#!/bin/bash

######################################################################################
#### Version 2.2                                                                  ####
#### For questions or comments contact@mylinux.work                               ####
#### Author : Phil Connor                                                         ####
####                                                                              ####
#### Notes :                                                                      ####
####   This script is a simple "helper" to install and configure Maria,           ####
####   PowerDNS and PowerAdmin on RedHat Based servers.                           ####
####   There is no silver bullet. Don't expect the perfect setup,                 ####
####   review comments and adapt the parameters to your application usage.        ####
####                                                                              ####
####   Use this script at your OWN risk. There is no guarantee whatsoever.        ####
####                                                                              ####
####   Usage chmod 755 then ./PdnsInstall.sh or bash PdnsInstall.sh               ####
######################################################################################

########################
#### User Variables ####
########################
MYSQL_PASS='Password@123'               # <-- Your MySql root Password here
MY_PDNS_USR=pdns                        # <-- The username for your PowerDNS connect to DB
MY_PDNS_DB=powerdns                     # <-- The name for your PowerDNS DB
MY_PDNS_PW=somepassword                 # <-- The password you wantt for you PowerDNS DB
MY_PDNS_HOST=localhost                  # <-- The default here is localhost, but can be set to a remote host if you have configured that
DEL_MY_CNF=Y                            # <-- Place a Capital Y for yes or N for no here to delete /root/.my.cnf when db_instal function is done
WEB_HOST_NAME=test1.linuxcomputer.cloud # <-- The FQDN of your server goes here
EMAIL=admin@$WEB_HOST_NAME              # <-- This is the email you want to use for Let's Encrypt registations
HTTP=nginx                              # <-- Choose apache or nginx --> The apache Config is in BETA TESTING please only choose nginx unless you know what your doing

##########################
#### System Variables ####
##########################
ip4=$(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1)
host=$(hostname -f)

if [ "$(command -v lsb_release)" ]; then
    OS=$(lsb_release -i | awk '{print $3}' | tr '[:upper:]' '[:lower:]')
    OSVER=$(lsb_release -r | awk '{print $2}' | awk -F. '{print $1}')
else 
    OS=$(grep PRETTY_NAME /etc/os-release | sed 's/PRETTY_NAME=//g' | tr -d '="' | awk '{print $1}' | tr '[:upper:]' '[:lower:]')
    OSVER=$(grep VERSION_ID /etc/os-release | sed 's/VERSION_ID=//g' | tr -d '="' | awk -F. '{print $1}')
fi

###########################################################
#### Detect Package Manger from OS and OSVer Variables ####
###########################################################
if [[ ${OS} = alma || ${OS} = amazon || ${OS} = centos || ${OS} = red || ${OS} = rocky || ${OS} = oracle ]]; then
	if [ "${OSVER}" = 7 ]; then
		PAKMGR="yum -y"
	else
		PAKMGR="dnf -y"
	fi
elif [ "${OS}" = ubuntu ]; then
	PAKMGR="apt -y"
fi

##########################
#### Detect Root User ####
##########################
function check_RootUser() {
    #if [ "$(id -u)" != "0" ]; then
    if [ "$(whoami)" != 'root' ]; then
        echo "You dont have permission to run $0 as non-root user. Use sudo su -"
        exit 1
    fi

}

####################
#### Code Start ####
####################

#########################
#### Install MariaDB ####
#########################
function install_mysql() {
    {
        if [ ! "$(command -v mysql)" ]; then
            if [ "${OS}" = ubuntu ]; then
                ${PAKMGR} update
                ${PAKMGR} install mariadb-client mariadb-server
            else
                ${PAKMGR} install mariadb mariadb-server
            fi
        fi
        systemctl enable --now mariadb
    }
}

######################
#### Secure MySQL ####
######################
function secure_mysql() {
    {
        if [ ! "$(command -v expect)" ]; then
            ${PAKMGR} install expect
        fi

        expect -f - <<-EOF
            set timeout 10
            spawn mysql_secure_installation
            expect "Enter current password for root (enter for none):"
            send -- "\r"
            expect "Set root password?"
            send -- "y\r"
            expect "New password:"
            send -- "${MYSQL_PASS}\r"
            expect "Re-enter new password:"
            send -- "${MYSQL_PASS}\r"
            expect "Remove anonymous users?"
            send -- "y\r"
            expect "Disallow root login remotely?"
            send -- "y\r"
            expect "Remove test database and access to it?"
            send -- "y\r"
            expect "Reload privilege tables now?"
            send -- "y\r"
            expect eof
EOF
    }
}

