hestiacp/func/domain.sh

#!/bin/bash

#===========================================================================#
#                                                                           #
# Hestia Control Panel - Domain Function Library                            #
#                                                                           #
#===========================================================================#

#----------------------------------------------------------#
#                        WEB                               #
#----------------------------------------------------------#

# Web template check
is_web_template_valid() {
	if [ -n "$WEB_SYSTEM" ]; then
		tpl="$WEBTPL/$WEB_SYSTEM/$WEB_BACKEND/$1.tpl"
		stpl="$WEBTPL/$WEB_SYSTEM/$WEB_BACKEND/$1.stpl"
		if [ ! -e "$tpl" ] || [ ! -e "$stpl" ]; then
			check_result "$E_NOTEXIST" "$1 web template doesn't exist"
		fi
	fi
}

# Proxy template check
is_proxy_template_valid() {
	if [ -n "$PROXY_SYSTEM" ]; then
		tpl="$WEBTPL/$PROXY_SYSTEM/$1.tpl"
		stpl="$WEBTPL/$PROXY_SYSTEM/$1.stpl"
		if [ ! -e "$tpl" ] || [ ! -e "$stpl" ]; then
			check_result "$E_NOTEXIST" "$1 proxy template doesn't exist"
		fi
	fi
}

# Backend template check
is_backend_template_valid() {
	if [ -n "$WEB_BACKEND" ]; then
		if [ ! -e "$WEBTPL/$WEB_BACKEND/$1.tpl" ]; then
			check_result "$E_NOTEXIST" "$1 backend template doesn't exist"
		fi
	fi
}

# Web domain existence check
is_web_domain_new() {
	web=$(grep -F -H "DOMAIN='$1'" $HESTIA/data/users/*/web.conf)
	if [ -n "$web" ]; then
		if [ "$type" == 'web' ]; then
			check_result "$E_EXISTS" "Web domain $1 exists"
		fi
		web_user=$(echo "$web" | cut -f 7 -d /)
		if [ "$web_user" != "$user" ]; then
			check_result "$E_EXISTS" "Web domain $1 exists"
		fi
	fi
}

# Web alias existence check
is_web_alias_new() {
	grep -wH "$1" $HESTIA/data/users/*/web.conf | while read -r line; do
		user=$(echo $line | cut -f 7 -d /)
		string=$(echo $line | cut -f 2- -d ':')
		parse_object_kv_list $string
		if [ -n "$ALIAS" ]; then
			a1=$(echo "'$ALIAS'" | grep -F "'$1'")
			if [ -n "$a1" ] && [ "$2" == "web" ]; then
				return "$E_EXISTS"
			fi
			if [ -n "$a1" ] && [ "$user" != "$user" ]; then
				return "$E_EXISTS"
			fi
			a2=$(echo "'$ALIAS'" | grep -F "'$1,")
			if [ -n "$a2" ] && [ "$2" == "web" ]; then
				return "$E_EXISTS"
			fi
			if [ -n "$a2" ] && [ "$user" != "$user" ]; then
				return "$E_EXISTS"
			fi
			a3=$(echo "'$ALIAS'" | grep -F ",$1,")
			if [ -n "$a3" ] && [ "$2" == "web" ]; then
				return "$E_EXISTS"
			fi
			if [ -n "$a3" ] && [ "$user" != "$user" ]; then
				return "$E_EXISTS"
			fi
			a4=$(echo "'$ALIAS'" | grep -F ",$1'")
			if [ -n "$a4" ] && [ "$2" == "web" ]; then
				return "$E_EXISTS"
			fi
			if [ -n "$a4" ] && [ "$user" != "$user" ]; then
				return "$E_EXISTS"
			fi
		fi
	done
	if [ $? -ne 0 ]; then
		check_result "$E_EXISTS" "Web alias $1 exists"
	fi
}

