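# Post-install steps that configure a privacyIDEA appliance image inside
# $(CHROOT): service account, systemd units, Apache/WSGI vhost, FreeRADIUS
# and MariaDB.
#
# CHROOT and RUN are not defined in this fragment.  The recipes hand RUN
# paths without the $(CHROOT) prefix, so RUN presumably executes its
# arguments inside the chroot -- confirm in the including makefile.

# Stamp / result files; each one is the target of the rule that produces it.
PIUSER = $(CHROOT)/var/tmp/piuser
02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
apache_conf = $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.orig
pi_log = $(CHROOT)/var/log/privacyidea/privacyidea.log
radius_dict = $(CHROOT)/etc/raddb/dictionary.orig
radius_module = $(CHROOT)/etc/raddb/mods-enabled/perl-privacyidea
radius_site = $(CHROOT)/etc/raddb/sites-enabled/privacyidea

# Guard for recipes that delete files: with CHROOT unset, every
# "$(CHROOT)/..." path below resolves against the build host's own root.
# Deliberately recursive (=) so $(error) fires only when a recipe expands it.
require_chroot = $(if $(strip $(CHROOT)),,$(error CHROOT is empty - refusing to delete files outside a chroot))

# Command-style targets; declared phony so a stray file of the same name
# cannot make them look up to date.
.PHONY: systemd-units preinstall postinstall

# Install the backup script and the backup / cert-renew units and timers.
# The copies keep whatever mode the checkout has (subject to umask).
systemd-units: appliance/MySQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
	cp $< $(CHROOT)/usr/local/bin/
	cp $(filter-out $<,$^) $(CHROOT)/etc/systemd/system/

# Create the privacyidea service account (system user, fixed UID 605,
# /sbin/nologin shell, home directory not created).  The leading "-" makes
# make ignore a useradd failure -- presumably so a rebuild with the account
# already present still passes -- but the stamp is then also written when
# useradd failed for any other reason.
$(PIUSER):
	-RUN useradd --system --comment="created from appliance building - privacyidea user" --home-dir="/var/lib/privacyidea/home" --shell="/sbin/nologin" --no-create-home --uid 605 --user-group privacyidea
	touch $@

# Install the first-boot script and drop the /02firstboot marker in the
# chroot root.
# NOTE(review): the mkdir creates etc/local.d, not the directory the script
# is copied into; usr/local/bin is assumed to exist already.
$(02firstboot): appliance/02firstboot.start
	mkdir -p $(CHROOT)/etc/local.d
	cp $< $@
	touch $(CHROOT)/02firstboot

# Install the certificate renewal script.
$(cert-renew.sh): appliance/cert-renew.sh
	mkdir -p $(CHROOT)/etc/ssl
	cp $< $@

# Enable WSGI in Apache and splice the privacyIDEA directives into the
# default SSL vhost.  The pristine vhost is kept as *.conf.orig, which is
# also this rule's target ($@); the regenerated vhost is the prerequisite
# ($<).  The final touch makes the target newer than the regenerated file so
# the rule is not re-run.
# NOTE(review): not idempotent -- a forced re-run inserts "-D WSGI " again
# and overwrites .conf.orig with the already patched vhost.
# NOTE(review): the two `echo " "` lines look like a <Directory ...> /
# </Directory> pair whose tags were lost when this listing was extracted.
# As written, "Require all granted" and "AllowOverride None" are emitted
# directly at <VirtualHost> scope; restore the original container from the
# upstream file, and check what it grants access to, before using this.
$(apache_conf): $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
	sed -i 's:APACHE2_OPTS=\":APACHE2_OPTS=\"-D WSGI :' $(CHROOT)/etc/conf.d/apache2
	mv $< $@
# Everything before the closing </VirtualHost> line, then the privacyIDEA
# block, then the closing line and whatever follows it.
	{ sed '/<\/VirtualHost>/Q' $@ && \
	  echo " " && \
	  echo " Require all granted" && \
	  echo " Options FollowSymLinks" && \
	  echo " AllowOverride None" && \
	  echo " " && \
	  echo "" && \
	  echo " WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi" && \
	  echo " WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea" && \
	  echo " WSGIProcessGroup privacyidea" && \
	  echo " WSGIPassAuthorization On" && \
	  echo "" && \
	  grep -A 9999 '<\/VirtualHost>' $@; \
	} >$<
	touch $@

# Pre-create the privacyIDEA log file and hand it to the service account
# (the WSGI daemon above runs as user=privacyidea).  The file mode is left
# to the umask of the build.
$(pi_log):
	touch $@
	RUN chown privacyidea:root /var/log/privacyidea/privacyidea.log

# Replace the FreeRADIUS dictionary with the one shipped by privacyIDEA.
# The stock dictionary is preserved once as dictionary.orig; the test keeps
# a re-run from overwriting that backup with the replaced file.
$(radius_dict): $(CHROOT)/etc/privacyidea/dictionary
	if ! test -e $@; \
	then mv $(CHROOT)/etc/raddb/dictionary $@; \
	fi
	cp -f $< $(CHROOT)/etc/raddb/dictionary
	RUN chown root:radius /etc/raddb/dictionary
	chmod 640 $(CHROOT)/etc/raddb/dictionary
	touch $@

# Enable the perl-privacyidea module and disable the eap module.
# rm -f / ln -sf keep the recipe re-runnable once eap is already gone and
# the link already exists (plain rm / ln -s would fail on the second run).
$(radius_module): $(CHROOT)/etc/privacyidea/freeradius3/mods-perl-privacyidea
	$(require_chroot)
	cp $< $(CHROOT)/etc/raddb/mods-available/perl-privacyidea
	rm -f $(CHROOT)/etc/raddb/mods-enabled/eap
	ln -sf ../mods-available/perl-privacyidea $@

# Make privacyidea the only enabled FreeRADIUS site: install it readable by
# root and group radius only, drop every entry in sites-enabled, then link
# it.  rm -f tolerates an already empty sites-enabled directory.
$(radius_site): $(CHROOT)/etc/privacyidea/freeradius3/privacyidea
	$(require_chroot)
	cp $< $(CHROOT)/etc/raddb/sites-available/privacyidea
	RUN chown root:radius /etc/raddb/sites-available/privacyidea
	chmod 640 $(CHROOT)/etc/raddb/sites-available/privacyidea
	rm -f $(CHROOT)/etc/raddb/sites-enabled/*
	ln -sf ../sites-available/privacyidea $@

# Configure MariaDB and initialise an empty data directory.
# NOTE(review): the target is a directory and the recipe is destructive:
# whenever it runs it appends the settings again and wipes the data
# directory, hence the CHROOT guard on the first line.
# NOTE(review): "yes gentoo" answers every prompt of `emerge --config` with
# the literal string "gentoo", so the image appears to ship with that fixed
# MariaDB root password (presumably mirrored in mariadb/my.cnf.root --
# confirm).  Verify that first boot replaces it on every deployed appliance.
# NOTE(review): innodb_large_prefix is deprecated in recent MariaDB
# releases; confirm the packaged version still accepts it.
$(CHROOT)/var/lib/mysql: mariadb/my.cnf.root
	$(require_chroot)
# "$$" is make's escape for a literal "$" (the end-of-line anchor in sed).
	sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
	{ echo && \
	  echo "collation-server = utf8mb4_general_ci" && \
	  echo "transaction_isolation = READ-COMMITTED" && \
	  echo "binlog_format = ROW" && \
	  echo "expire_logs_days = 3" && \
	  echo "innodb_file_per_table = 1" && \
	  echo "innodb_large_prefix = on"; \
	} >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
# install sets mode 0600 when the file is created, so the client credentials
# file is never readable by group/other, not even between a cp and a chmod.
	install -m 0600 $< $(CHROOT)/root/.my.cnf
	rm -rf $(CHROOT)/var/lib/mysql/*
	RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb'

# Runs before package installation: the service account must exist first.
preinstall: $(PIUSER)

# Runs after package installation: everything that patches installed files.
postinstall: systemd-units $(apache_conf) $(02firstboot) $(cert-renew.sh) $(pi_log) $(radius_dict) $(radius_module) $(radius_site) $(CHROOT)/var/lib/mysql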