###################################
#### Install PowerDNS DataBase ####
###################################
function pdns_db_install() {
    {
        define () {
            IFS=$'\n' read -r -d '' "$1"
        }

        if [ ! -f /root/.my.cnf ]; then
            {
                echo '[mysql]'
                echo 'user=root'
                echo "password=$MYSQL_PASS"
            } >/root/.my.cnf
        fi

        mysql -e "CREATE DATABASE $MY_PDNS_DB /*\!40100 DEFAULT CHARACTER SET utf8 */;"
        mysql -e "CREATE USER $MY_PDNS_USR@localhost IDENTIFIED BY '$MY_PDNS_PW';"
        mysql -e "GRANT ALL PRIVILEGES ON $MY_PDNS_DB.* TO '$MY_PDNS_USR'@'localhost';"
        mysql -e "ALTER USER '$MY_PDNS_DB'@'localhost' IDENTIFIED BY '$MY_PDNS_PW';"
        mysql -e "FLUSH PRIVILEGES;"
        
        touch /tmp/pdns.sql
        OUTFILE="/tmp/pdns.sql"
        define PDNS_SQL << 'EOF'
        CREATE TABLE domains (
        id                    INT AUTO_INCREMENT,
        name                  VARCHAR(255) NOT NULL,
        master                VARCHAR(128) DEFAULT NULL,
        last_check            INT DEFAULT NULL,
        type                  VARCHAR(6) NOT NULL,
        notified_serial       INT UNSIGNED DEFAULT NULL,
        account               VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
        PRIMARY KEY (id)
        ) Engine=InnoDB CHARACTER SET 'latin1';

        CREATE UNIQUE INDEX name_index ON domains(name);


        CREATE TABLE records (
        id                    BIGINT AUTO_INCREMENT,
        domain_id             INT DEFAULT NULL,
        name                  VARCHAR(255) DEFAULT NULL,
        type                  VARCHAR(10) DEFAULT NULL,
        content               VARCHAR(64000) DEFAULT NULL,
        ttl                   INT DEFAULT NULL,
        prio                  INT DEFAULT NULL,
        disabled              TINYINT(1) DEFAULT 0,
        ordername             VARCHAR(255) BINARY DEFAULT NULL,
        auth                  TINYINT(1) DEFAULT 1,
        PRIMARY KEY (id)
        ) Engine=InnoDB CHARACTER SET 'latin1';

        CREATE INDEX nametype_index ON records(name,type);
        CREATE INDEX domain_id ON records(domain_id);
        CREATE INDEX ordername ON records (ordername);


        CREATE TABLE supermasters (
        ip                    VARCHAR(64) NOT NULL,
        nameserver            VARCHAR(255) NOT NULL,
        account               VARCHAR(40) CHARACTER SET 'utf8' NOT NULL,
        PRIMARY KEY (ip, nameserver)
        ) Engine=InnoDB CHARACTER SET 'latin1';


        CREATE TABLE comments (
        id                    INT AUTO_INCREMENT,
        domain_id             INT NOT NULL,
        name                  VARCHAR(255) NOT NULL,
        type                  VARCHAR(10) NOT NULL,
        modified_at           INT NOT NULL,
        account               VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
        comment               TEXT CHARACTER SET 'utf8' NOT NULL,
        PRIMARY KEY (id)
        ) Engine=InnoDB CHARACTER SET 'latin1';

        CREATE INDEX comments_name_type_idx ON comments (name, type);
        CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);


        CREATE TABLE domainmetadata (
        id                    INT AUTO_INCREMENT,
        domain_id             INT NOT NULL,
        kind                  VARCHAR(32),
        content               TEXT,
        PRIMARY KEY (id)
        ) Engine=InnoDB CHARACTER SET 'latin1';

        CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind);


        CREATE TABLE cryptokeys (
        id                    INT AUTO_INCREMENT,
        domain_id             INT NOT NULL,
        flags                 INT NOT NULL,
        active                BOOL,
        published             BOOL DEFAULT 1,
        content               TEXT,
        PRIMARY KEY(id)
        ) Engine=InnoDB CHARACTER SET 'latin1';

        CREATE INDEX domainidindex ON cryptokeys(domain_id);


        CREATE TABLE tsigkeys (
        id                    INT AUTO_INCREMENT,
        name                  VARCHAR(255),
        algorithm             VARCHAR(50),
        secret                VARCHAR(255),
        PRIMARY KEY (id)
        ) Engine=InnoDB CHARACTER SET 'latin1';

        CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);
EOF
        {
            printf "%s\n" "$PDNS_SQL" | cut -c 2-
        } > "$OUTFILE"
        if [ ${DEL_MY_CNF} != N ]; then
            rm -rf /root/.my.cnf
        fi
        mysql -D powerdns < /tmp/pdns.sql
        rm /tmp/pdns.sql
    }
}

####################################
#### Install/Configure PowerDNS ####
####################################
function pdns_app_install() {
    {
        if [ "${OS}" = ubuntu ]; then
            if systemctl is-enabled systemd-resolved; then
                systemctl disable --now systemd-resolved
                systemctl mask systemd-resolved
                sed -i 's/nameserver /#nameserver /g' /etc/resolv.conf
                echo -e 'nameserver 8.8.8.8 \nnameserver 8.8.4.4' >> /etc/resolv.conf
            fi
            DEBIAN_FRONTEND=noninteractive ${PAKMGR} install pdns-backend-mysql fpdns bind9utils
        else
            ${PAKMGR} install epel-release
            ${PAKMGR} install http://rpms.remirepo.net/enterprise/remi-release-8.rpm
            ${PAKMGR} install pdns-backend-mysql pdns bind-utils
            expect -f - <<-EOF
                set timeout 2
                spawn dnf module enable php:remi-7.4
                expect "Is this ok:"
                send -- "y\r"
                expect eof
EOF
        fi
        
        echo "" >/etc/pdns/pdns.conf
        cat >/etc/pdns/pdns.conf <<EOF
        # Autogenerated configuration file template

