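#!/bin/bash
#
# ufw sequence: installs ufw and provides numbered steps (step_N, with
# step_N_info / step_N_alias / step_N_options companions) that add firewall
# rules for ssh, a mail server, multicast blocking, cifs and a VPN-only
# egress policy.  The steps are driven by /usr/local/bin/sequencer.sh, which
# is sourced at the end of this file.
#
# Helpers used below but not defined here (presumably provided by the
# sequencer): exe, error, echoinfo, interactive, endCheckEmpty.

toolName=ufw
toolDeps=$toolName
# Extra apt option(s); set to "-y" by seq_config when not interactive.
sq_aptOpt=
# Network interface the cifs and VPN steps bind their rules to.  Kept as a
# single variable so a host with e.g. ens3/enp0s3 only needs one change.
lanIface=eth0
#sq_config=0

#######################################
# Sequence-level configuration hook run by the sequencer.
# Globals:   sq_aptOpt (written)
# Returns:   0 always; a non-zero return would abort the whole sequence
#######################################
seq_config() {
  #if initSeqConfig "${seq_configName:?}" "${seq_configTemplate:?} ; then
  #  sq_config=1
  #else
  #  # End if no configuration file exists
  #  dry || return 1
  #fi

  ## Apt cmdline option to suppress user interaction
  interactive || sq_aptOpt="-y"

  ## Disable error checks if external scripts are used
  ## e.g. error on unbound variables
  #disableErrorCheck

  ## Return of non zero value will abort the sequence
  return 0
}

#######################################
# Loose IPv4 / IPv4-CIDR syntax check used before a value is handed to ufw.
# Accepts dotted quads with 1-3 digits per octet and an optional /N suffix
# (octet range 0-255 is not enforced; ufw rejects out-of-range values).
# Arguments: $1 - candidate address
# Returns:   0 if the syntax matches, 1 otherwise
#######################################
check_ipv4() {
  local candidate=${1:-}
  local ipregex='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
  [[ $candidate =~ $ipregex ]]
}

step_1_info() { echo "Install $toolName and allow ssh access"; }
step_1_alias() { echo "install"; }
#######################################
# Install the package and open ssh before anything else, so enabling the
# firewall in step_2 cannot lock out a remote session.
#######################################
step_1() {
  # shellcheck disable=SC2086 # word splitting intended: toolDeps may hold several packages, sq_aptOpt may be empty
  exe apt install $toolDeps ${sq_aptOpt}
  exe ufw allow ssh
}

step_2_info() { echo "Enable $toolName"; }
# Activate the firewall with whatever rules exist at this point.
step_2() {
  exe ufw enable
}

step_20_info() { echo "Enable mail server essentials"; }
step_20_alias() { echo "mailserver"; }
#######################################
# Open the ufw application profiles for a Postfix/Dovecot mail host plus
# HTTPS and the managesieve port.
#######################################
step_20() {
  exe ufw allow "Postfix"
  exe ufw allow "Postfix SMTPS"
  exe ufw allow "Dovecot Secure IMAP"
  exe ufw allow "WWW Secure"
  # Manage sieve (no ufw app profile, so the port is given directly)
  exe ufw allow 4190/tcp comment 'Managesieve'
}

step_22_info() { echo "Deny multicast from gateway"; }
step_22_options() { echo "[IP]"; }
step_22_alias() { echo "multicast"; }
#######################################
# Drop inbound multicast originating from the given source address.
# Arguments: $1 - step name (discarded), $2 - source IP/CIDR
# Returns:   1 when no syntactically valid IP is given
#######################################
step_22() {
  shift
  local srcIp=${1:-}
  if [[ -z "$srcIp" ]]; then
    error -e "No [IP] specified"
    return 1
  fi
  if ! check_ipv4 "$srcIp"; then
    error "No valid IP provided"
    return 1
  fi
  exe ufw deny in from "$srcIp" to 224.0.0.0/4 comment 'Broadcast Fritzbox'
  # 239.0.0.0/8 is already inside 224.0.0.0/4; the explicit rule is kept so
  # the administratively scoped range shows up on its own in `ufw status`.
  exe ufw deny in from "$srcIp" to 239.0.0.0/8 comment 'Broadcast Fritzbox'
}

step_24_info() {
  echo "Allow cifs mounts on $lanIface"
  echoinfo " [PORT] (default 445)"
  echoinfo " 139 : Cifs version 1.0"
  echoinfo " 445 : Cifs version 2.0+"
}
step_24_options() { echo "[IP] [PORT]"; }
step_24_alias() { echo "cifs"; }
#######################################
# Allow outbound cifs/smb to one file server.
# Globals:   lanIface (read)
# Arguments: $1 - step name (discarded), $2 - server IP/CIDR,
#            $3 - port, 139 or 445 (default 445)
# Returns:   1 on a missing/invalid IP or an unsupported port
#######################################
step_24() {
  shift
  local destIp=${1:-}
  endCheckEmpty destIp "No IP provided"
  if ! check_ipv4 "$destIp"; then
    error "No valid IP provided"
    return 1
  fi

  local destPort=445
  case "${2:-}" in
    139|445) destPort="${2}" ;;
    "") ;; # Set default
    *)
      error -e "Invalid port."
      return 1
      ;;
  esac
  exe ufw allow out on "$lanIface" to "${destIp}" port "${destPort}" proto tcp comment "samba/cifs"
}

step_26_info() { echo "Basic secure VPN setup"; }
step_26_alias() { echo "vpn"; }
#######################################
# Replace the whole rule set with a VPN-only egress policy: everything out
# must go through tun0, except the UDP port needed to bring the tunnel up.
# Globals:   lanIface (read)
# NOTE: `ufw --force reset` discards rules added by every earlier step
# (ssh, mail, cifs, multicast); re-run those afterwards if they are needed.
# NOTE(review): with outgoing denied on the LAN interface, DNS on that
# interface is blocked too, so the OpenVPN remote presumably has to be an
# IP literal (or resolvable some other way) — confirm against the client
# config.
#######################################
step_26() {
  exe ufw --force reset
  # Re-open ssh first so enabling below cannot lock out a remote session.
  exe ufw allow in on "$lanIface" to any port 22 comment "ssh"
  exe ufw default deny incoming
  exe ufw default deny outgoing
  exe ufw allow out on tun0
  # Initial openvpn connection
  exe ufw allow out on "$lanIface" to any port 1194 proto udp comment "openvpn default"
  # Allow access to socks proxy dante
  exe ufw allow in on "$lanIface" to any port 1080 comment "socks5 proxy danted"
  # Allow access to http proxy privoxy
  #exe ufw allow in on "$lanIface" to any port 8118 comment "http proxy privoxy"
  exe ufw enable
  exe ufw status verbose
}

# Minimum sequencer version this file was written against.
# shellcheck disable=SC2034 # Appears unused
readonly sqr_minVersion=16
# shellcheck disable=SC1091 # Don't follow this source
. /usr/local/bin/sequencer.sh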