#!/bin/bash
# installer.sh - LiteSpeed Server Appliance Installer
# An Open Source Appliance from Robbie Ferguson
# (c) 2025 Robbie Ferguson - Licensed under Apache 2.0

set -e

# Variables
DEBIAN_FRONTEND=noninteractive

# Update system
apt update && apt upgrade -y

# Install essentials
apt install -y curl wget gnupg2 software-properties-common lsb-release unzip htop ufw fail2ban

# MariaDB
apt install -y mariadb-server mariadb-client

# Secure MariaDB (default root password is blank)
mysql -u root <<EOF
DELETE FROM mysql.user WHERE User='';
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';
FLUSH PRIVILEGES;
EOF

# OpenLiteSpeed repo and install
wget -qO - https://repo.litespeed.sh | bash
apt install -y openlitespeed

# Start OpenLiteSpeed once to initialize directories
systemctl start lsws
sleep 2

# PHP and extensions
PHPVER=82
apt install -y lsphp$PHPVER lsphp$PHPVER-common lsphp$PHPVER-mysql lsphp$PHPVER-curl lsphp$PHPVER-imagick lsphp$PHPVER-intl lsphp$PHPVER-opcache lsphp$PHPVER-redis

# Set lsphp as default for LiteSpeed
systemctl stop lsws
sed -i 's/lsphp.*/lsphp$PHPVER/' /usr/local/lsws/conf/httpd_config.conf
systemctl start lsws

# Enable GZIP and Brotli compression
cat <<EOL >> /usr/local/lsws/conf/httpd_config.conf

compress 1
compressBr 1
EOL

# Redis for object caching
apt install -y redis-server php-redis

# Enable and start Redis
systemctl enable redis-server
systemctl start redis-server

# Setup default virtual host
mkdir -p /var/www/html
chown -R www-data:www-data /var/www/html

# Generate self-signed certificate for HTTPS
mkdir -p /etc/ssl/litespeed
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/litespeed/selfsigned.key \
  -out /etc/ssl/litespeed/selfsigned.crt \
  -subj "/C=US/ST=Denial/L=Nowhere/O=Dis/CN=localhost"

# Configure listener for HTTPS (443) in LiteSpeed
cat <<EOF >> /usr/local/lsws/conf/httpd_config.conf
listener SSL {
  address                 *:443
  secure                  1
  keyFile                 /etc/ssl/litespeed/selfsigned.key
  certFile                /etc/ssl/litespeed/selfsigned.crt
  vhRoot                  /var/www/html/
  vhMap                   Example *
}
EOF

# Install Certbot for optional Let's Encrypt
apt install -y certbot python3-certbot

# Configure UFW rules
ufw allow 22/tcp       # SSH
ufw allow 80/tcp       # HTTP
ufw allow 443/tcp      # HTTPS
ufw allow 7080/tcp     # LiteSpeed WebAdmin
ufw --force enable

# Restart OpenLiteSpeed to apply changes
systemctl restart lsws

# Print completion message
echo "\nLiteSpeed Server Appliance installed successfully!"
echo "Default Web Root: /var/www/html"
echo "Access OpenLiteSpeed WebAdmin at: https://<your-server-ip>:7080"
echo "Default admin login: admin / 123456 (change this immediately)"
echo "Run '/usr/local/lsws/admin/misc/admpass.sh' as root to change WebAdmin password"
echo "Self-signed SSL enabled for main site. Run Certbot later to upgrade to Let's Encrypt."