        #################################
        # ignore-unknown-settings       Configuration settings to ignore if they are unknown
        #
        # ignore-unknown-settings=

        #################################
        # 8bit-dns      Allow 8bit dns queries
        #
        # 8bit-dns=no

        #################################
        # allow-axfr-ips        Allow zonetransfers only to these subnets
        #
        # allow-axfr-ips=127.0.0.0/8,::1
        

        #################################
        # allow-dnsupdate-from  A global setting to allow DNS updates from these IP ranges.
        #
        # allow-dnsupdate-from=127.0.0.0/8,::1

        #################################
        # allow-notify-from     Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
        #
        # allow-notify-from=0.0.0.0/0,::/0

        #################################
        # allow-unsigned-autoprimary    Allow autoprimaries to create zones without TSIG signed NOTIFY
        #
        # allow-unsigned-autoprimary=yes

        #################################
        # allow-unsigned-notify Allow unsigned notifications for TSIG secured zones
        #
        # allow-unsigned-notify=yes

        #################################
        # allow-unsigned-supermaster    Allow supermasters to create zones without TSIG signed NOTIFY
        #
        # allow-unsigned-supermaster=yes

        #################################
        # also-notify   When notifying a zone, also notify these nameservers
        #
        # also-notify=

        #################################
        # any-to-tcp    Answer ANY queries with tc=1, shunting to TCP
        #
        # any-to-tcp=yes

        #################################
        # api   Enable/disable the REST API (including HTTP listener)
        #
        # api=no

        #################################
        # api-key       Static pre-shared authentication key for access to the REST API
        #
        # api-key=

        #################################
        # autosecondary Act as an autosecondary (formerly superslave)
        #
        # autosecondary=no

        #################################
        # axfr-fetch-timeout    Maximum time in seconds for inbound AXFR to start or be idle after starting
        #
        # axfr-fetch-timeout=10

        #################################
        # axfr-lower-serial     Also AXFR a zone from a master with a lower serial
        #
        # axfr-lower-serial=no

        #################################
        # cache-ttl     Seconds to store packets in the PacketCache
        #
        # cache-ttl=20

        #################################
        # carbon-instance       If set overwrites the instance name default
        #
        # carbon-instance=auth

        #################################
        # carbon-interval       Number of seconds between carbon (graphite) updates
        #
        # carbon-interval=30

        #################################
        # carbon-namespace      If set overwrites the first part of the carbon string
        #
        # carbon-namespace=pdns

        #################################
        # carbon-ourname        If set, overrides our reported hostname for carbon stats
        #
        # carbon-ourname=

        #################################
        # carbon-server If set, send metrics in carbon (graphite) format to this server IP address
        #
        # carbon-server=

        #################################
        # chroot        If set, chroot to this directory for more security
        #
        # chroot=

        #################################
        # config-dir    Location of configuration directory (pdns.conf)
        #
        config-dir=/etc/pdns

        #################################
        # config-name   Name of this virtual configuration - will rename the binary image
        #
        # config-name=

        #################################
        # consistent-backends   Assume individual zones are not divided over backends. Send only ANY lookup operations to the backend to reduce the number of lookups
        #
        # consistent-backends=yes

        #################################
        # control-console       Debugging switch - don't use
        #
        # control-console=no

        #################################
        # daemon        Operate as a daemon
        #
        daemon=yes

        #################################
        # default-api-rectify   Default API-RECTIFY value for zones
        #
        # default-api-rectify=yes

        #################################
        # default-ksk-algorithm Default KSK algorithm
        #
        # default-ksk-algorithm=ecdsa256

        #################################
        # default-ksk-size      Default KSK size (0 means default)
        #
        # default-ksk-size=0

        #################################
        # default-publish-cdnskey       Default value for PUBLISH-CDNSKEY
        #
        # default-publish-cdnskey=

        #################################
        # default-publish-cds   Default value for PUBLISH-CDS
        #
        # default-publish-cds=

        #################################
        # default-soa-content   Default SOA content
        #
        # default-soa-content=a.misconfigured.dns.server.invalid hostmaster.@ 0 10800 3600 604800 3600

        #################################
        # default-soa-edit      Default SOA-EDIT value
        #
        # default-soa-edit=

        #################################
        # default-soa-edit-signed       Default SOA-EDIT value for signed zones
        #
        # default-soa-edit-signed=

        #################################
        # default-ttl   Seconds a result is valid if not set otherwise
        #
        # default-ttl=3600

        #################################
        # default-zsk-algorithm Default ZSK algorithm
        #
        # default-zsk-algorithm=

        #################################
        # default-zsk-size      Default ZSK size (0 means default)
        #
        # default-zsk-size=0

        #################################
        # direct-dnskey Fetch DNSKEY, CDS and CDNSKEY RRs from backend during DNSKEY or CDS/CDNSKEY synthesis
        #
        # direct-dnskey=no

        #################################
        # disable-axfr  Disable zonetransfers but do allow TCP queries
        #
        disable-axfr=no

