#!/usr/bin/env bash
#
# onx-mailbox-create — Minimal mailbox provisioning sysapi.
#
# Sadece Maildir create + doveadm password hash dön. DB row'u Laravel
# MailboxProvisioner email_accounts tablosuna kendisi yazıyor (panel-side).
# Eski dovecot_users tablosuna INSERT yapmıyor (deprecated tasarım).
#
# Stdin (JSON):
#   {
#     "email":     "user@example.com",   // zorunlu
#     "password":  "<plaintext>",        // zorunlu, hash döner
#     "quota_mb":  1024,                 // opsiyonel, default 1024 (-1=unlimited)
#     "uid":       5000,                 // opsiyonel, vmail uid
#     "gid":       5000                  // opsiyonel, vmail gid
#   }
#
# Stdout (JSON):
#   {
#     "email":         "user@example.com",
#     "maildir":       "/var/vmail/example.com/user/Maildir",
#     "password_hash": "{SHA512-CRYPT}$6$...",
#     "quota_mb":      1024,
#     "uid":           5000,
#     "gid":           5000,
#     "home":          "/var/vmail/example.com/user",
#     "created":       true
#   }
#
# Exit codes: 0=ok, 1=invalid input, 2=preflight (vmail/doveadm yok),
#             3=execution fail (mkdir/chown/hash)

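set -uo pipefail

readonly VMAIL_ROOT="/var/vmail"
# Dovecot's default scheme; the hash is returned to the panel, never stored here.
readonly HASH_SCHEME="SHA512-CRYPT"
readonly EMAIL_RE='^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
# Canonical integers only (no leading zeros, no sign noise) so the values can be
# passed to jq --argjson and to chown without reinterpretation.
readonly INT_RE='^(0|-?[1-9][0-9]*)$'
readonly UINT_RE='^(0|[1-9][0-9]*)$'

#######################################
# Print a JSON error object to stderr and exit.
# Arguments: $1 - exit code (1 input, 2 preflight, 3 execution), $* - message
#######################################
fail() {
    local code=$1
    shift
    # Messages are script-controlled literals without quotes, so plain printf
    # is enough here and does not depend on jq being installed.
    printf '{"error":"%s"}\n' "$*" >&2
    exit "$code"
}

#######################################
# Read one field from the stdin JSON document.
# Globals:   INPUT (read)
# Arguments: $1 - jq expression, e.g. '.email // ""'
# Outputs:   raw field value on stdout
#######################################
json_field() {
    jq -r "$1" <<<"$INPUT"
}

#######################################
# Emit the result document on stdout (single line, same key order as before).
# Every value goes through jq --arg/--argjson, so nothing taken from the input
# or from doveadm can break the JSON structure.
# Globals:   EMAIL MAILDIR PASSWORD_HASH QUOTA_MB UID_VAL GID_VAL MAILBOX_HOME (read)
# Arguments: $1 - "true" or "false" for the created flag
#            $2 - optional note string (omitted from output when empty)
# Returns:   jq's exit status
#######################################
emit_result() {
    local created=$1
    local note=${2:-}
    jq -cn \
        --arg email "$EMAIL" --arg maildir "$MAILDIR" --arg hash "$PASSWORD_HASH" \
        --argjson quota "$QUOTA_MB" --argjson uid "$UID_VAL" --argjson gid "$GID_VAL" \
        --arg home "$MAILBOX_HOME" --argjson created "$created" --arg note "$note" \
        '{email:$email, maildir:$maildir, password_hash:$hash, quota_mb:$quota,
          uid:$uid, gid:$gid, home:$home, created:$created}
         + (if $note == "" then {} else {note:$note} end)'
}

# --- preflight -----------------------------------------------------------
# jq is needed before anything else can be parsed or reported.
command -v jq >/dev/null 2>&1 || fail 2 "jq yok"

# --- input ---------------------------------------------------------------
INPUT=$(cat 2>/dev/null || echo '{}')
[[ -n "$INPUT" ]] || INPUT='{}'
# Reject malformed or non-object input up front instead of letting every
# field silently read as empty and reporting a misleading "email gerekli".
jq -e 'type == "object"' >/dev/null 2>&1 <<<"$INPUT" || fail 1 "geçersiz JSON"

EMAIL=$(json_field '.email // ""')
PASSWORD=$(json_field '.password // ""')
QUOTA_MB=$(json_field '.quota_mb // 1024')
UID_VAL=$(json_field '.uid // 5000')
GID_VAL=$(json_field '.gid // 5000')

[[ -n "$EMAIL" ]] || fail 1 "email gerekli"
[[ -n "$PASSWORD" ]] || fail 1 "password gerekli"
[[ "$EMAIL" =~ $EMAIL_RE ]] || fail 1 "geçersiz email"
# quota_mb: -1 means unlimited, so a sign is allowed; uid/gid must be non-negative
# and are used verbatim in chown, so they must be plain integers.
[[ "$QUOTA_MB" =~ $INT_RE ]] || fail 1 "geçersiz quota_mb"
[[ "$UID_VAL" =~ $UINT_RE && "$GID_VAL" =~ $UINT_RE ]] || fail 1 "geçersiz uid/gid"
# Mail directories must never end up root-owned; a uid/gid of 0 would also let
# the chown/chmod below hand the tree to root.
(( UID_VAL > 0 && GID_VAL > 0 )) || fail 1 "uid/gid 0 olamaz"

LOCAL="${EMAIL%@*}"
DOMAIN="${EMAIL#*@}"
[[ -n "$LOCAL" && -n "$DOMAIN" ]] || fail 1 "email parse hatası"
# EMAIL_RE admits "." and ".." as a local part. Used as a path component that
# would resolve MAILBOX_HOME to the domain dir or to VMAIL_ROOT itself, and the
# chown -R / chmod 770 below would then rewrite ownership of every mailbox.
# The domain part always ends in ".<tld>" and contains no "/", so it cannot
# escape VMAIL_ROOT the same way.
[[ "$LOCAL" != "." && "$LOCAL" != ".." ]] || fail 1 "geçersiz email"

readonly DOMAIN_DIR="${VMAIL_ROOT}/${DOMAIN}"
readonly MAILBOX_HOME="${DOMAIN_DIR}/${LOCAL}"
readonly MAILDIR="${MAILBOX_HOME}/Maildir"

# vmail system user check
id -u vmail >/dev/null 2>&1 || fail 2 "vmail user yok — useradd -r -u 5000 vmail"

# doveadm CLI check
command -v doveadm >/dev/null 2>&1 || fail 2 "doveadm yok"

# --- password hash -------------------------------------------------------
# Hashed before the existence check so both the "created" and the
# "already_exists" paths report a doveadm failure as exit 3 (the documented
# contract) instead of returning an empty hash with exit 0.
# NOTE(review): -p puts the plaintext into doveadm's argv, which other local
# users can read via ps for the duration of the call; if the installed doveadm
# can take the password on stdin instead, prefer that — confirm against the
# deployed version.
PASSWORD_HASH=$(doveadm pw -s "$HASH_SCHEME" -p "$PASSWORD" 2>/dev/null) || PASSWORD_HASH=""
[[ -n "$PASSWORD_HASH" ]] || fail 3 "doveadm pw failed"

# Idempotency: if the Maildir already exists, return the hash with created:false
# and leave the existing tree's ownership and mode untouched.
if [[ -d "${MAILDIR}/cur" ]]; then
    emit_result false already_exists || fail 3 "json output failed"
    exit 0
fi

# --- directory tree ------------------------------------------------------
# Create and chown the DOMAIN parent first, NON-recursively. `mkdir -p` of the
# Maildir used to create /var/vmail/<domain>/ as root on the first mailbox, and
# `chown -R MAILBOX_HOME` only covered the user subtree, so the parent stayed
# root:root and Dovecot LMTP (delivering as vmail) could not enter it → new mail
# bounced with "Permission denied". Non-recursive so other mailboxes of the same
# domain (already vmail-owned) are not touched.
# Ownership failures are fatal: exit 3 is the documented code for chown errors
# and a root-owned tree is exactly the bug this step exists to prevent. stderr
# of the tools stays suppressed so stderr carries only the JSON error object.
mkdir -p -- "$DOMAIN_DIR" || fail 3 "domain dir mkdir failed"
chown "${UID_VAL}:${GID_VAL}" "$DOMAIN_DIR" 2>/dev/null || fail 3 "domain dir chown failed"
chmod 770 "$DOMAIN_DIR" 2>/dev/null || fail 3 "domain dir chmod failed"

# Maildir tree
mkdir -p -- "${MAILDIR}/cur" "${MAILDIR}/new" "${MAILDIR}/tmp" || fail 3 "mkdir failed"
chown -R "${UID_VAL}:${GID_VAL}" "$MAILBOX_HOME" 2>/dev/null || fail 3 "chown failed"
chmod 770 "$MAILBOX_HOME" "$MAILDIR" "${MAILDIR}/cur" "${MAILDIR}/new" "${MAILDIR}/tmp" 2>/dev/null \
    || fail 3 "chmod failed"

# SELinux context (best-effort, RHEL family): a failure here is not fatal, the
# directories are usable without relabeling on non-SELinux hosts.
if command -v restorecon >/dev/null 2>&1; then
    restorecon -R "$MAILBOX_HOME" 2>/dev/null || true
fi

# JSON output — MailboxProvisioner reads password_hash + home from this.
emit_result true || fail 3 "json output failed"
exit 0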
