#!/usr/bin/env bash

set -e

if [ ! -f /var/lib/krb5kdc/principal ]; then
    REALM="${KRB5_REALM:?KRB5_REALM must be set for first-time initialisation}"
    DOMAIN="${KRB5_DOMAIN:?KRB5_DOMAIN must be set for first-time initialisation}"
    KDC_HOST="${KRB5_KDC_HOST:?KRB5_KDC_HOST must be set to the FQDN of this KDC}"
    MASTER_PASSWORD="${KRB5_MASTER_PASSWORD:?KRB5_MASTER_PASSWORD must be set for first-time initialisation}"
    ADMIN_PRINCIPAL="${KRB5_ADMIN_PRINCIPAL:-admin}"
    ADMIN_PASSWORD="${KRB5_ADMIN_PASSWORD:?KRB5_ADMIN_PASSWORD must be set for first-time initialisation}"

    cat > /var/lib/krb5kdc/krb5.conf <<EOF
[libdefaults]
    default_realm = ${REALM}
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    ${REALM} = {
        kdc = ${KDC_HOST}
        admin_server = ${KDC_HOST}
    }

[domain_realm]
    .${DOMAIN} = ${REALM}
    ${DOMAIN} = ${REALM}
EOF

    cat > /var/lib/krb5kdc/kdc.conf <<EOF
[kdcdefaults]
    kdc_ports = 88

[realms]
    ${REALM} = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/var/lib/krb5kdc/kadm5.keytab
        acl_file = /var/lib/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/krb5kdc/stash
        kdc_ports = 88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
        default_principal_flags = +preauth
    }
EOF

    cat > /var/lib/krb5kdc/kadm5.acl <<EOF
${ADMIN_PRINCIPAL}/admin@${REALM} *
EOF

    cp /var/lib/krb5kdc/krb5.conf /etc/krb5.conf

    echo "Initializing Kerberos realm ${REALM}..."
    KRB5_KDC_PROFILE=/var/lib/krb5kdc/kdc.conf kdb5_util create -s -P "${MASTER_PASSWORD}" -r "${REALM}"
    KRB5_KDC_PROFILE=/var/lib/krb5kdc/kdc.conf kadmin.local -q "addprinc -pw ${ADMIN_PASSWORD} ${ADMIN_PRINCIPAL}/admin@${REALM}"
    echo "Realm initialized."
else
    echo "Realm already initialized, skipping."
    cp /var/lib/krb5kdc/krb5.conf /etc/krb5.conf

    CONFIGURED_HOST=$(grep -E '^\s+kdc\s*=' /var/lib/krb5kdc/krb5.conf | head -1 | cut -d= -f2- | tr -d ' ')
    if [ "$(hostname)" != "${CONFIGURED_HOST}" ]; then
        echo "Error: container hostname '$(hostname)' does not match configured KDC host '${CONFIGURED_HOST}'" >&2
        exit 1
    fi
fi

export KRB5_KDC_PROFILE=/var/lib/krb5kdc/kdc.conf

krb5kdc -n &
KDC_PID=$!

kadmind -nofork &
KADMIND_PID=$!

wait -n $KDC_PID $KADMIND_PID