        #################################
        # disable-axfr-rectify  Disable the rectify step during an outgoing AXFR. Only required for regression testing.
        #
        # disable-axfr-rectify=no

        #################################
        # disable-syslog        Disable logging to syslog, useful when running inside a supervisor that logs stdout
        #
        # disable-syslog=no

        #################################
        # distributor-threads   Default number of Distributor (backend) threads to start
        #
        # distributor-threads=3

        #################################
        # dname-processing      If we should support DNAME records
        #
        # dname-processing=no

        #################################
        # dnssec-key-cache-ttl  Seconds to cache DNSSEC keys from the database
        #
        # dnssec-key-cache-ttl=30

        #################################
        # dnsupdate     Enable/Disable DNS update (RFC2136) support. Default is no.
        #
        # dnsupdate=no

        #################################
        # domain-metadata-cache-ttl     Seconds to cache zone metadata from the database
        #
        # domain-metadata-cache-ttl=

        #################################
        # edns-subnet-processing        If we should act on EDNS Subnet options
        #
        # edns-subnet-processing=no

        #################################
        # enable-lua-records    Process LUA records for all zones (metadata overrides this)
        #
        # enable-lua-records=no

        #################################
        # entropy-source        If set, read entropy from this file
        #
        # entropy-source=/dev/urandom

        #################################
        # expand-alias  Expand ALIAS records
        #
        # expand-alias=no

        #################################
        # forward-dnsupdate     A global setting to allow DNS update packages that are for a Slave zone, to be forwarded to the master.
        #
        # forward-dnsupdate=yes

        #################################
        # forward-notify        IP addresses to forward received notifications to regardless of master or slave settings
        #
        # forward-notify=

        #################################
        # guardian      Run within a guardian process
        #
        guardian=yes

        #################################
        # include-dir   Include *.conf files from this directory
        #
        # include-dir=

        #################################
        # launch        Which backends to launch and order to query them in
        #
        #launch=bindi
        launch=gmysql
        gmysql-dnssec
        gmysql-host=$MY_PDNS_HOST
        gmysql-user=$MY_PDNS_USR
        gmysql-password=$MY_PDNS_PW
        gmysql-dbname=$MY_PDNS_DB

        #################################
        # load-modules  Load this module - supply absolute or relative path
        #
        # load-modules=

        #################################
        # local-address Local IP addresses to which we bind
        #
        # local-address=0.0.0.0, ::

        #################################
        # local-address-nonexist-fail   Fail to start if one or more of the local-address's do not exist on this server
        #
        # local-address-nonexist-fail=yes

        #################################
        # local-port    The port on which we listen
        #
        # local-port=53

        #################################
        # log-dns-details       If PDNS should log DNS non-erroneous details
        #
        # log-dns-details=no

        #################################
        # log-dns-queries       If PDNS should log all incoming DNS queries
        #
        # log-dns-queries=no

        #################################
        # log-timestamp Print timestamps in log lines
        #
        # log-timestamp=yes

        #################################
        # logging-facility      Log under a specific facility
        #
        # logging-facility=

        #################################
        # loglevel      Amount of logging. Higher is more. Do not set below 3
        #
        # loglevel=4

        #################################
        # lua-axfr-script       Script to be used to edit incoming AXFRs
        #
        # lua-axfr-script=

        #################################
        # lua-dnsupdate-policy-script   Lua script with DNS update policy handler
        #
        # lua-dnsupdate-policy-script=

        #################################
        # lua-health-checks-expire-delay        Stops doing health checks after the record hasn't been used for that delay (in seconds)
        #
        # lua-health-checks-expire-delay=3600

        #################################
        # lua-health-checks-interval    LUA records health checks monitoring interval in seconds
        #
        # lua-health-checks-interval=5

        #################################
        # lua-prequery-script   Lua script with prequery handler (DO NOT USE)
        #
        # lua-prequery-script=

        #################################
        # lua-records-exec-limit        LUA records scripts execution limit (instructions count). Values <= 0 mean no limit
        #
        # lua-records-exec-limit=1000

        #################################
        # master        Act as a primary
        #
        master=yes

        #################################
        # max-cache-entries     Maximum number of entries in the query cache
        #
        # max-cache-entries=1000000

        #################################
        # max-ent-entries       Maximum number of empty non-terminals in a zone
        #
        # max-ent-entries=100000

        #################################
        # max-generate-steps    Maximum number of $GENERATE steps when loading a zone from a file
        #
        # max-generate-steps=0

        #################################
        # max-nsec3-iterations  Limit the number of NSEC3 hash iterations
        #
        # max-nsec3-iterations=100

        #################################
        # max-packet-cache-entries      Maximum number of entries in the packet cache
        #
        # max-packet-cache-entries=1000000

        #################################
        # max-queue-length      Maximum queuelength before considering situation lost
        #
        # max-queue-length=5000

        #################################
        # max-signature-cache-entries   Maximum number of signatures cache entries
        #
        # max-signature-cache-entries=

        #################################
        # max-tcp-connection-duration   Maximum time in seconds that a TCP DNS connection is allowed to stay open.
        #
        # max-tcp-connection-duration=0

        #################################
        # max-tcp-connections   Maximum number of TCP connections
        #
        # max-tcp-connections=20