# Prepare web backend
prepare_web_backend() {
	# Accept first function argument as backend template otherwise fallback to $template global variable
	local backend_template=${1:-$template}

	pool=$(find -L /etc/php/ -name "$domain.conf" -exec dirname {} \;)
	# Check if multiple-PHP installed
	regex="socket-(\d+)_(\d+)"
	if [[ $backend_template =~ ^.*PHP-([0-9])\_([0-9])$ ]]; then
		backend_version="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}"
		pool=$(find -L /etc/php/$backend_version -type d \( -name "pool.d" -o -name "*fpm.d" \))
	else
		backend_version=$(multiphp_default_version)
		if [ -z "$pool" ] || [ -z "$BACKEND" ]; then
			pool=$(find -L /etc/php/$backend_version -type d \( -name "pool.d" -o -name "*fpm.d" \))
		fi
	fi

	if [ ! -e "$pool" ]; then
		check_result $E_NOTEXIST "php-fpm pool doesn't exist"
	fi
	backend_type="$domain"
	if [ "$WEB_BACKEND_POOL" = 'user' ]; then
		backend_type="$user"
	fi
	if [ -e "$pool/$backend_type.conf" ]; then
		backend_lsnr=$(grep "listen =" $pool/$backend_type.conf)
		backend_lsnr=$(echo "$backend_lsnr" | cut -f 2 -d = | sed "s/ //")
		if [ -n "$(echo $backend_lsnr | grep /)" ]; then
			backend_lsnr="unix:$backend_lsnr"
		fi
	fi
}

# Delete web backend
delete_web_backend() {
	find -L /etc/php/ -type f -name "$backend_type.conf" -exec rm -f {} \;
}

# Prepare web aliases
prepare_web_aliases() {
	i=1
	for tmp_alias in ${1//,/ }; do
		tmp_alias_idn="$tmp_alias"
		if [[ "$tmp_alias" = *[![:ascii:]]* ]]; then
			tmp_alias_idn=$(idn2 --quiet $tmp_alias)
		fi
		if [[ $i -eq 1 ]]; then
			aliases="$tmp_alias"
			aliases_idn="$tmp_alias_idn"
			alias_string="ServerAlias $tmp_alias_idn"
		else
			aliases="$aliases,$tmp_alias"
			aliases_idn="$aliases_idn,$tmp_alias_idn"
			if (($i % 100 == 0)); then
				alias_string="$alias_string\n    ServerAlias $tmp_alias_idn"
			else
				alias_string="$alias_string $tmp_alias_idn"
			fi
		fi
		alias_number=$i
		((i++))
	done
}

# Update web domain values
prepare_web_domain_values() {
	if [[ "$domain" = *[![:ascii:]]* ]]; then
		domain_idn=$(idn2 --quiet $domain)
	else
		domain_idn=$domain
	fi
	group="$user"
	docroot="$HOMEDIR/$user/web/$domain/public_html"
	sdocroot="$docroot"
	if [ "$SSL_HOME" = 'single' ]; then
		sdocroot="$HOMEDIR/$user/web/$domain/public_shtml"
		$BIN/v-add-fs-directory "$user" "$HOMEDIR/$user/web/$domain/public_shtml"
		chmod 751 $HOMEDIR/$user/web/$domain/public_shtml
		chown www-data:$user $HOMEDIR/$user/web/$domain/public_shtml
	fi

	if [ -n "$WEB_BACKEND" ]; then
		prepare_web_backend "$BACKEND"
	fi

	server_alias=''
	alias_string=''
	aliases_idn=''
	ssl_ca_str=''
	prepare_web_aliases $ALIAS

	ssl_crt="$HOMEDIR/$user/conf/web/$domain/ssl/$domain.crt"
	ssl_key="$HOMEDIR/$user/conf/web/$domain/ssl/$domain.key"
	ssl_pem="$HOMEDIR/$user/conf/web/$domain/ssl/$domain.pem"
	ssl_ca="$HOMEDIR/$user/conf/web/$domain/ssl/$domain.ca"
	if [ ! -e "$USER_DATA/ssl/$domain.ca" ]; then
		ssl_ca_str='#'
	fi

