#!/bin/bash
# Put the standard system directories ahead of whatever PATH the caller
# supplied, so the privileged tools used below (useradd, dnf/apt-get,
# systemctl, ...) are looked up there first.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH

: '
Copyright (C) 2022 - now  HaoZi Technology Co., Ltd.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.
'

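# Load the panel's shared helpers (setup_path, OS, CORES, download_url, HR,
# error, ...) from the CDN.
#
# NOTE(review): this executes code fetched over HTTPS with no integrity check
# beyond the TLS connection; a compromised or spoofed CDN gets root on this
# host. Pinning a digest or verifying a signature would close that gap.
#
# The previous `source <(curl ...)` could not detect a failed download: the
# exit status of a process substitution is invisible to `source`, so an empty
# stream was sourced "successfully" and the script carried on with every
# helper variable unset. Fetch into a variable first so curl's own status
# (and an empty body) is checked before anything is executed.
public_sh=$(curl -fsS --connect-timeout 10 --retry 3 https://dl.cdn.haozi.net/panel/public.sh)
if [ $? -ne 0 ] || [ -z "${public_sh}" ]; then
    echo "下载 public.sh 失败,请检查网络或稍后重试。"
    echo "Download public.sh failed, please check the network or try again later."
    exit 1
fi
source <(printf '%s\n' "${public_sh}")
unset public_sh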

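channel=${1}
version=${2}

# version is spliced into the download URL, file names and the panel
# registration below; restrict it to a plain token so a malformed value cannot
# become extra path components or URL segments.
if [[ ! "${version}" =~ ^[0-9A-Za-z._-]+$ ]]; then
    error "memcached 版本号无效"
fi

# Refuse to continue if the sourced helpers did not provide setup_path: an
# empty value would otherwise turn the install root (and the rm -rf later on)
# into /server/memcached.
memcached_path="${setup_path:?setup_path is not set (public.sh not loaded?)}/server/memcached"

# Dedicated unprivileged service account. -r allocates a system UID/GID and
# -M avoids creating a home directory the daemon never needs (useradd on RHEL
# creates one by default).
if ! id -u memcached >/dev/null 2>&1; then
    groupadd -r memcached
    useradd -r -M -s /sbin/nologin -g memcached memcached
fi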

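# Install the toolchain and the OpenSSL / SASL / libevent development
# packages the build below links against.
#
# Each package-manager step is chained with && so that a failure in any of
# them (not only the last one, as before) is what the status check sees.
case "${OS}" in
    rhel)
        dnf makecache -y &&
        dnf groupinstall "Development Tools" -y &&
        dnf install openssl-devel cyrus-sasl cyrus-sasl-devel libevent-devel -y
        ;;
    debian|ubuntu)
        apt-get update &&
        apt-get install build-essential libssl-dev libsasl2-2 libsasl2-dev libevent-dev -y
        ;;
    *)
        error "不支持的操作系统"
        ;;
esac
if [ "$?" != "0" ]; then
    error "安装依赖软件失败"
fi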

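# Prepare a clean install root. The :? guard aborts instead of expanding to a
# near-root path if the variable is somehow empty.
rm -rf -- "${memcached_path:?}"
mkdir -p -- "${memcached_path}"
cd "${memcached_path}" || error "memcached 目录创建失败"

# Download the source tarball and its digest from the panel mirror.
tarball="memcached-${version}.tar.gz"
wget_opts=(--retry-connrefused --retry-on-host-error --retry-on-http-error=429,500,502,503,504 -t 10 -T 120)
wget "${wget_opts[@]}" -O "${memcached_path}/${tarball}" "${download_url}/memcached/${tarball}"
wget "${wget_opts[@]}" -O "${memcached_path}/${tarball}.sha256" "${download_url}/memcached/${tarball}.sha256"

# Integrity check. The digest file is served by the same origin as the
# tarball, so this catches truncated or corrupted downloads (a failed wget -O
# leaves an empty file, which also fails here) but not a mirror that serves a
# tampered tarball together with a matching digest. Pinning a known-good
# digest, or verifying upstream's signature, would be needed for that.
if ! sha256sum --status -c "${tarball}.sha256"; then
    rm -rf -- "${memcached_path:?}"
    error "memcached 校验失败"
fi

tar -zxvf "${tarball}"
rm -f -- "${tarball}" "${tarball}.sha256"
# Upstream tarballs unpack into memcached-<version>/; fail loudly if the
# archive did not, instead of running configure in the wrong directory.
mv -- "memcached-${version}" src || error "memcached 解压失败"
cd src || error "memcached 解压失败"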

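# Build against the system OpenSSL/SASL/libevent with TLS and SASL support
# compiled in; install into the panel's own prefix.
if ! ./configure --prefix="${memcached_path}" --enable-tls --enable-sasl --enable-sasl-pwdb --enable-64bit; then
    rm -rf -- "${memcached_path:?}"
    error "memcached 配置失败"
fi

# Fall back to a single job if the helper did not set CORES: a bare `make -j`
# runs an unlimited number of parallel jobs and can exhaust memory.
if ! make -j"${CORES:-1}"; then
    rm -rf -- "${memcached_path:?}"
    error "memcached 编译失败"
fi

make install
if [ ! -f "${memcached_path}/bin/memcached" ]; then
    rm -rf -- "${memcached_path:?}"
    error "memcached 安装失败"
fi

# Ownership: root owns the tree; the service account only gets read/execute
# through the memcached group. Previously the service user owned (and could
# overwrite) its own binary and build tree, which lies outside the paths
# ProtectSystem=full makes read-only, so a compromised daemon could plant a
# replacement that runs on the next restart. Nothing here needs to be
# writable by the daemon at runtime. The X bit grants execute only on
# directories and files that are already executable.
chown -R root:memcached "${memcached_path}"
chmod -R u=rwX,g=rX,o= "${memcached_path}"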

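# Install the systemd unit. The heredoc is unquoted on purpose so that
# ${memcached_path} is expanded now; everything else in it is literal.
#
# The previous ExecStart ended in $OPTIONS. Because the heredoc is unquoted,
# bash expanded that from the installer's environment at write time (normally
# to nothing) rather than leaving it for systemd, and no EnvironmentFile
# defines it, so it is dropped.
cat >/etc/systemd/system/memcached.service <<EOF
[Unit]
Description=memcached daemon
After=network.target
Wants=network.target

[Service]
User=memcached
Group=memcached
Type=simple
Restart=on-failure
RestartSec=5s
# Listen on loopback only: memcached has no authentication by default, and an
# instance reachable from the network exposes cached data and accepts
# arbitrary writes. Add further -l addresses deliberately if a remote client
# is required (preferably with the TLS/SASL support this build enables).
# -U 0 keeps the UDP listener off (the classic amplification vector).
ExecStart=${memcached_path}/bin/memcached -l 127.0.0.1 -p 11211 -U 0 -u memcached -m 128 -c 1024

# Set up a new file system namespace and mounts private /tmp and /var/tmp
# directories so this service cannot access the global directories and
# other processes cannot access this service's directories.
PrivateTmp=true

# Mounts the /usr, /boot, and /etc directories read-only for processes
# invoked by this unit.
ProtectSystem=full

# Makes /home, /root and /run/user inaccessible; the daemon has no business
# there.
ProtectHome=true

# Ensures that the service process and all its children can never gain new
# privileges
NoNewPrivileges=true

# Sets up a new /dev namespace for the executed processes and only adds API
# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
PrivateDevices=true

# Required for dropping privileges and running as a different user
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE

# Restricts the set of socket address families accessible to the processes
# of this unit. Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Attempts to create memory mappings that are writable and executable at
# the same time, or to change existing memory mappings to become executable
# are prohibited.
MemoryDenyWriteExecute=true

# Explicit module loading will be denied. This allows to turn off module
# load and unload operations on modular kernels. It is recommended to turn
# this on for most services that do not need special file systems or extra
# kernel modules to work.
ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
# will be made read-only to all processes of the unit. Usually, tunable
# kernel variables should only be written at boot-time, with the sysctl.d(5)
# mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true

# The Linux Control Groups (cgroups(7)) hierarchies accessible through
# /sys/fs/cgroup will be made read-only to all processes of the unit.
# Except for container managers no services should require write access
# to the control groups hierarchies; it is hence recommended to turn this
# on for most services
ProtectControlGroups=true

# Any attempts to enable realtime scheduling in a process of the unit are
# refused.
RestrictRealtime=true

# Takes away the ability to create or manage any kind of namespace
RestrictNamespaces=true

[Install]
WantedBy=multi-user.target
EOF

chmod 644 /etc/systemd/system/memcached.service

systemctl daemon-reload
if ! systemctl enable --now memcached; then
    error "启动失败"
fi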

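# Record the installed app, channel and version in the panel. Report a
# failure instead of printing "安装完成" over a registration that did not
# happen.
if ! panel-cli app write memcached "${channel}" "${version}"; then
    error "写入面板应用信息失败"
fi

echo -e "${HR}"
echo "安装完成"
echo -e "${HR}"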