feuerwehr-getraenkeautomat-status/setup_testenv.sh

#!/bin/bash
#
# setup_testenv.sh — Local test environment setup for Feuerwehr Getränkeautomat Status
# Usage: sudo bash setup_testenv.sh
# Prerequisite: Project must already be located under /var/www
#

set -euo pipefail

# ── Determine project root (directory containing this script) ──────────────
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$SCRIPT_DIR"

# ── 1. Install Apache, PHP, and required modules ────────────────────────────
echo "→ Installing Apache (httpd), PHP, and required modules..."

sudo dnf install -y httpd php php-json php-mbstring php-xml jq

echo "✓ Packages installed"

# ── 2. Verify project is under /var/www ───────────────────────────────────
if [[ "$PROJECT_ROOT" != /var/www* ]]; then
    echo "ERROR: Project must be located under /var/www"
    echo "  Current location: $PROJECT_ROOT"
    echo "  Please move the project to /var/www (e.g. /var/www/feuerwehr-getraenkeautomat-status)"
    echo "  and run this script again from that location."
    exit 1
fi

echo "✓ Project location verified: $PROJECT_ROOT"

# ── 3. Update data/config.json to set base_path to /automat/ ───────────────
CONFIG_FILE="$PROJECT_ROOT/data/config.json"

if [[ ! -f "$CONFIG_FILE" ]]; then
    echo "ERROR: Config file not found: $CONFIG_FILE"
    exit 1
fi

echo "→ Updating config: app.base_path → /automat/"

jq '.app.base_path = "/automat/"' "$CONFIG_FILE" > "${CONFIG_FILE}.tmp"
mv "${CONFIG_FILE}.tmp" "$CONFIG_FILE"

echo "✓ Config updated"

# ── 4. Set ownership and permissions for Apache + current user ─────────────
CURRENT_USER=$(whoami)
APACHE_USER="apache"
APACHE_GROUP="apache"

echo "→ Setting permissions for user '$CURRENT_USER' and Apache user '$APACHE_USER'..."

# Ensure ACL support is available
if ! command -v setfacl &>/dev/null; then
    echo "  Installing ACL tools..."
    dnf install -y acl
fi

# Set ACLs so both the current user and Apache can read/write
setfacl -R -m u:"$CURRENT_USER":rwx,u:"$APACHE_USER":rwx "$PROJECT_ROOT"
setfacl -R -d -m u:"$CURRENT_USER":rwx,u:"$APACHE_USER":rwx "$PROJECT_ROOT"

# Also ensure the data directory itself is writable
chmod 0775 "$PROJECT_ROOT/data"
chmod 0664 "$PROJECT_ROOT/data/"*.json 2>/dev/null || true

echo "✓ Permissions configured (ACLs set for $CURRENT_USER and $APACHE_USER)"

# ── 5. Create Apache alias config for /automat ─────────────────────────────
APACHE_CONF="/etc/httpd/conf.d/automat.conf"

echo "→ Creating Apache configuration: $APACHE_CONF"

sudo cat > "$APACHE_CONF" << EOF
Alias /automat "$PROJECT_ROOT"

<Directory "$PROJECT_ROOT">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
EOF

echo "✓ Apache configuration written"

# ── 6. Enable and start httpd ─────────────────────────────────────────────
echo "→ Enabling and starting httpd..."

systemctl enable httpd
systemctl restart httpd

echo "✓ Apache (httpd) is running"

# ── 7. Configure SELinux permissions ─────────────────────────────────────
echo "→ Configuring SELinux permissions..."

# Check if SELinux is enabled
if command -v getenforce &>/dev/null; then
    SELINUX_STATUS=$(getenforce 2>/dev/null || echo "Disabled")
    if [[ "$SELINUX_STATUS" != "Disabled" && "$SELINUX_STATUS" != "Permissive" ]]; then
        echo "  SELinux is enabled ($SELINUX_STATUS), setting contexts..."
        
        # Install SELinux tools if not present
        if ! command -v semanage &>/dev/null; then
            echo "  Installing SELinux management tools..."
            sudo dnf install -y policycoreutils-python-utils
        fi
        
        # Set SELinux context for web content (readable by httpd)
        echo "  → Setting httpd_sys_content_t context for project files..."
        sudo semanage fcontext -a -t httpd_sys_content_t "$PROJECT_ROOT(/.*)?" 2>/dev/null || \
        sudo semanage fcontext -m -t httpd_sys_content_t "$PROJECT_ROOT(/.*)?" 2>/dev/null || true
        
        # Set SELinux context for data directory (writable by httpd/PHP)
        echo "  → Setting httpd_sys_rw_content_t context for data directory..."
        sudo semanage fcontext -a -t httpd_sys_rw_content_t "$PROJECT_ROOT/data(/.*)?" 2>/dev/null || \
        sudo semanage fcontext -m -t httpd_sys_rw_content_t "$PROJECT_ROOT/data(/.*)?" 2>/dev/null || true
        
        # Apply the contexts
        sudo restorecon -Rv "$PROJECT_ROOT" 2>/dev/null || true
        
        # Allow httpd to read/write to the data directory via PHP
        echo "  → Setting SELinux boolean: httpd_can_network_connect..."
        sudo setsebool -P httpd_can_network_connect on 2>/dev/null || true
        
        # If using PHP-FPM, allow httpd to connect to FPM socket
        if systemctl is-active php-fpm &>/dev/null; then
            echo "  → Allowing httpd to connect to PHP-FPM..."
            sudo setsebool -P httpd_can_network_relay on 2>/dev/null || true
        fi
        
        echo "✓ SELinux contexts configured"
    else
        echo "  SELinux is $SELINUX_STATUS, skipping SELinux configuration"
    fi
else
    echo "  (SELinux tools not found, skipping SELinux configuration)"
fi

# ── 8. Open firewall for HTTP ─────────────────────────────────────────────
echo "→ Configuring firewall for HTTP..."

if command -v firewall-cmd &>/dev/null; then
    firewall-cmd --permanent --add-service=http 2>/dev/null || true
    firewall-cmd --reload 2>/dev/null || true
    echo "✓ Firewall updated (HTTP service added)"
else
    echo "  (firewall-cmd not found, skipping firewall configuration)"
fi

# ── Done ───────────────────────────────────────────────────────────────────
echo ""
echo "========================================"
echo "  Setup complete!"
echo "========================================"
echo ""
echo "  Project root : $PROJECT_ROOT"
echo "  Served at    : http://localhost/automat/"
echo ""
echo "  Next steps:"
echo "  1. Open http://localhost/automat/ in your browser"
echo "  2. Check httpd status: sudo systemctl status httpd"
echo "  3. Check PHP errors:   $PROJECT_ROOT/data/php_errors.log"
echo "  4. Check SELinux denials: sudo ausearch -m AVC -ts recent"
echo ""