	# Set correct document root
	if [ -n "$CUSTOM_DOCROOT" ]; then
		# Custom document root has been set by the user, import from configuration
		custom_docroot="$CUSTOM_DOCROOT"
		docroot="$custom_docroot"
		sdocroot="$docroot"
	elif [ -n "$CUSTOM_DOCROOT" ] && [ -n "$target_directory" ]; then
		# Custom document root has been specified with a different target than public_html
		if [ -d "$HOMEDIR/$user/web/$target_domain/public_html/$target_directory/" ]; then
			custom_docroot="$HOMEDIR/$user/web/$target_domain/public_html/$target_directory"
			docroot="$custom_docroot"
			sdocroot="$docroot"
		fi
	elif [ -n "$CUSTOM_DOCROOT" ] && [ -z "$target_directory" ]; then
		# Set custom document root to target domain's public_html folder
		custom_docroot="$HOMEDIR/$user/web/$target_domain/public_html"
		docroot="$custom_docroot"
		sdocroot="$docroot"
	else
		# No custom document root specified, use default
		docroot="$HOMEDIR/$user/web/$domain/public_html"
		sdocroot="$docroot"
	fi

	if [ "$SUSPENDED" = 'yes' ]; then
		docroot="$HESTIA/data/templates/web/suspend"
		sdocroot="$HESTIA/data/templates/web/suspend"
		if [ "$PROXY_SYSTEM" == "nginx" ]; then
			PROXY="suspended"
		else
			TPL="suspended"
		fi
	fi
}

# Add web config
add_web_config() {
	# Check if folder already exists
	if [ ! -d "$HOMEDIR/$user/conf/web/$domain" ]; then
		mkdir -p "$HOMEDIR/$user/conf/web/$domain/"
	fi

	conf="$HOMEDIR/$user/conf/web/$domain/$1.conf"
	if [[ "$2" =~ stpl$ ]]; then
		conf="$HOMEDIR/$user/conf/web/$domain/$1.ssl.conf"
	fi

	domain_idn=$domain
	format_domain_idn

	WEBTPL_LOCATION="$WEBTPL/$1"
	if [ "$1" != "$PROXY_SYSTEM" ] && [ -n "$WEB_BACKEND" ] && [ -d "$WEBTPL_LOCATION/$WEB_BACKEND" ]; then
		if [ -f "$WEBTPL_LOCATION/$WEB_BACKEND/$2" ]; then
			# check for backend specific template
			WEBTPL_LOCATION="$WEBTPL/$1/$WEB_BACKEND"
		fi
	fi

	# Note: Removing or renaming template variables will lead to broken custom templates.
	#   -If possible custom templates should be automatically upgraded to use the new format
	#   -Alternatively a depreciation period with proper notifications should be considered

	cat "${WEBTPL_LOCATION}/$2" \
		| sed -e "s|%ip%|$local_ip|g" \
			-e "s|%domain%|$domain|g" \
			-e "s|%domain_idn%|$domain_idn|g" \
			-e "s|%alias%|${aliases//,/ }|g" \
			-e "s|%alias_idn%|${aliases_idn//,/ }|g" \
			-e "s|%alias_string%|$alias_string|g" \
			-e "s|%email%|info@$domain|g" \
			-e "s|%web_system%|$WEB_SYSTEM|g" \
			-e "s|%web_port%|$WEB_PORT|g" \
			-e "s|%web_ssl_port%|$WEB_SSL_PORT|g" \
			-e "s|%backend_lsnr%|$backend_lsnr|g" \
			-e "s|%rgroups%|$WEB_RGROUPS|g" \
			-e "s|%proxy_system%|$PROXY_SYSTEM|g" \
			-e "s|%proxy_port%|$PROXY_PORT|g" \
			-e "s|%proxy_ssl_port%|$PROXY_SSL_PORT|g" \
			-e "s/%proxy_extentions%/${PROXY_EXT//,/|}/g" \
			-e "s/%proxy_extensions%/${PROXY_EXT//,/|}/g" \
			-e "s|%user%|$user|g" \
			-e "s|%group%|$user|g" \
			-e "s|%home%|$HOMEDIR|g" \
			-e "s|%docroot%|$docroot|g" \
			-e "s|%sdocroot%|$sdocroot|g" \
			-e "s|%ssl_crt%|$ssl_crt|g" \
			-e "s|%ssl_key%|$ssl_key|g" \
			-e "s|%ssl_pem%|$ssl_pem|g" \
			-e "s|%ssl_ca_str%|$ssl_ca_str|g" \
			-e "s|%ssl_ca%|$ssl_ca|g" \
			> $conf

	process_http2_directive "$conf"

	chown root:$user $conf
	chmod 640 $conf

	if [[ "$2" =~ stpl$ ]]; then
		rm -f /etc/$1/conf.d/domains/$domain.ssl.conf
		ln -s $conf /etc/$1/conf.d/domains/$domain.ssl.conf