        #################################
        # max-tcp-connections-per-client        Maximum number of simultaneous TCP connections per client
        #
        # max-tcp-connections-per-client=0

        #################################
        # max-tcp-transactions-per-conn Maximum number of subsequent queries per TCP connection
        #
        # max-tcp-transactions-per-conn=0

        #################################
        # module-dir    Default directory for modules
        #
        module-dir=/usr/lib64/pdns

        #################################
        # negquery-cache-ttl    Seconds to store negative query results in the QueryCache
        #
        # negquery-cache-ttl=60

        #################################
        # no-shuffle    Set this to prevent random shuffling of answers - for regression testing
        #
        # no-shuffle=off

        #################################
        # non-local-bind        Enable binding to non-local addresses by using FREEBIND / BINDANY socket options
        #
        # non-local-bind=no

        #################################
        # only-notify   Only send AXFR NOTIFY to these IP addresses or netmasks
        #
        # only-notify=0.0.0.0/0,::/0

        #################################
        # outgoing-axfr-expand-alias    Expand ALIAS records during outgoing AXFR
        #
        # outgoing-axfr-expand-alias=no

        #################################
        # overload-queue-length Maximum queuelength moving to packetcache only
        #
        # overload-queue-length=0

        #################################
        # prevent-self-notification     Don't send notifications to what we think is ourself
        #
        # prevent-self-notification=yes

        #################################
        # primary       Act as a primary
        #
        # primary=no

        #################################
        # query-cache-ttl       Seconds to store query results in the QueryCache
        #
        # query-cache-ttl=20

        #################################
        # query-local-address   Source IP addresses for sending queries
        #
        # query-local-address=0.0.0.0 ::

        #################################
        # query-logging Hint backends that queries should be logged
        #
        # query-logging=no

        #################################
        # queue-limit   Maximum number of milliseconds to queue a query
        #
        # queue-limit=1500

        #################################
        # receiver-threads      Default number of receiver threads to start
        #
        # receiver-threads=1

        #################################
        # resolver      Use this resolver for ALIAS and the internal stub resolver
        #
        # resolver=no

        #################################
        # retrieval-threads     Number of AXFR-retrieval threads for slave operation
        #
        # retrieval-threads=2

        #################################
        # reuseport     Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket
        #
        # reuseport=no

        #################################
        # rng   Specify the random number generator to use. Valid values are auto,sodium,openssl,getrandom,arc4random,urandom.
        #
        # rng=auto

        #################################
        # secondary     Act as a secondary
        #
        # secondary=no

        #################################
        # secondary-do-renotify If this secondary should send out notifications after receiving zone transfers from a primary
        #
        # secondary-do-renotify=no

        #################################
        # security-poll-suffix  Zone name from which to query security update notifications
        #
        # security-poll-suffix=

        #################################
        # send-signed-notify    Send TSIG secured NOTIFY if TSIG key is configured for a zone
        #
        # send-signed-notify=yes

        #################################
        # server-id     Returned when queried for 'id.server' TXT or NSID, defaults to hostname - disabled or custom
        #
        # server-id=

        #################################
        # setgid        If set, change group id to this gid for more security
        #
        setgid=pdns

        #################################
        # setuid        If set, change user id to this uid for more security
        #
        setuid=pdns

        #################################
        # signing-threads       Default number of signer threads to start
        #
        # signing-threads=3

        #################################
        # slave Act as a secondary
        #
        #slave=yes

        #################################
        # slave-cycle-interval  Schedule slave freshness checks once every .. seconds
        #
        # slave-cycle-interval=60

        #################################
        # slave-renotify        If we should send out notifications for secondaried updates
        #
        # slave-renotify=no

        #################################
        # socket-dir    Where the controlsocket will live, /var/run/pdns when unset and not chrooted. Set to the RUNTIME_DIRECTORY environment variable when that variable has a value (e.g. under systemd).
        #
        # socket-dir=

        #################################
        # superslave    Act as a autosecondary
        #
        # superslave=no

        #################################
        # svc-autohints Transparently fill ipv6hint=auto ipv4hint=auto SVC params with AAAA/A records for the target name of the record (if within the same zone)
        #
        # svc-autohints=no

        #################################
        # tcp-control-address   If set, PowerDNS can be controlled over TCP on this address
        #
        # tcp-control-address=

        #################################
        # tcp-control-port      If set, PowerDNS can be controlled over TCP on this address
        #
        # tcp-control-port=53000

        #################################
        # tcp-control-range     If set, remote control of PowerDNS is possible over these networks only
        #
        # tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10

        #################################
        # tcp-control-secret    If set, PowerDNS can be controlled over TCP after passing this secret
        #
        # tcp-control-secret=

        #################################
        # tcp-fast-open Enable TCP Fast Open support on the listening sockets, using the supplied numerical value as the queue size
        #
        # tcp-fast-open=0

        #################################
        # tcp-idle-timeout      Maximum time in seconds that a TCP DNS connection is allowed to stay open while being idle
        #
        # tcp-idle-timeout=5

        #################################
        # traceback-handler     Enable the traceback handler (Linux only)
        #
        # traceback-handler=yes

        #################################
        # trusted-notification-proxy    IP address of incoming notification proxy
        #
        # trusted-notification-proxy=

