#!/bin/sh

# PROVIDE: crowdsec
# BEFORE: crowdsec_firewall
# REQUIRE: LOGIN DAEMON NETWORKING
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
# crowdsec_enable (bool):	Set it to YES to enable crowdsec agent.
#				Default is "NO".
# crowdsec_config (str):	Set the agent config path.
#				Default is "%%PREFIX%%/etc/crowdsec/config.yaml".
# crowdsec_machine_name (str):	Name for the crowdsec instance when it's running its own lapi.
#				Default is "localhost".
# crowdsec_flags (str):	Set the extra flags to run the agent.
#				Default is ""

. /etc/rc.subr

name=crowdsec
rcvar=crowdsec_enable

load_rc_config "$name"

: "${crowdsec_enable:=NO}"
: "${crowdsec_config:=%%PREFIX%%/etc/crowdsec/config.yaml}"
: "${crowdsec_machine_name:=localhost}"
: "${crowdsec_flags:=}"

pidfile=/var/run/${name}_daemon.pid
pidfile_crowdsec=/var/run/${name}.pid
required_files="$crowdsec_config"
command="/usr/sbin/daemon"
command_crowdsec="%%PREFIX%%/bin/crowdsec"
command_cscli="%%PREFIX%%/bin/cscli"
command_args="-f -P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}"
reload_cmd="${name}_reload"
start_precmd="${name}_precmd"
configtest_cmd="${name}_configtest"
reload_precmd="${name}_configtest"
restart_precmd="${name}_configtest"
stop_precmd="${name}_stop_precmd"
stop_postcmd="${name}_stop_postcmd"
extra_commands="configtest reload"

crowdsec_stop_precmd() {
    # take note of the pid, because sbin/daemon will remove the file
    # without waiting for crowdsec to exit
    if [ -r "$pidfile_crowdsec" ]; then
        _CROWDSECPID="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")"
        export _CROWDSECPID
    fi
}

crowdsec_stop_postcmd() {
    # wait for process to exit before restarting, or it will find the http port in use
    if [ -n "$_CROWDSECPID" ]; then
        wait_for_pids "$_CROWDSECPID"
    fi
}

crowdsec_precmd() {
    cs_cli() {
        "$command_cscli" -c "$crowdsec_config" "$@"
    }

    Config() {
        cs_cli config show --key "Config.$1"
    }

    # Is the LAPI enabled on this node?
    if [ "$(Config API.Server.Enable)" != "false" ]; then
        # There are no machines, we create one for cscli & log processor
        if [ "$(cs_cli machines list -o json --error)" = "[]" ]; then
            echo "Registering LAPI"
            cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
        fi

        CONFIG_DIR=$(Config ConfigPaths.ConfigDir)

        # Register to the central server to receive the community blocklist and more
        if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
            echo "Registering CAPI"
            cs_cli capi register || :
        fi
    fi

    # install the collection for the first time, or if it has been removed
    cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \
        cs_cli collections install crowdsecurity/freebsd || :
}

crowdsec_configtest() {
    echo "Performing sanity check on ${name} configuration."
    if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then
        exit 1
    fi
    echo "Configuration test OK"
}

crowdsec_reload() {
    echo "Reloading configuration"
    if [ -r "$pidfile_crowdsec" ]; then
        kill -HUP "$(check_pidfile "$pidfile_crowdsec" "${command_crowdsec}")"
    fi
}

run_rc_command "$1"