		# Rename/Move extra SSL config files
		find=$(find $HOMEDIR/$user/conf/web/*.$domain.org* 2> /dev/null)
		for f in $find; do
			if [[ $f =~ .*/s(nginx|apache2)\.$domain\.conf(.*) ]]; then
				ServerType="${BASH_REMATCH[1]}"
				CustomConfigName="${BASH_REMATCH[2]}"
				if [ "$CustomConfigName" = "_letsencrypt" ]; then
					rm -f "$f"
					continue
				fi
				mv "$f" "$HOMEDIR/$user/conf/web/$domain/$ServerType.ssl.conf_old$CustomConfigName"
			fi
		done
	else
		rm -f /etc/$1/conf.d/domains/$domain.conf
		ln -s $conf /etc/$1/conf.d/domains/$domain.conf
		# Rename/Move extra config files
		find=$(find $HOMEDIR/$user/conf/web/*.$domain.org* 2> /dev/null)
		for f in $find; do
			if [[ $f =~ .*/(nginx|apache2)\.$domain\.conf(.*) ]]; then
				ServerType="${BASH_REMATCH[1]}"
				CustomConfigName="${BASH_REMATCH[2]}"
				if [ "$CustomConfigName" = "_letsencrypt" ]; then
					rm -f "$f"
					continue
				fi
				mv "$f" "$HOMEDIR/$user/conf/web/$domain/$ServerType.conf_old$CustomConfigName"
			elif [[ $f =~ .*/forcessl\.(nginx|apache2)\.$domain\.conf ]]; then
				ServerType="${BASH_REMATCH[1]}"
				mv "$f" "$HOMEDIR/$user/conf/web/$domain/$ServerType.forcessl.conf"
			fi
		done
	fi

	trigger="${2/.*pl/.sh}"
	if [ -x "${WEBTPL_LOCATION}/$trigger" ]; then
		$WEBTPL_LOCATION/$trigger \
			$user $domain $local_ip $HOMEDIR \
			$HOMEDIR/$user/web/$domain/public_html
	fi
}

# Get config top and bottom line number
get_web_config_lines() {
	tpl_lines=$(egrep -ni "name %domain_idn%" $1 | grep -w %domain_idn%)
	tpl_lines=$(echo "$tpl_lines" | cut -f 1 -d :)
	tpl_last_line=$(wc -l $1 | cut -f 1 -d ' ')
	if [ -z "$tpl_lines" ]; then
		check_result $E_PARSING "can't parse template $1"
	fi

	domain_idn=$domain
	format_domain_idn
	vhost_lines=$(grep -niF "name $domain_idn" $2)
	vhost_lines=$(echo "$vhost_lines" | egrep "$domain_idn($| |;)")
	vhost_lines=$(echo "$vhost_lines" | cut -f 1 -d :)
	if [ -z "$vhost_lines" ]; then
		check_result $E_PARSING "can't parse config $2"
	fi

	top_line=$((vhost_lines + 1 - tpl_lines))
	bottom_line=$((top_line - 1 + tpl_last_line))
	multi=$(sed -n "$top_line,$bottom_line p" $2 | grep ServerAlias | wc -l)
	if [ "$multi" -ge 2 ]; then
		bottom_line=$((bottom_line + multi - 1))
	fi
}