        #################################
        # udp-truncation-threshold      Maximum UDP response size before we truncate
        #
        # udp-truncation-threshold=1232

        #################################
        # upgrade-unknown-types Transparently upgrade known TYPExxx records. Recommended to keep off, except for PowerDNS upgrades until data sources are cleaned up
        #
        # upgrade-unknown-types=no

        #################################
        # version-string        PowerDNS version in packets - full, anonymous, powerdns or custom
        #
        # version-string=full
        version-string=ScoobyHost 0.1 Alpha

        #################################
        # webserver     Start a webserver for monitoring (api=yes also enables the HTTP listener)
        #
        # webserver=no

        #################################
        # webserver-address     IP Address of webserver/API to listen on
        #
        # webserver-address=127.0.0.1

        #################################
        # webserver-allow-from  Webserver/API access is only allowed from these subnets
        #
        # webserver-allow-from=127.0.0.1,::1

        #################################
        # webserver-loglevel    Amount of logging in the webserver (none, normal, detailed)
        #
        # webserver-loglevel=normal

        #################################
        # webserver-max-bodysize        Webserver/API maximum request/response body size in megabytes
        #
        # webserver-max-bodysize=2

        #################################
        # webserver-password    Password required for accessing the webserver
        #
        # webserver-password=

        #################################
        # webserver-port        Port of webserver/API to listen on
        #
        # webserver-port=8081

        #################################
        # webserver-print-arguments     If the webserver should print arguments
        #
        # webserver-print-arguments=no

        #################################
        # write-pid     Write a PID file
        #
        # write-pid=yes

        #################################
        # xfr-cycle-interval    Schedule primary/secondary SOA freshness checks once every .. seconds
        #
        # xfr-cycle-interval=60

        #################################
        # xfr-max-received-mbytes       Maximum number of megabytes received from an incoming XFR
        #
        # xfr-max-received-mbytes=100

        #################################
        # zone-cache-refresh-interval   Seconds to cache list of known zones
        #
        # zone-cache-refresh-interval=300

        #################################
        # zone-metadata-cache-ttl       Seconds to cache zone metadata from the database
        #
        # zone-metadata-cache-ttl=60
EOF

        if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
            setsebool -P pdns_can_network_connect_db 1
            setsebool -P nis_enabled 1
        fi

        sed -i 's/ //g' /etc/pdns/pdns.conf
        systemctl enable --nom pdns
    }
}

###########################################
#### Install/Configure Apache or Nginx ####
###########################################
function webserver_install() {
    {
        if [ ! -d /var/www/html/$WEB_HOST_NAME ]; then
            mkdir -p /var/www/html/$WEB_HOST_NAME
        fi

        if [ $HTTP = apache ]; then
            if [ "${OS}" = ubuntu ]; then
                ${PAKMGR} install build-essential apache2 php php-dev php-fpm php-gd php-intl php-mysql php-odbc php-pear php-xml php-xmlrpc php-mbstring gettext libmcrypt-dev
                pecl channel-update pecl.php.net
                pecl update-channels
                expect -f - <<-EOF
                    set timeout 10
                    spawn pecl install mcrypt
                    expect "libmcrypt prefix?"
                    send -- "\r"
                    expect eof
EOF
                sed -i 's/;extension=shmop/extension=mcrypt.so/g' /etc/php/*/cli/php.ini
                sed -i 's/;extension=shmop/extension=mcrypt.so/g' /etc/php/*/apache2/php.ini
                if ! php -m | grep mcrypt; then
                    echo ''
                    echo 'mcrypt did not install correctly on this Ubuntu machine...!'
                    exit 1
                fi
                systemctl restart apache2
            else
                ${PAKMGR} install httpd php74 php74-php-devel php74-php-fpm php74-php-gd php74-php-intl php74-php-mysqlnd php74-php-odbc php74-php-pear php74-php-xml php74-php-xmlrpc php74-php-mbstring php74-php-pecl-mcrypt gettext
            fi

            if [ "${OS}" = ubuntu ]; then
                path=/etc/apache2/sites-available/$WEB_HOST_NAME.conf
            else
                path=/etc/httpd/conf.d/$WEB_HOST_NAME.conf
            fi
            
            {
                echo '<VirtualHost *:80>'
                echo "    ServerAdmin admin@n$WEB_HOST_NAME"
                echo "    ServerName $WEB_HOST_NAME"
                echo "    DocumentRoot /var/www/html/$WEB_HOST_NAME"
                echo '    #DirectoryIndex index.php'
                echo "    #ErrorLog /var/log/httpd/$WEB_HOST_NAME-error.log"
                echo "    #CustomLog /var/log/httpd/$WEB_HOST_NAME-access.log combined"
                echo ''
                echo '    <IfModule !mod_php7.c>'
                echo '        <FilesMatch \.(php|phar)$>'
                if [ "${OS}" = ubuntu ]; then
                    echo '            SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"'
                else
                    echo '            SetHandler "proxy:unix:/var/opt/remi/php74/run/php-fpm/www.sock|fcgi://localhost"'
                fi
                echo '        </FilesMatch>'
                echo '    </IfModule>'
                echo '</VirtualHost>'
                }  > $path

