=socket <<SQL
CREATE DATABASE IF NOT EXISTS \`${DB_NAME}\`
  CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER IF NOT EXISTS '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';
GRANT ALL PRIVILEGES ON \`${DB_NAME}\`.* TO '${DB_USER}'@'localhost';
FLUSH PRIVILEGES;
SQL

# ====== PHP 8.3 + FPM + Redis/APCu/Imagick ======
apt-get install -y php${PHP_VER} php${PHP_VER}-fpm php${PHP_VER}-cli php${PHP_VER}-common \
  php${PHP_VER}-mysql php${PHP_VER}-xml php${PHP_VER}-mbstring php${PHP_VER}-curl \
  php${PHP_VER}-gd php${PHP_VER}-zip php${PHP_VER}-intl php${PHP_VER}-bcmath \
  php${PHP_VER}-gmp php-redis php-apcu php-imagick

systemctl enable --now php${PHP_VER}-fpm

# ====== Apply YOUR requested php.ini edits ======
PHP_INI="/etc/php/${PHP_VER}/fpm/php.ini"
sed -ri 's/^;?\s*memory_limit\s*=.*/memory_limit = 512M/' "$PHP_INI"
sed -ri 's/^;?\s*upload_max_filesize\s*=.*/upload_max_filesize = 1024M/' "$PHP_INI"
sed -ri 's/^;?\s*post_max_size\s*=.*/post_max_size = 1024M/' "$PHP_INI"
sed -ri 's/^;?\s*max_execution_time\s*=.*/max_execution_time = 360/' "$PHP_INI"

# Recommended opcache (kept minimal here)
sed -ri 's/^;?\s*opcache.enable\s*=.*/opcache.enable=1/' "$PHP_INI"
sed -ri 's/^;?\s*opcache.enable_cli\s*=.*/opcache.enable_cli=0/' "$PHP_INI"

systemctl restart php${PHP_VER}-fpm

# ====== Redis (for transactional file locking & memcache) ======
apt-get install -y redis-server
sed -ri 's|^#?\s*unixsocket\s+.*|unixsocket /var/run/redis/redis-server.sock|' /etc/redis/redis.conf
sed -ri 's|^#?\s*unixsocketperm\s+.*|unixsocketperm 770|' /etc/redis/redis.conf
install -d -m 0755 /var/run/redis
systemctl enable --now redis-server
usermod -aG redis www-data || true
systemctl restart redis-server

# ====== Apache (NO mod_php; we use php-fpm via proxy_fcgi) ======
apt-get install -y apache2
a2enmod rewrite headers env dir mime ssl proxy_fcgi setenvif
a2enconf php${PHP_VER}-fpm   # provides the SetHandler for .php to PHP-FPM
# Make sure event MPM is on (good for FPM); disable prefork if present
a2dismod mpm_prefork >/dev/null 2>&1 || true
a2enmod mpm_event >/dev/null 2>&1 || true

# Nextcloud vhost
cat >/etc/apache2/sites-available/nextcloud.conf <<EOF
<VirtualHost *:80>
    ServerName ${DOMAIN}
    DocumentRoot ${NC_DIR}

    <Directory ${NC_DIR}>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>

    # Large uploads
    LimitRequestBody 0
    SetEnv HOME ${NC_DIR}
    SetEnv HTTP_HOME ${NC_DIR}

    # Security headers (tune later, add HSTS after TLS)
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"

    # PHP-FPM socket
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:${PHP_FPM_SOCK}|fcgi://localhost/"
    </FilesMatch>

    ErrorLog \${APACHE_LOG_DIR}/nextcloud_error.log
    CustomLog \${APACHE_LOG_DIR}/nextcloud_access.log combined
</VirtualHost>
EOF

a2ensite nextcloud.conf
a2dissite 000-default.conf >/dev/null 2>&1 || true
systemctl enable --now apache2
apache2ctl configtest
systemctl reload apache2

# ====== Download Nextcloud (latest) ======
mkdir -p /tmp/nc
cd /tmp/nc
wget -q https://download.nextcloud.com/server/releases/latest.zip
unzip -q -o latest.zip

# Deploy to /var/www/nextcloud
rm -rf "${NC_DIR}"
mv nextcloud "${NC_DIR}"

# Ownership & permissions
install -d -m 0750 "${NC_DATA_DIR}"
chown -R www-data:www-data "${NC_DIR}" "${NC_DATA_DIR}"
chmod -R 750 "${NC_DIR}"

# ====== Bootstrap Nextcloud (non-interactive) ======
sudo -u www-data php "${NC_DIR}/occ" maintenance:install \
  --database "mysql" \
  --database-name "${DB_NAME}" \
  --database-user "${DB_USER}" \
  --database-pass "${DB_PASS}" \
  --admin-user "${ADMIN_USER}" \
  --admin-pass "${ADMIN_PASS}" \
  --data-dir "${NC_DATA_DIR}"

# Trusted domain + base URL (HTTP for now—add TLS later)
sudo -u www-data php "${NC_DIR}/occ" config:system:set trusted_domains 1 --value="${DOMAIN}"
sudo -u www-data php "${NC_DIR}/occ" config:system:set overwrite.cli.url --value="http://${DOMAIN}"

# Caching: APCu local + Redis locking (unix socket)
sudo -u www-data php "${NC_DIR}/occ" config:system:set memcache.local --value='\OC\Memcache\APCu'
sudo -u www-data php "${NC_DIR}/occ" config:system:set memcache.locking --value='\OC\Memcache\Redis'
sudo -u www-data php "${NC_DIR}/occ" config:system:set redis --type=json --value='{"host":"\/var\/run\/redis\/redis-server.sock","port":0,"timeout":1.5}'

# ====== Cron every 5 minutes ======
cat >/etc/cron.d/nextcloud <<EOF
*/5 * * * * www-data php -f ${NC_DIR}/cron.php
EOF
chmod 0644 /etc/cron.d/nextcloud
systemctl restart cron

echo "================================================================="
echo " Nextcloud ready at:  http://${DOMAIN}"
echo " Admin: ${ADMIN_USER}  /  ${ADMIN_PASS}"
echo " Data dir: ${NC_DATA_DIR}"
echo "-----------------------------------------------------------------"
echo " Next steps:"
echo "  1) Issue TLS: apt-get install -y certbot python3-certbot-apache"
echo "     certbot --apache -d ${DOMAIN}"
echo "  2) In Nextcloud admin > Overview, run security & setup warnings."
echo "  3) Consider MariaDB tuning (innodb_buffer_pool_size etc.)"
echo "================================================================="