# Replace web config
replace_web_config() {
	conf="$HOMEDIR/$user/conf/web/$domain/$1.conf"
	if [[ "$2" =~ stpl$ ]]; then
		conf="$HOMEDIR/$user/conf/web/$domain/$1.ssl.conf"
	fi

	if [ -e "$conf" ]; then
		sed -i "s|$old|$new|g" $conf
	fi
}

# Delete web configuration
del_web_config() {
	conf="$HOMEDIR/$user/conf/web/$domain/$1.conf"
	local confname="$domain.conf"
	if [[ "$2" =~ stpl$ ]]; then
		conf="$HOMEDIR/$user/conf/web/$domain/$1.ssl.conf"
		confname="$domain.ssl.conf"
	fi

	# Clean up legacy configuration files
	if [ ! -e "$conf" ]; then
		local legacyconf="$HOMEDIR/$user/conf/web/$1.conf"
		if [[ "$2" =~ stpl$ ]]; then
			legacyconf="$HOMEDIR/$user/conf/web/s$1.conf"
		fi
		rm -f $legacyconf

		# Remove old global includes file
		rm -f /etc/$1/conf.d/hestia.conf
	fi

	# Remove domain configuration files and clean up symbolic links
	rm -f "$conf"

	if [ -n "$WEB_SYSTEM" ] && [ "$WEB_SYSTEM" = "$1" ]; then
		rm -f "/etc/$WEB_SYSTEM/conf.d/domains/$confname"
	fi
	if [ -n "$PROXY_SYSTEM" ] && [ "$PROXY_SYSTEM" = "$1" ]; then
		rm -f "/etc/$PROXY_SYSTEM/conf.d/domains/$confname"
	fi
}

# SSL certificate verification
is_web_domain_cert_valid() {
	if [ ! -e "$ssl_dir/$domain.crt" ]; then
		check_result "$E_NOTEXIST" "$ssl_dir/$domain.crt not found"
	fi

	if [ ! -e "$ssl_dir/$domain.key" ]; then
		check_result "$E_NOTEXIST" "$ssl_dir/$domain.key not found"
	fi

	crt_vrf=$(openssl verify $ssl_dir/$domain.crt 2>&1)
	if [ -n "$(echo $crt_vrf | grep 'unable to load')" ]; then
		check_result "$E_INVALID" "SSL Certificate is not valid"
	fi

	if [ -n "$(echo $crt_vrf | grep 'unable to get local issuer')" ]; then
		if [ ! -e "$ssl_dir/$domain.ca" ]; then
			check_result "$E_NOTEXIST" "Certificate Authority not found"
		fi
	fi

	if [ -e "$ssl_dir/$domain.ca" ]; then
		s1=$(openssl x509 -noout -in $ssl_dir/$domain.crt -issuer 2> /dev/null | cut -d = -f2-)
		s2=$(openssl x509 -noout -in $ssl_dir/$domain.ca -subject 2> /dev/null | cut -d = -f2-)
		if [ "$s1" != "$s2" ]; then
			check_result "$E_NOTEXIST" "SSL intermediate chain is not valid"
		fi
	fi

	key_vrf=$(grep 'PRIVATE KEY' $ssl_dir/$domain.key | wc -l)
	if [ "$key_vrf" -ne 2 ]; then
		check_result "$E_INVALID" "SSL Key is not valid"
	fi
	if [ -n "$(grep 'ENCRYPTED' $ssl_dir/$domain.key)" ]; then
		check_result "$E_FORBIDEN" "SSL Key is protected (remove pass_phrase)"
	fi

	if pgrep -x "openssl" > /dev/null; then
		pkill openssl
	fi

	openssl s_server -quiet -cert $ssl_dir/$domain.crt \
		-key $ssl_dir/$domain.key >> /dev/null 2>&1 &
	pid=$!
	sleep 0.5
	disown &> /dev/null
	kill $pid &> /dev/null
	check_result $? "ssl certificate key pair is not valid" $E_INVALID
}

#----------------------------------------------------------#
#                        DNS                               #
#----------------------------------------------------------#

# DNS template check
is_dns_template_valid() {
	if [ ! -e "$DNSTPL/$1.tpl" ]; then
		check_result "$E_NOTEXIST" "$1 dns template doesn't exist"
	fi
}

