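#!/bin/bash
# This script is used from the .iso installation medium.
#
# First-boot provisioning for Libre Workspace:
#   1. drops the cdrom apt source and installs the repository prerequisites,
#   2. registers the Libre Workspace apt repository with its own keyring,
#   3. installs libre-workspace-portal and runs its first-boot preparation,
#   4. writes a login-enforcing Django middleware and registers it in
#      settings.py,
#   5. disables and removes the first-boot service and this script, then
#      reboots.
#
# The script runs as a one-shot systemd service. Any failure aborts before the
# service is disabled, so the steps below are written to be safe to re-run.
set -euo pipefail

readonly KEYRING=/usr/share/keyrings/libre-workspace-archive-keyring.gpg
readonly PORTAL_DIR=/usr/lib/libre-workspace/portal
readonly SETTINGS_PY="${PORTAL_DIR}/lac/settings.py"
readonly MIDDLEWARE_ENTRY='app_dashboard.middleware.LoginRequiredMiddleware'

sed -i '/cdrom:/d' /etc/apt/sources.list
apt-get update
apt-get install -y debian-keyring debian-archive-keyring apt-transport-https curl

# The archive key is fetched over TLS from the same host that serves the
# packages, so the TLS connection is the only trust anchor for it; the key
# fingerprint is not pinned here. pipefail (above) makes a failed download
# abort the script instead of handing gpg an empty stream, and --batch --yes
# lets a re-run overwrite the keyring without prompting on a missing tty.
curl --proto '=https' --tlsv1.2 -sSfL 'https://repo.libre-workspace.org/gpg.key' \
  | gpg --batch --yes --dearmor -o "$KEYRING"

echo "deb [arch=amd64 signed-by=${KEYRING}] https://repo.libre-workspace.org stable main" \
  > /etc/apt/sources.list.d/libre-workspace-stable.list

apt-get update

# No --allow-unauthenticated: that option makes apt install packages whose
# signature cannot be verified, which defeats the signed-by keyring configured
# above. If this step fails on signature verification, fix the repository
# signing or the key rather than bypassing the check.
apt-get install -y libre-workspace-portal

bash "${PORTAL_DIR}/prepare_for_first_boot.sh"

# Write middleware.py directly
cat > "${PORTAL_DIR}/app_dashboard/middleware.py" << 'EOF'
import os
from django.conf import settings
from django.shortcuts import redirect


class LoginRequiredMiddleware:
    """
    Force login for all portal pages once setup is complete.
    During initial setup (LINUX_ARBEITSPLATZ_CONFIGURED=False), all traffic is allowed through.

    The following prefixes are always allowed through regardless of setup state:
    - /welcome/   : Setup wizard
    - /idm/       : Login page and user management
    - /static/    : Static files
    - /api/       : REST API uses its own API key authentication
    - /openid/    : OIDC provider must be reachable for Nextcloud SSO and other apps
    - /media/     : Media files
    - /robots.txt : Allow crawlers to read the robots.txt disallow rules
    """

    def __init__(self, get_response):
        self.get_response = get_response
        # NOTE(review): every path under these prefixes skips the login
        # redirect, so each one depends on its own views for access control
        # (per the docstring, /api/ uses API keys). Confirm that /idm/ and
        # /media/ expose nothing that should require a session.
        self.allowed_prefixes = [
            "/welcome/",
            "/idm/",
            "/static/",
            "/api/",
            "/openid/",
            "/media/",
            "/robots.txt",
        ]

    def _is_setup_complete(self):
        conf_path = "/etc/libre-workspace/portal/portal.conf"
        # NOTE(review): this check fails open. A missing or unreadable config
        # file is reported as "setup not complete", and __call__ then lets
        # every request through without authentication. The match is a plain
        # substring test, so any line containing both tokens (including a
        # commented-out one) counts as configured.
        try:
            with open(conf_path) as f:
                for line in f:
                    if "LINUX_ARBEITSPLATZ_CONFIGURED" in line and "True" in line:
                        return True
        except Exception:
            pass
        return False

    def __call__(self, request):
        if not self._is_setup_complete():
            return self.get_response(request)
        if not request.user.is_authenticated:
            for prefix in self.allowed_prefixes:
                if request.path.startswith(prefix):
                    return self.get_response(request)
            return redirect(settings.LOGIN_URL)
        return self.get_response(request)
EOF

# Add middleware to settings.py (skipped when a previous run already added it,
# so a re-run does not register the middleware twice).
if ! grep -qF "'${MIDDLEWARE_ENTRY}'" "$SETTINGS_PY"; then
  sed -i "s/'django.middleware.clickjacking.XFrameOptionsMiddleware',/&\n    '${MIDDLEWARE_ENTRY}',/" "$SETTINGS_PY"
fi

# sed exits 0 even when the anchor line is absent, which would leave the portal
# running without login enforcement. Verify the entry is really there before
# restarting the service.
if ! grep -qF "'${MIDDLEWARE_ENTRY}'" "$SETTINGS_PY"; then
  printf 'error: could not register %s in %s\n' "$MIDDLEWARE_ENTRY" "$SETTINGS_PY" >&2
  exit 1
fi

systemctl restart libre-workspace-portal

# Disable this service so it doesn't run again
systemctl disable first-boot-setup.service
rm -- /etc/systemd/system/first-boot-setup.service
rm -- /root/install-libreworkspace.sh
reboot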