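#!/bin/bash
#
# Root admin helper: disk usage, URL health check, firewall / port-forward
# setup, proxy logs and off-site backup. Run without arguments to list the
# available sub-commands; any arguments are executed as "<function> [args]".
#
# The health sub-command reads its target list from the marker lines below,
# so each marker has to stay at the very start of a line in this file.
#
# curlcheck: https://playterm.org
# curlcheck: https://electribrary.electribers.com
# curlcheck: https://2wa.isvery.ninja

# disk <sub-command>: disk related helpers (currently only "space").
disk(){
  # Print used space, use percentage and available space of the root fs.
  space(){
    df -h | awk '$6 ~ /^\/$/ {print $3" total used ("$5") of "$4}'
    #echo '-------'
    #ls /home | while read user; do du -hs /home/$user; done
  }
  "$@"
}

# health: fetch every curlcheck URL listed in this file and print one row per
# URL with an online marker, a certificate marker and the total request time.
# NOTE(review): the ONLINE column only turns red on a DNS failure; a refused
# or timed-out connection is still shown as online, and curl runs without a
# time limit, so one hanging host stalls the whole check. Confirm whether
# that is intended before relying on this for alerting.
health(){
  echo "URL ONLINE SSL TIME"
  echo "- - - -"
  awk '/^# curlcheck: / {print $3}' "$0" | while read -r url; do
    printf "%s" "$url" | sed 's|.*://||g'
    curl -v -w 'Total: %{time_total}s\n' "${url}" 2>&1 | \
    awk '
      BEGIN{
        err="\033[5m\033[36;5;94m❌\033[0m"
        ok="\033[1;36m♥\033[0m"
        # SSL starts as failed and is only set to ok on a verified chain
        c["SSL"]=err
        c["ONL"]=ok
        c["TIM"]="?"
      }
      /SSL certificate verify ok/ {c["SSL"]=ok }
      /Could not resolve host:/ {c["ONL"]=err }
      /^Total: / {c["TIM"]=$2 }
      END {
        # values go through %s so they are never parsed as a format string
        printf "\r\t\t\t\t%s %s %s\n", c["ONL"], c["SSL"], c["TIM"]
      }
    '
  done
}

# init: one-time host setup.
init(){
  grep ulimit /etc/profile || echo 'ulimit -n 65535 || true' >> /etc/profile # compensate alpine's low fd's
}

# proxy [install]: optionally (re)install the firewall rules, then show the
# active rulesets and the forwarded-port summary stored in ./.ports.
proxy(){

  # Rebuild the iptables / ip6tables rules from scratch and persist them.
  # Returns 1, leaving the running ruleset untouched, when the external IPv4
  # address cannot be determined.
  install(){
    # The address comes from a third-party HTTP service and is expanded into
    # iptables commands that run as root, so it is fetched and validated
    # BEFORE anything is flushed. An empty or malformed reply would otherwise
    # leave the filter table flushed with the port 3000 block missing.
    ip_external=$(curl -fsS https://checkip.amazonaws.com)
    if [[ ! $ip_external =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
      echo "proxy install: no valid external IPv4 address, firewall left unchanged" >&2
      return 1
    fi
    ipv6_external=$(ip addr | awk '/inet6.*scope global/ { print $2 }')

    echo -e "\n[forwarded ports]" > .ports
    iptables -t nat -F # flush
    iptables -t nat -X # flush
    iptables -F # flush
    # the original "-F -t nat#" passed the literal table name "nat#" plus a
    # stray "flush" argument, so that command could only fail
    ip6tables -t nat -F # flush
    ip6tables -F # flush
    ip6tables -X # flush
    ip6tables -t nat -X

    # proxies
    # proxyport <public-port> <local-port> <label>: redirect a public TCP port
    # to an unprivileged local port and record the mapping in ./.ports.
    proxyport(){
      printf " %-5s => %-10s [%s]\n" "$1" "$2" "$3" >> .ports
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
      #ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport $1 -j REDIRECT --to-ports $2
      #iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport $1 -j REDIRECT --to-ports $2
      iptables -t nat -I OUTPUT -p tcp -d "$ip_external" --dport "$1" -j REDIRECT --to-ports "$2" # reverse ip
      #ip6tables -t nat -I OUTPUT -p tcp -d $ipv6_external --dport $1 -j REDIRECT --to-ports $2 # reverse ip
      ip6tables -A INPUT -p tcp --dport "$1" -j ACCEPT
      ip6tables -A OUTPUT -p tcp --dport "$1" -j ACCEPT
      #iptables -t nat -A POSTROUTING -p tcp --dport $2 -j MASQUERADE
    }
    proxyport 80 8080 nginx-proxy-manager
    #proxyport 81 8181 nginx-proxy-manager
    proxyport 443 4443 nginx-proxy-manager
    #proxyport 993 9993 stalwart-mail
    #proxyport 25 2225 stalwart-mail
    #proxyport 465 4465 stalwart-mail
    #proxyport 587 5587 nodered
    #proxyport 25 5587 nodered

    # block port 3000 (nginx-proxy-manager exposes it)
    iptables -A INPUT -p tcp -d "$ip_external" --dport 3000 -j REJECT
    # The IPv6 rule used to be given the IPv4 address and the reject type
    # "icmp6-adm-unreach-3", which is not one of the documented ip6tables
    # REJECT types, so it was never installed and port 3000 stayed reachable
    # over IPv6. Reject on every global IPv6 address instead (prefix length
    # stripped), with the default reject type like the IPv4 rule.
    local addr6
    # shellcheck disable=SC2086 -- one address per whitespace-separated word
    for addr6 in $ipv6_external; do
      ip6tables -A INPUT -p tcp -d "${addr6%/*}" --dport 3000 -j REJECT
    done

    # block port 25
    #iptables -A INPUT -p tcp -d $ip_external --dport 25 -j REJECT
    #ip6tables -A INPUT -p tcp -d $ip_external --dport 25-j REJECT

    # block irc 0.0.0.0:6667 port except for nodered docker
    iptables -A INPUT -i lo -p tcp --dport 6667 -j ACCEPT
    iptables -A INPUT -s 10.0.2.2 -p tcp --dport 6667 -j ACCEPT
    iptables -A INPUT -p tcp --dport 6667 -j REJECT
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A INPUT -s fd00::/64 -p tcp --dport 6667 -j ACCEPT
    ip6tables -A INPUT -p tcp --dport 6667 -j REJECT

    # rate limiting per ip
    #iptables --new-chain RATE-LIMIT
    #iptables --append RATE-LIMIT \
    # --match hashlimit \
    # --hashlimit-mode srcip \
    # --hashlimit-upto 50/sec \
    # --hashlimit-burst 20 \
    # --hashlimit-name conn_rate_limit \
    # --jump ACCEPT
    #iptables --append RATE-LIMIT --jump DROP

    # persist the rules across reboots
    rc-update add iptables
    rc-update add ip6tables
    /etc/init.d/iptables save
    /etc/init.d/ip6tables save
  }

  clear
  "$@"
  # always show the resulting state, also when no sub-command was given
  {
    iptables -t nat -L -n -v
    iptables -L
    ip6tables -L
  } | more
  cat .ports
}

# logs: follow the nginx-proxy-manager logs without favicon noise.
logs(){
  tail -qf /home/2wa/nginx-proxy-manager/data/log/*.log | grep -v favicon | sed 's|\] \[.*|]|g'
}

# backup: archive configuration and service data, then copy the archive to
# the rclone remote "stack:".
# NOTE(review): the archive contains SSH private keys (/root/.ssh,
# /home/2wa/.ssh) and the proxy *.key files, and nothing in this function
# encrypts it before upload. Confirm that the rclone remote is an encrypted
# (crypt) remote, or encrypt the archive before copying it off the host.
backup(){
  # without this check the archive and the crontab dumps would be written
  # into whatever directory the caller happened to be in
  cd /root || return
  echo "$(date) ./admin backup [start]" >> .cron.log
  BACKUP=backup-2wa.isvery.ninja.zip
  crontab -l > crontab.root.txt
  apk list -i > alpine.packages.txt
  echo "$(su -c 'crontab -l' 2wa)" > crontab.2wa.txt
  # zip progress lines contain "%" ("deflated 45%"), so they are printed via
  # %s instead of being used as the awk printf format themselves
  nice -n 19 /usr/bin/ionice -c2 -n7 zip -r "$BACKUP" \
    /root/admin /root/crontab.* /root/alpine*.txt /root/.ssh \
    /home/2wa/.ssh /home/2wa/.config \
    /home/2wa/nginx-proxy-manager/{app.sh,data,*.key} \
    /home/2wa/weechat-redbean \
    /home/2wa/invoiceninja \
    /home/2wa/mailtrain \
    /home/2wa/stalwart-mail \
    /home/2wa/node-red \
    /home/2wa/ntfy \
    /home/2wa/portsleep* \
    /home/2wa/tcgi* \
    /home/2wa/stats \
    -x '*.log.*' -x '*.weecha*' -x 'postfix/*' | awk '{ printf( "\r%s", $0 ) } END{ print ""}'
  ls -lah "$BACKUP"
  rclone copy "$BACKUP" stack:backup/. --progress
  echo "$(date) ./admin backup [stop]" >> /root/.cron.log
}

# Without arguments: list the function definitions of this file as usage.
test -z "$1" && { echo "Usage: "; grep '(){' "$0"; }
# Dispatch: the arguments are run verbatim as a command, so this script must
# only ever be invoked by a trusted operator.
"$@"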