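#!/bin/bash
#
# Back up a Gitea instance: stop the service, archive the data directory,
# dump the MySQL database, restart the service, then encrypt both artifacts
# with the passphrase stored in KEY_FILE.

# Without pipefail the status of `a | zstd` is zstd's alone, so a failing
# tar or mysqldump would go unnoticed and an empty or truncated backup would
# be encrypted and shipped as if it were good.
set -o pipefail

BACKUP_DIR="/mnt/hardestdrive/gitea-backup"
LOG_DIR="/mnt/hardestdrive/gitea-backup-logs"
DATA_DIR="/mnt/hardestdrive/gitea"
DB_USER="root"
DB_NAME="gitea"
TIMESTAMP=$(date +"%Y%m%d-%H%M%S")
DB_BACKUP_FILE="${BACKUP_DIR}/gitea-database-backup-${TIMESTAMP}.sql.zst"
ARCHIVE_FILE="${BACKUP_DIR}/gitea-backup-${TIMESTAMP}.tar.zst"
ENCRYPTED_DB_BACKUP_FILE="${DB_BACKUP_FILE}.enc"
ENCRYPTED_ARCHIVE_FILE="${ARCHIVE_FILE}.enc"
KEY_FILE="/mnt/hardestdrive/gitea-backup.key"
REMOTE_USER="tom"
REMOTE_HOST="nordicdatarefinement.com"
REMOTE_PORT="23"
REMOTE_DIR="/mnt/hdd/gitea-backup"
REMOTE_KEEP_OLD=7

# ssh is listed as well: it is the rsync transport and is also called
# directly for the remote cleanup.
REQUIRED_PROGRAMS=("rsync" "ssh" "mysqldump" "zstd" "tar" "systemctl" "openssl")

for prog in "${REQUIRED_PROGRAMS[@]}"; do
  if ! command -v "$prog" &>/dev/null; then
    echo "Error: $prog is not installed." >&2
    exit 1
  fi
done

# Fail before touching the service if the encryption passphrase is missing.
# NOTE(review): KEY_FILE protects every backup; confirm it is readable only
# by the account that runs this script.
if [[ ! -f "$KEY_FILE" ]]; then
  printf "Key file doesn't exist at '%s'\n" "$KEY_FILE" >&2
  exit 1
fi

mkdir -p "${LOG_DIR}"

# Print a timestamped message and append it to this run's log file.
# Arguments: $1 - message text
log() {
  local msg
  msg="$(date +"%Y-%m-%d %H:%M:%S") $1"
  printf '%s\n' "$msg" | tee -a "${LOG_DIR}/$TIMESTAMP.log"
}

# Set to 1 while Gitea is (or may be) down because of this script.
gitea_stopped=0

# Start Gitea again if this script took it down. Installed as an EXIT trap
# so that an early exit cannot leave the service stopped.
restart_gitea() {
  if ((gitea_stopped)); then
    log "Starting Gitea service..."
    systemctl start gitea || log "Error: failed to start Gitea service."
    gitea_stopped=0
  fi
}
trap restart_gitea EXIT

log "Stopping Gitea service..."
gitea_stopped=1
if ! systemctl stop gitea; then
  # Archiving a running instance could capture an inconsistent state.
  log "Error stopping Gitea service."
  exit 1
fi

log "Creating backup directories..."
# The plaintext archive and SQL dump sit in BACKUP_DIR until they are
# encrypted; keep everything created from here on owner-only.
umask 077
if ! mkdir -p "$BACKUP_DIR"; then
  log "Error creating backup directory."
  exit 1
fi

log "Creating archive of Gitea..."
if ! tar -cf - -C "${DATA_DIR}" . | zstd -o "${ARCHIVE_FILE}"; then
  log "Error during archive creation."
  exit 1
fi

log "Backing up MySQL database..."
if ! mysqldump --single-transaction -u "${DB_USER}" "${DB_NAME}" | zstd >"${DB_BACKUP_FILE}"; then
  log "Error during database backup."
  exit 1
fi

restart_gitea

# openssl enc with AES-256-CBC gives confidentiality only: the output has no
# authentication tag, so a modified ciphertext is not detected on decrypt.
# If integrity matters, keep a checksum of the .enc files somewhere the
# remote host cannot change.
log "Encrypting the SQL dump..."
# To decrypt:
# openssl enc -aes-256-cbc -d -pbkdf2 -in "${ENCRYPTED_DB_BACKUP_FILE}" -out "gitea-database-backup-${TIMESTAMP}.sql.zst" -pass file:"${KEY_FILE}"
if ! openssl enc -aes-256-cbc -salt -pbkdf2 -in "${DB_BACKUP_FILE}" -out "${ENCRYPTED_DB_BACKUP_FILE}" -pass file:"${KEY_FILE}"; then
  log "Error during SQL dump encryption."
  exit 1
fi

# Remove the plaintext dump only once its encrypted copy exists.
rm -- "${DB_BACKUP_FILE}"

log "Encrypting the tarball..."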
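# Encrypt the data archive with the passphrase read from KEY_FILE.
# To decrypt:
# openssl enc -aes-256-cbc -d -pbkdf2 -in "${ENCRYPTED_ARCHIVE_FILE}" -out "gitea-backup-${TIMESTAMP}.tar.zst" -pass file:"${KEY_FILE}"
if ! openssl enc -aes-256-cbc -salt -pbkdf2 -in "${ARCHIVE_FILE}" -out "${ENCRYPTED_ARCHIVE_FILE}" -pass file:"${KEY_FILE}"; then
  log "Error during tarball encryption."
  exit 1
fi

# Remove the plaintext archive only once its encrypted copy exists.
rm -- "${ARCHIVE_FILE}"

log "Gitea backup completed successfully and encrypted."

# Only the two encrypted files are sent; the remote host never receives
# plaintext or the key file.
log "Sending backups to remote server..."
if ! rsync -av --progress -e "ssh -p ${REMOTE_PORT}" \
  "${ENCRYPTED_DB_BACKUP_FILE}" "${ENCRYPTED_ARCHIVE_FILE}" \
  "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_DIR}"; then
  log "Error during rsync to remote server."
  exit 1
fi

log "Backups sent successfully."

log "Removing dumps locally"
# ${VAR:?} aborts instead of running a recursive rm on an empty path.
rm -r -- "${BACKUP_DIR:?}"

log "Cleaning up old backups on remote server, keeping ${REMOTE_KEEP_OLD}..."
# The here-document is the script run by the remote shell. Its delimiter is
# unquoted, so ${REMOTE_DIR} and ${REMOTE_KEEP_OLD} are expanded locally,
# while the backslash-escaped \$(...) and \${...} are evaluated remotely.
# The sqls stanza mirrors the tars stanza; its glob matches the names this
# script produces for ENCRYPTED_DB_BACKUP_FILE.
if ! ssh -p "${REMOTE_PORT}" "${REMOTE_USER}@${REMOTE_HOST}" <<EOF
sqls=\$(ls ${REMOTE_DIR}/gitea-database-backup-*.sql.zst.enc 2>/dev/null)
if [ \$(echo "\${sqls}" | wc -l) -gt ${REMOTE_KEEP_OLD} ]; then
  echo "\${sqls}" | sort | head -n -${REMOTE_KEEP_OLD} | xargs -I {} rm -- {}
fi
tars=\$(ls ${REMOTE_DIR}/gitea-backup-*.tar.zst.enc 2>/dev/null)
if [ \$(echo "\${tars}" | wc -l) -gt ${REMOTE_KEEP_OLD} ]; then
  echo "\${tars}" | sort | head -n -${REMOTE_KEEP_OLD} | xargs -I {} rm -- {}
fi
EOF
then
  log "Error during remote cleanup."
  exit 1
fi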