            
            if [ "${OS}" = ubuntu ]; then
                if ! apachectl configtest; then
                    echo ''
                    echo -e '\e[01;37m -----------------------------------------------------------------------------------------------------'
                    echo -e "\e[01;31m   An Error was detected with apache2, Please manually look at the configuration to comfirm it's good" >&2
                    echo -e '\e[01;37m -----------------------------------------------------------------------------------------------------'
                    exit 1
                fi
            else
                if ! httpd -t; then
                    echo ''
                    echo -e '\e[01;37m ----------------------------------------------------------------------------------------------------'
                    echo -e "\e[01;31m   An Error was detected with httpd, Please manually look at the configuration to comfirm it's good" >&2
                    echo -e '\e[01;37m ----------------------------------------------------------------------------------------------------'
                    exit 1
                fi
            fi
            
            if [ "${OS}" = ubuntu ]; then
                systemctl enable --now php-fpm
                a2dissite 000-default
                a2ensite $WEB_HOST_NAME
                systemctl enable apache2
                systemctl reload apache2
            else
                chcon -R -t httpd_sys_content_t /var/www/html/$WEB_HOST_NAME
                systemctl enable --now php74-php-fpm
                systemctl enable --now httpd
            fi
        elif [ $HTTP = nginx ]; then
            if [ "${OS}" = ubuntu ]; then
                ${PAKMGR} install build-essential php php-cli php-dev php-fpm php-gd php-intl php-json php-mysql php-pear php-xml php-xmlrpc php-mbstring gettext libmcrypt-dev
                pecl channel-update pecl.php.net
                pecl update-channels
                expect -f - <<-EOF
                    set timeout 10
                    spawn pecl install mcrypt
                    expect "libmcrypt prefix?"
                    send -- "\r"
                    expect eof
EOF
                sed -i 's/;extension=shmop/extension=mcrypt.so/g' /etc/php/*/cli/php.ini
                sed -i 's/;extension=shmop/extension=mcrypt.so/g' /etc/php/*/apache2/php.ini
                systemctl disable --now apache2
                systemctl mask apache2
                if ! php -m | grep mcrypt; then
                    echo ''
                    echo 'mcrypt did not install correctly on this Ubuntu machine...!'
                    exit 1
                    systemctl disable --now httpd
                    systemctl mask httpd
                fi
            else
                ${PAKMGR} install php php-fpm php-cli php-mysqlnd php-pecl-mcrypt php-json php-intl
                chown apache:apache /var/lib/php/sessions
                systemctl disable --now httpd
                systemctl mask httpd
            fi
        fi

            ${PAKMGR} install nginx

            if [[ ${OS} = centos || ${OS} = red || ${OS} = oracle || ${OS} = rocky || ${OS} = alma ]]; then
                if ! grep "listen = /run/php-fpm/www.sock" /etc/php-fpm.d/www.conf; then
                    sed -i '/listen = */c\listen = \/run\/php-fpm\/www.sock' /etc/php-fpm.d/www.conf
                fi
            fi

            if [ "${OS}" = ubuntu ]; then
                path=/etc/nginx/sites-available/$WEB_HOST_NAME.conf
            else
                path=/etc/nginx/conf.d/$WEB_HOST_NAME.conf
            fi
            # shellcheck disable=SC2016
            {
                echo 'server {'
                echo "     server_name $WEB_HOST_NAME;"
                echo '     listen 80;'
                echo ''
                echo "     root /var/www/html/$WEB_HOST_NAME;"
                echo "     #access_log /var/log/nginx/$WEB_HOST_NAME-access_log;"
                echo "     #error_log /var/log/nginx/$WEB_HOST_NAME-error_log;"
                echo ''
                echo '     index index.php;'
                echo ''
                echo '     location / {'
                echo '        try_files $uri $uri/ /index.php?query_string;'
                echo '      }'
                echo ''
                echo '     location ~ \.php$ {'
                echo '         fastcgi_index index.php;'
                echo '         fastcgi_split_path_info ^(.+\.php)(.*)$;'
                echo '         fastcgi_keep_conn on;'
                echo '         include /etc/nginx/fastcgi_params;'
                if [ "${OS}" = ubuntu ]; then
                    echo '         fastcgi_pass unix:/run/php/php-fpm.sock;'
                else
                    echo '         fastcgi_pass unix:/run/php-fpm/www.sock;'
                fi
                echo '         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;'
                echo '     }'
                echo ''
                echo '     location ~/\.ht {'
                echo '        deny all;'
                echo '     }'
                echo ''
                echo '}'
            } > $path

            if ! nginx -t; then
                echo ''
                echo -e '\e[01;37m --------------------------------------------------------------------------------------------------'
                echo -e "\e[01;31m  An Error was detected with nginx, Please manually look at the configuration to comfirm it's good" >&2
                echo -e '\e[01;37m --------------------------------------------------------------------------------------------------'
                exit 1
            fi
            
            if [ "${OS}" = ubuntu ]; then
                rm /etc/nginx/sites-enabled/default
                ln -s /etc/nginx/sites-available/$WEB_HOST_NAME.conf /etc/nginx/sites-enabled/$WEB_HOST_NAME
                systemctl enable --now php-fpm
                systemctl enable nginx
                systemctl start nginx
            else
                systemctl enable --now php-fpm
                systemctl enable nginx
                chcon -R -t httpd_sys_content_t /var/www/html/$WEB_HOST_NAME
                systemctl start nginx
        fi
    }
}

