#!/bin/bash
# post install script for logcorrelator RPM package
# Compatible with CentOS 7, Rocky Linux 8, 9, 10
#
# Configuration file policy:
# - logcorrelator.yml: %config(noreplace) - NEVER overwritten on upgrade
# - logcorrelator.yml.example: ALWAYS updated with new configuration options
# - On first install: logcorrelator.yml is created from logcorrelator.yml.example
# - On upgrade: existing logcorrelator.yml is preserved

set -e

# Create logcorrelator user and group
if ! getent group logcorrelator >/dev/null 2>&1; then
    groupadd --system logcorrelator
fi

if ! getent passwd logcorrelator >/dev/null 2>&1; then
    useradd --system \
        --gid logcorrelator \
        --home-dir /var/lib/logcorrelator \
        --no-create-home \
        --shell /usr/sbin/nologin \
        logcorrelator
fi

# Create directories
mkdir -p /var/lib/logcorrelator
mkdir -p /var/log/logcorrelator
mkdir -p /var/run/logcorrelator

# Set ownership
# /var/run/logcorrelator: must be owned by logcorrelator for socket creation
# /var/log/logcorrelator: must be owned by logcorrelator for log file writing
# /var/lib/logcorrelator: home directory for the service
chown -R logcorrelator:logcorrelator /var/lib/logcorrelator
chown -R logcorrelator:logcorrelator /var/log/logcorrelator
chown -R logcorrelator:logcorrelator /var/run/logcorrelator
chown -R logcorrelator:logcorrelator /etc/logcorrelator

# Set permissions
# /var/run/logcorrelator: 755 to allow other users/apps to create sockets if needed
# /var/log/logcorrelator: 750 to restrict log access
# /var/lib/logcorrelator: 750 for service data
# /etc/logcorrelator: 750 to restrict config access
chmod 755 /var/run/logcorrelator
chmod 750 /var/lib/logcorrelator
chmod 750 /var/log/logcorrelator
chmod 750 /etc/logcorrelator

# Copy default config example (always updated)
# The main config file is preserved across upgrades via %config(noreplace)
if [ -f /etc/logcorrelator/logcorrelator.yml.example ]; then
    chown logcorrelator:logcorrelator /etc/logcorrelator/logcorrelator.yml.example
    chmod 640 /etc/logcorrelator/logcorrelator.yml.example
fi

# Create main config file only if it doesn't exist (first install)
if [ ! -f /etc/logcorrelator/logcorrelator.yml ]; then
    cp /etc/logcorrelator/logcorrelator.yml.example /etc/logcorrelator/logcorrelator.yml
    chown logcorrelator:logcorrelator /etc/logcorrelator/logcorrelator.yml
    chmod 640 /etc/logcorrelator/logcorrelator.yml
fi

# Set permissions for logrotate config
if [ -f /etc/logrotate.d/logcorrelator ]; then
    chmod 644 /etc/logrotate.d/logcorrelator
fi

# Reload systemd
if [ -x /bin/systemctl ]; then
    systemctl daemon-reload
    systemctl enable logcorrelator.service
    systemctl start logcorrelator.service
fi

exit 0