#!/usr/bin/env bash
#
# onx-time-status — Sunucu zaman senkronu durumu (chrony/timedatectl parse).
#
# Mail (DKIM/Received headers), SSL (cert validity check), Audit log
# (event ordering) — hepsi accurate clock'a bağımlı. Bu sysapi admin
# panelde drift badge + NTP sources gösterimi için.
#
# Stdin (JSON): {} (no args)
#
# Stdout (JSON):
#   {
#     "ok": true,
#     "timezone": "Europe/Istanbul",
#     "system_time": "2026-05-19T13:00:00+03:00",
#     "ntp_synced": true,
#     "ntp_active": true,
#     "drift_seconds": 0.001234,
#     "leap_status": "Normal",
#     "reference_id": "...",
#     "stratum": 2,
#     "sources": [
#       {"server": "0.tr.pool.ntp.org", "stratum": 2, "reach": "377", "lastrx": "12s ago"}
#     ],
#     "chrony_active": true,
#     "warning": null
#   }
#
# Exit codes: 0 = ok (her durumda — chrony yoksa bile JSON döner)

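# Drain stdin. This endpoint takes no arguments; the request body is read only
# to honour the stdin/stdout JSON protocol and is never evaluated.
cat >/dev/null 2>&1 || true

# Escape a string for use inside a JSON string literal.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout (no surrounding quotes)
json_escape() {
    local s=$1
    s=${s//\\/\\\\}
    s=${s//\"/\\\"}
    s=${s//$'\n'/\\n}
    s=${s//$'\r'/\\r}
    s=${s//$'\t'/\\t}
    # Any control byte still left has no short escape; drop it instead of
    # emitting a document the consumer cannot parse.
    printf '%s' "$s" | LC_ALL=C tr -d '\000-\037\177'
}

# Print $1 as a JSON integer when it is a plain non-negative integer, else 0.
json_uint() {
    if [[ $1 =~ ^[0-9]{1,9}$ ]]; then
        # 10# forces base 10, so a leading zero is neither read as octal nor
        # emitted (JSON forbids leading zeros).
        printf '%d' "$((10#$1))"
    else
        printf '0'
    fi
}

# Print $1 when it is a valid JSON number, else 0.
json_number() {
    local re='^-?(0|[1-9][0-9]*)(\.[0-9]+)?([eE][+-]?[0-9]+)?$'
    if [[ $1 =~ $re ]]; then
        printf '%s' "$1"
    else
        printf '0'
    fi
}

# Print the value of one "Label : value" line of `chronyc tracking`.
# Arguments: $1 - label the line starts with; stdin - tracking output
# Only the text up to the FIRST colon is removed, so a value that itself
# contains colons (an IPv6 address, a timestamp) is not truncated.
tracking_field() {
    awk -v label="$1" 'index($0, label) == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Not named TZ: TZ is the variable libc and bash consult for local time, and
# assigning it here could change what `date` prints on the next line.
ZONE_NAME=$(timedatectl show --property=Timezone --value 2>/dev/null || echo "UTC")
SYS_TIME=$(date -Iseconds)
NTP_SYNCED=$(timedatectl show --property=NTPSynchronized --value 2>/dev/null)
NTP_ACTIVE=$(timedatectl show --property=NTP --value 2>/dev/null)

# chrony defaults, reported when chronyd is not running or chronyc is missing.
CHRONY_ACTIVE="false"
DRIFT="0"
LEAP="unknown"
REF_ID=""
STRATUM=0
SOURCES_JSON="[]"
WARNING=""

if systemctl is-active --quiet chronyd 2>/dev/null; then
    CHRONY_ACTIVE="true"

    if command -v chronyc >/dev/null 2>&1; then
        TRACKING=$(chronyc tracking 2>/dev/null)

        REF_ID=$(tracking_field "Reference ID" <<<"$TRACKING")
        REF_ID=${REF_ID%% *}   # keep the ID, drop the "(name)" that follows it

        STRATUM=$(tracking_field "Stratum" <<<"$TRACKING")
        STRATUM=$(json_uint "${STRATUM%% *}")

        # "System time : <n> seconds slow|fast of NTP time". Only the number
        # is taken, so the value carries no sign. Anything that is not a
        # number becomes 0 so it can never reach the JSON output unquoted.
        # NOTE(review): an unparseable drift is reported as 0 without a
        # warning - confirm the panel should not flag that case.
        DRIFT=$(tracking_field "System time" <<<"$TRACKING")
        DRIFT=$(json_number "${DRIFT%% *}")

        LEAP=$(tracking_field "Leap status" <<<"$TRACKING")
        [[ -z "$LEAP" ]] && LEAP="unknown"

        # Parse `chronyc sources -n`. Rows look like:
        #   MS Name/IP  Stratum Poll Reach LastRx Last sample
        # Rows are recognised by their mode character (^ server, = peer,
        # # refclock) rather than by skipping a fixed number of header lines:
        # the header length is not the same in every chronyc release (some
        # print a leading "Number of sources" line), and a fixed skip drops
        # the first source on the others.
        SOURCES_JSON="["
        SEP=""
        while IFS= read -r line || [[ -n "$line" ]]; do
            [[ "$line" =~ ^=+$ ]] && continue        # ruler under the header
            [[ "$line" == [#=^]* ]] || continue      # header, status or blank

            read -r _ SRV STR _ REACH LASTRX _ <<<"$line"
            [[ -z "$SRV" ]] && continue

            SOURCES_JSON+="${SEP}{\"server\":\"$(json_escape "$SRV")\""
            SOURCES_JSON+=",\"stratum\":$(json_uint "$STR")"
            SOURCES_JSON+=",\"reach\":\"$(json_escape "${REACH:-0}")\""
            SOURCES_JSON+=",\"lastrx\":\"$(json_escape "${LASTRX:-?}")\"}"
            SEP=","
        done < <(chronyc sources -n 2>/dev/null)
        SOURCES_JSON+="]"
    fi
fi

# Drift warning when the offset exceeds one second in either direction.
# DRIFT is a validated number here, so awk compares numerically.
DRIFT_STATE=$(awk -v d="$DRIFT" 'BEGIN { if (d < 0) d = -d; print (d > 1.0) ? "high" : "ok" }' 2>/dev/null)
[[ "$DRIFT_STATE" == "high" ]] && WARNING="System drift >1s — mail timestamps risky"

# NTP synchronisation / daemon checks.
[[ "$NTP_SYNCED" != "yes" ]] && WARNING="${WARNING:+$WARNING; }NTP not synchronized"
[[ "$CHRONY_ACTIVE" != "true" && "$NTP_ACTIVE" != "yes" ]] && WARNING="${WARNING:+$WARNING; }No NTP daemon running"

if [[ "$NTP_SYNCED" == "yes" ]]; then SYNCED_JSON=true; else SYNCED_JSON=false; fi
if [[ "$NTP_ACTIVE" == "yes" ]]; then ACTIVE_JSON=true; else ACTIVE_JSON=false; fi
if [[ -n "$WARNING" ]]; then
    WARNING_JSON="\"$(json_escape "$WARNING")\""
else
    WARNING_JSON=null
fi

# Every string taken from a tool's output is escaped and every number is
# validated before it is placed in the document, so unexpected tool output
# cannot break the JSON or add keys to it.
printf '{"ok":true,"timezone":"%s","system_time":"%s","ntp_synced":%s,"ntp_active":%s,"chrony_active":%s,"drift_seconds":%s,"leap_status":"%s","reference_id":"%s","stratum":%s,"sources":%s,"warning":%s}\n' \
    "$(json_escape "$ZONE_NAME")" \
    "$(json_escape "$SYS_TIME")" \
    "$SYNCED_JSON" \
    "$ACTIVE_JSON" \
    "$CHRONY_ACTIVE" \
    "$(json_number "$DRIFT")" \
    "$(json_escape "$LEAP")" \
    "$(json_escape "$REF_ID")" \
    "$(json_uint "$STRATUM")" \
    "$SOURCES_JSON" \
    "$WARNING_JSON"
exit 0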