############################
#### Install PowerAdmin ####
############################
function pdns_admin_install() {
    {
        if [ ! -d /var/www/html/$WEB_HOST_NAME ]; then
            mkdir -p /var/www/html/$WEB_HOST_NAME
        fi

        ${PAKMGR} install git
        cd /var/www/html/$WEB_HOST_NAME || exit
        git clone https://github.com/poweradmin/poweradmin.git
        mv poweradmin/* .
        rm -rf poweradmin/
        find /var/www/html/$WEB_HOST_NAME/ -type d -exec chmod 755 {} \;
        find /var/www/html/$WEB_HOST_NAME/ -type f -exec chmod 644 {} \;
        if [ "${OS}" = ubuntu ]; then
            chown www-data:www-data /var/www/html/$WEB_HOST_NAME/
        else   
            chown apache:apache /var/www/html/$WEB_HOST_NAME/
            chown apache:apache /var/lib/php/session
        fi
    }
}

##########################################
#### Install Certbot and request Cert ####
##########################################
install_certbot() {
    {
        if [ $HTTP = apache ]; then
            ${PAKMGR} install python3-certbot-apache
            systemctl enable --now httpd
        elif [ $HTTP = nginx ]; then
            ${PAKMGR} install python3-certbot-nginx
            systemctl enable --now nginx
        fi

        #################################################################################################
        ####         Be sure that your domain has the proper dns entry or this will not work.        ####
        ####                                                                                         ####
        ####      If your domain is not properly configured and you know it, or you just wanna       ####
        ####      test that you can get a cert uncomment this line                                   ####
        ####                                                                                         ####
        #### certbot certonly --redirect --agree-tos --nginx -d $WEB_HOST_NAME -m "$EMAIL" --dry-run ####                                          ####
        ####                              and comment out this line                                  ####
        ####     certbot --non-interactive --redirect --agree-tos -d $WEB_HOST_NAME -m "$EMAIL"      ####
        #################################################################################################

        if [ $HTTP = apache ]; then
            certbot certonly --redirect --agree-tos --apache -d $WEB_HOST_NAME -m "$EMAIL" --dry-run -v
            #certbot --non-interactive --redirect --agree-tos --apache -d $WEB_HOST_NAME -m "$EMAIL"
            systemctl restart httpd
        elif [ $HTTP = nginx ]; then
            certbot certonly --redirect --agree-tos --nginx -d $WEB_HOST_NAME -m "$EMAIL" --dry-run -v
            #certbot --non-interactive --redirect --agree-tos --nginx -d $WEB_HOST_NAME -m "$EMAIL"
            systemctl restart nginx
        fi

        if [ "${OS}" = ubuntu ]; then
            if ! grep "certbot" /var/spool/cron/crontab/root; then
                echo "0 */12  * * *   root    certbot -q renew" >>/etc/crontab
            fi
        else
            if ! grep "certbot" /var/spool/cron/root; then
                echo "0 */12 * * * root certbot -q renew" >>/var/spool/cron/root
            fi
        fi   
    }
}

#######################
#### Final Message ####
#######################
function install_complete() {
    {
        if [ ! -d /etc/letsencrypt/live/$WEB_HOST_NAME ]; then
            echo -e '\e[01;37m        ----------------------------------------------------------------------------------------------------'
            echo -e '\e[01;37m     -----------------------------------------------------------------------------------------------------------'
            echo -e "\e[01;32m You should now be able to complete the Poweradmin setup by accessing it here http://$host/install/ or by ip http://$ip4/install/"
            echo -e '\e[01;37m     -----------------------------------------------------------------------------------------------------------'
            echo -e '\e[01;37m        ----------------------------------------------------------------------------------------------------'
        else
            echo -e '\e[01;37m        ----------------------------------------------------------------------------------------------------'
            echo -e '\e[01;37m     -----------------------------------------------------------------------------------------------------------'
            echo -e "\e[01;32m You should now be able to complete the Poweradmin setup by accessing it here https://$host/install/ or by ip https://$ip4/install/"
            echo -e '\e[01;37m     -----------------------------------------------------------------------------------------------------------'
            echo -e '\e[01;37m        ----------------------------------------------------------------------------------------------------'
        fi
    }
}

##################
#### Code End ####
##################

check_RootUser
install_mysql
secure_mysql
pdns_db_install
pdns_app_install
webserver_install
pdns_admin_install
install_certbot
install_complete

mysql -e "CREATE DATABASE powerdns /*\!40100 DEFAULT CHARACTER SET utf8 */;"
mysql -e "CREATE USER pdns@localhost IDENTIFIED BY '$MY_PDNS_PW';"
mysql -e "GRANT ALL PRIVILEGES ON powerdns.* TO 'pdns'@'localhost';"
# mysql -e "ALTER USER 'pdns'@'localhost' IDENTIFIED BY 'linda6!3!';"
mysql -e "FLUSH PRIVILEGES;"


6xt3gXm?+5D6