# DNS domain existence check
is_dns_domain_new() {
	dns=$(ls $HESTIA/data/users/*/dns/$1.conf 2> /dev/null)
	if [ -n "$dns" ]; then
		if [ "$2" == 'dns' ]; then
			check_result "$E_EXISTS" "DNS domain $1 exists"
		fi
		dns_user=$(echo "$dns" | cut -f 7 -d /)
		if [ "$dns_user" != "$user" ]; then
			check_result "$E_EXISTS" "DNS domain $1 exists"
		fi
	fi
}

# Update domain zone
update_domain_zone() {
	domain_param=$(grep "DOMAIN='$domain'" $USER_DATA/dns.conf)
	parse_object_kv_list "$domain_param"
	local zone_ttl="$TTL"
	SOA=$(idn2 --quiet "$SOA")
	if [ -z "$SERIAL" ]; then
		SERIAL=$(date +'%Y%m%d01')
	fi
	if [[ "$domain" = *[![:ascii:]]* ]]; then
		domain_idn=$(idn2 --quiet "$domain")
	else
		domain_idn=$domain
	fi

	# Set SOA refresh value based on TLD
	tld="${domain_idn##*.}"
	case "$tld" in
		de | cz | pl | pt)
			refresh=1800
			;;
		*)
			refresh=3600
			;;
	esac

	zn_conf="$HOMEDIR/$user/conf/dns/$domain.db"
	echo "\$TTL $zone_ttl
@    IN    SOA    $SOA.    root.$domain_idn. (
                                            $SERIAL
                                            7200
                                            $refresh
                                            1209600
                                            180 )
" > $zn_conf

	fields='$RECORD\t$TTL\tIN\t$TYPE\t$PRIORITY\t$VALUE'
	while read line; do
		unset TTL
		IFS=$'\n'
		for key in $(echo $line | sed "s/' /'\n/g"); do
			eval ${key%%=*}="${key#*=}"
		done

		# inherit zone TTL if record lacks explicit TTL value
		[ -z "$TTL" ] && TTL="$zone_ttl"

		RECORD=$(idn2 --quiet "$RECORD")
		if [ "$TYPE" = 'CNAME' ] || [ "$TYPE" = 'MX' ]; then
			VALUE=$(idn2 --quiet "$VALUE")
		fi

		if [ "$TYPE" = 'TXT' ]; then
			txtlength=${#VALUE}
			if [ $txtlength -gt 255 ]; then
				already_chunked=0
				if [[ $VALUE == *"\" \""* ]] || [[ $VALUE == *"\"\""* ]]; then
					already_chunked=1
				fi
				if [ $already_chunked -eq 0 ]; then
					if [[ ${VALUE:0:1} = '"' ]]; then
						txtlength=$(($txtlength - 2))
						VALUE=${VALUE:1:txtlength}
					fi
					VALUE=$(echo $VALUE | fold -w 255 | xargs -I '$' echo -n '"$"')
				fi
			fi
		fi

		if [ "$SUSPENDED" != 'yes' ]; then
			eval echo -e "\"$fields\"" | sed "s/%quote%/'/g" >> $zn_conf
		fi
	done < $USER_DATA/dns/$domain.conf
}

# Update zone serial
update_domain_serial() {
	zn_conf="$HOMEDIR/$user/conf/dns/$domain.db"
	if [ -e $zn_conf ]; then
		zn_serial=$(head $zn_conf | grep 'SOA' -A1 | tail -n 1 | sed "s/ //g")
		s_date=$(echo ${zn_serial:0:8})
		c_date=$(date +'%Y%m%d')
		if [ "$s_date" == "$c_date" ]; then
			cur_value=$(echo ${zn_serial:8})
			new_value=$(expr $cur_value + 1)
			len_value=$(expr length $new_value)
			if [ 1 -eq "$len_value" ]; then
				new_value='0'$new_value
			fi
			serial="$c_date""$new_value"
		else
			serial="$(date +'%Y%m%d01')"
		fi
	else
		serial="$(date +'%Y%m%d01')"
	fi
	add_object_key "dns" 'DOMAIN' "$domain" 'SERIAL' 'RECORDS'
	update_object_value 'dns' 'DOMAIN' "$domain" '$SERIAL' "$serial"
}

