############################################
# POSTINST (POSIX /bin/sh)
############################################
#!/bin/sh
# Stop at the first command that fails without an explicit fallback.
set -e

# systemd unit shipped by this package.
SERVICE="vpnclient.service"

# Client database and the directory that holds it.
DB_DIR="/var/lib/nacxwan/VpnClient"
DB="${DB_DIR}/vpnclient_data.db"

# The upgrade backup is kept under /var/lib ("dpkg-friendly") rather than /tmp.
# NOTE(review): this path is inside DB_DIR, which ensure_paths_and_perms sets
# to mode 1777, so unprivileged accounts can create entries next to it.
# Whatever is found here at configure time should be treated as untrusted
# unless the backup directory was created by root beforehand (not visible in
# this script; confirm against the preinst).
BACKUP_DIR="${DB_DIR}/.upgrade-backup"
BACKUP_DB="${BACKUP_DIR}/vpnclient_data.db"

LOG_DIR="/var/log/nacxwan/VpnClient"
# NOTE(review): both log "file" variables are assigned the directory itself,
# so the touch/chown/chmod 0666 calls in ensure_paths_and_perms act on
# LOG_DIR, not on log files. Presumably file names are missing here; confirm.
UI_LOG="${LOG_DIR}"
DAEMON_LOG="${LOG_DIR}"

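# Print an installer message on stdout and, when logger(1) is available,
# forward the same text to syslog under the tag "vpnclient-installer".
# Arguments: $* - message words, joined with single spaces
# Returns:   0 always
log() {
  # printf '%s\n' prints the text literally; echo's treatment of backslashes
  # differs between /bin/sh implementations.
  printf '%s\n' "POSTINST: $*"
  if command -v logger >/dev/null 2>&1; then
    # Syslog forwarding is best effort. The script runs under `set -e`, so a
    # non-zero exit from logger must not abort package configuration.
    logger -t vpnclient-installer "POSTINST: $*" 2>/dev/null || true
  fi
}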

# Succeeds when systemctl can be resolved and /run/systemd/system is a
# directory; otherwise returns the status of the check that failed.
is_systemd() {
  # A bare `return` hands back the status of the failed lookup.
  command -v systemctl >/dev/null 2>&1 || return
  test -d /run/systemd/system
}

# Enable the unit on a first installation only.
# Arguments: $@ - the maintainer-script arguments; a non-empty $2 is taken to
#                 mean an upgrade or reconfigure, and nothing is done.
# Returns:   0 always; a failing `systemctl enable` is ignored.
svc_enable_if_first_install() {
  # On Debian, $2 is empty only on the first install.
  [ -z "${2:-}" ] || return 0
  is_systemd || return 0
  systemctl enable "$SERVICE" >/dev/null 2>&1 || true
}

# Reload systemd unit files and restart the service when systemd is running.
# Returns: 0 always; failures of either systemctl call are ignored.
svc_restart() {
  is_systemd || return 0
  systemctl daemon-reload >/dev/null 2>&1 || true
  systemctl restart "$SERVICE" >/dev/null 2>&1 || true
}

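# Create the data and log directories and apply the sharing model the
# application expects (directories writable by every user, sticky bit set).
# Globals: DB_DIR, LOG_DIR, UI_LOG, DAEMON_LOG (read)
# Returns: 0 always; every step is best effort.
ensure_paths_and_perms() {
  # Parent directories stay root-owned and not writable by others.
  install -d -o root -g root -m 0755 /var/lib/nacxwan 2>/dev/null || true
  install -d -o root -g root -m 0755 /var/log/nacxwan 2>/dev/null || true

  # Directories shared by all users, with the sticky bit.
  # NOTE(review): mode 1777 lets any local account create entries here, and
  # this script later acts on fixed names inside them as root. A dedicated
  # group with mode 2770 would remove that exposure; confirm with the
  # application owners before changing the model.
  install -d -o root -g root -m 1777 "$DB_DIR" 2>/dev/null || true
  install -d -o root -g root -m 1777 "$LOG_DIR" 2>/dev/null || true

  # Default ACLs (best effort) so files stay writable under a strict umask.
  if command -v setfacl >/dev/null 2>&1; then
    for D in "$DB_DIR" "$LOG_DIR"; do
      setfacl -m "o:rwx" "$D" >/dev/null 2>&1 || true
      setfacl -m "d:o:rwx" "$D" >/dev/null 2>&1 || true
      setfacl -m "m:rwx" "$D" >/dev/null 2>&1 || true
      setfacl -m "d:m:rwx" "$D" >/dev/null 2>&1 || true
    done
  fi

  # Pre-create the fixed log files so they are not created 0644 under the
  # caller's umask.
  for F in "$UI_LOG" "$DAEMON_LOG"; do
    # With the values assigned at the top of this script both variables name
    # LOG_DIR itself. chmod 0666 on a directory strips its search and sticky
    # bits, so directories are skipped.
    if [ -d "$F" ]; then
      continue
    fi
    # The parent is world-writable, so a symlink at this name may have been
    # planted by an unprivileged user. Root must not touch/chmod through it.
    # The check is racy and is a mitigation, not a guarantee.
    if [ -L "$F" ]; then
      log "log path is a symlink, left untouched: $F" || true
      continue
    fi
    touch "$F" 2>/dev/null || true
    chown -h root:root "$F" 2>/dev/null || true
    chmod 0666 "$F" 2>/dev/null || true
  done
  return 0
}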

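# Copy one database file set (main file plus -wal/-shm sidecars).
# Arguments: $1 - source main file, $2 - destination main file
# Returns:   non-zero when the main file could not be copied
_copy_db_set() {
  _cds_rc=0
  for EXT in "" "-wal" "-shm"; do
    [ -f "${1}${EXT}" ] || continue
    # Source and destination can sit in directories writable by unprivileged
    # users. Following a symlink as root could expose another file's content
    # through the shared DB or overwrite an unrelated file, so neither side
    # is followed. The check is racy and is a mitigation, not a guarantee.
    if [ -L "${1}${EXT}" ] || [ -L "${2}${EXT}" ]; then
      log "symlink ignored during DB copy: ${1}${EXT} -> ${2}${EXT}" || true
      [ -n "$EXT" ] || _cds_rc=1
      continue
    fi
    if ! cp -f -- "${1}${EXT}" "${2}${EXT}" 2>/dev/null; then
      [ -n "$EXT" ] || _cds_rc=1
    fi
  done
  return "$_cds_rc"
}

# Restore the database from the upgrade backup when one exists; otherwise,
# if no database is present, migrate it from a legacy install location.
# Globals: DB, BACKUP_DIR, BACKUP_DB (read)
# Returns: 0 always; copy failures are logged, not fatal.
restore_or_migrate_db() {
  # Restore from the upgrade backup (+wal/+shm). A symlinked backup directory
  # is not trusted as a restore source.
  if [ ! -L "$BACKUP_DIR" ] && [ -f "$BACKUP_DB" ]; then
    log "restore DB depuis backup upgrade (+wal/+shm)"
    if _copy_db_set "$BACKUP_DB" "$DB"; then
      rm -rf -- "$BACKUP_DIR" 2>/dev/null || true
    else
      # Keep the only copy of the data when the restore did not succeed.
      log "DB restore failed, backup kept in $BACKUP_DIR" || true
    fi
    return 0
  fi

  # Migration from legacy locations (+wal/+shm); first existing one wins.
  if [ ! -f "$DB" ]; then
    for OLD in \
      "/usr/local/nacxwan/vpnclient/vpnclient_data.db" \
      "/usr/share/nacxwan/vpnclient/vpnclient_data.db"
    do
      if [ -f "$OLD" ]; then
        log "migration DB depuis $OLD (+wal/+shm)"
        _copy_db_set "$OLD" "$DB" || log "DB migration from $OLD failed" || true
        break
      fi
    done
  fi
  return 0
}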

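# Make the database, its -wal/-shm sidecars and the shared directories match
# the sharing model the application expects (files 0666, directories 1777).
# Globals: DB, DB_DIR, LOG_DIR (read)
# Returns: 0 always; every step is best effort.
fix_runtime_files_perms() {
  # NOTE(review): 0666 lets every local account rewrite the client database.
  # A dedicated group would narrow that; confirm with the application owners.
  for F in "$DB" "${DB}-wal" "${DB}-shm"; do
    # DB_DIR is world-writable, so a symlink at one of these names may have
    # been planted by an unprivileged user. touch/chmod as root would act on
    # its target, so symlinks are left alone and reported. The check is racy
    # and is a mitigation, not a guarantee.
    if [ -L "$F" ]; then
      log "database path is a symlink, permissions left untouched: $F" || true
      continue
    fi
    if [ ! -f "$F" ]; then
      # Only the main database is created when missing; sidecars are optional.
      [ "$F" = "$DB" ] || continue
      touch "$F" 2>/dev/null || true
    fi
    chown -h root:root "$F" 2>/dev/null || true
    chmod 0666 "$F" 2>/dev/null || true
  done

  # Shared directories: root-owned, world-writable, sticky.
  chown root:root "$DB_DIR" "$LOG_DIR" 2>/dev/null || true
  chmod 1777 "$DB_DIR" "$LOG_DIR" 2>/dev/null || true
  return 0
}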

# Refresh the desktop-entry database and the hicolor icon cache when the
# corresponding tools are installed.
# Returns: 0 always; a missing or failing tool is ignored.
refresh_caches() {
  if command -v update-desktop-database >/dev/null 2>&1; then
    update-desktop-database -q /usr/share/applications >/dev/null 2>&1 || true
  fi
  if command -v gtk-update-icon-cache >/dev/null 2>&1; then
    gtk-update-icon-cache -q /usr/share/icons/hicolor >/dev/null 2>&1 || true
  fi
}

# Record the action and version argument this script was called with.
log "$1 ${2:-}"

# Only "configure" does any work. abort-upgrade, abort-install, abort-remove,
# triggered and deconfigure (and any other action) are deliberate no-ops.
if [ "$1" = "configure" ]; then
  ensure_paths_and_perms
  restore_or_migrate_db
  fix_runtime_files_perms
  refresh_caches

  # Enable on first install only, then restart in every case.
  svc_enable_if_first_install "$@"
  svc_restart
fi

exit 0