# Get next DNS record ID
get_next_dnsrecord() {
	if [ -z "$id" ]; then
		curr_str=$(grep "ID=" $USER_DATA/dns/$domain.conf | cut -f 2 -d \' \
			| sort -n | tail -n1)
		id="$((curr_str + 1))"
	fi
}

# Sort DNS records
sort_dns_records() {
	conf="$USER_DATA/dns/$domain.conf"
	cat $conf | sort -n -k 2 -t \' > $conf.tmp
	mv -f $conf.tmp $conf
}

# Check if this is a last record
is_dns_record_critical() {
	str=$(grep "ID='$id'" $USER_DATA/dns/$domain.conf)
	parse_object_kv_list "$str"
	if [ "$TYPE" = 'A' ] || [ "$TYPE" = 'NS' ]; then
		records=$(grep "TYPE='$TYPE'" $USER_DATA/dns/$domain.conf | wc -l)
		if [ $records -le 1 ]; then
			echo "Error: at least one $TYPE record should remain active"
			log_event "$E_INVALID" "$ARGUMENTS"
			exit "$E_INVALID"
		fi
	fi
}

# Check if dns record is valid
is_dns_fqnd() {
	t=$1
	r=$2
	fqdn_type=$(echo $t | grep "^NS\|CNAME\|MX\|PTR\|SRV")
	tree_length=3
	if [[ $t = 'CNAME' || $t = 'MX' || $t = 'PTR' ]]; then
		tree_length=2
	fi
	if [ -n "$fqdn_type" ]; then
		dots=$(echo $dvalue | grep -o "\." | wc -l)
		if [ "$dots" -lt "$tree_length" ]; then
			r=$(echo $r | sed -e "s/\.$//")
			msg="$t record $r should be a fully qualified domain name (FQDN)"
			echo "Error: $msg"
			log_event "$E_INVALID" "$ARGUMENTS"
			exit "$E_INVALID"
		fi
	fi
}

# Validate nameserver
is_dns_nameserver_valid() {
	d=$1
	t=$2
	r=$3
	if [ "$t" = 'NS' ]; then
		remote=$(echo $r | grep ".$domain.$")
		if [ -n "$remote" ]; then
			zone=$USER_DATA/dns/$d.conf
			a_record=${r%.$d.}
			n_record=$(grep "RECORD='$a_record'" $zone | grep "TYPE='A'")
			if [ -z "$n_record" ]; then
				check_result "$E_NOTEXIST" "IN A $a_record.$d does not exist"
			fi
		fi
	fi
}

#----------------------------------------------------------#
#                       MAIL                               #
#----------------------------------------------------------#

# Mail domain existence check
is_mail_domain_new() {
	mail=$(ls $HESTIA/data/users/*/mail/$1.conf 2> /dev/null)
	if [ -n "$mail" ]; then
		if [ "$2" == 'mail' ]; then
			check_result $E_EXISTS "Mail domain $1 exists"
		fi
		mail_user=$(echo "$mail" | cut -f 7 -d /)
		if [ "$mail_user" != "$user" ]; then
			check_result "$E_EXISTS" "Mail domain $1 exists"
		fi
	fi
	mail_sub=$(echo "$1" | cut -f 1 -d .)
	mail_nosub=$(echo "$1" | cut -f 1 -d . --complement)
	for mail_reserved in $(echo "mail $WEBMAIL_ALIAS"); do
		if [ -n "$(ls $HESTIA/data/users/*/mail/$mail_reserved.$1.conf 2> /dev/null)" ]; then
			if [ "$2" == 'mail' ]; then
				check_result "$E_EXISTS" "Required subdomain \"$mail_reserved.$1\" already exists"
			fi
		fi
		if [ -n "$(ls $HESTIA/data/users/*/mail/$mail_nosub.conf 2> /dev/null)" ] && [ "$mail_sub" = "$mail_reserved" ]; then
			if [ "$2" == 'mail' ]; then
				check_result "$E_INVALID" "The subdomain \"$mail_sub.\" is reserved by \"$mail_nosub\""
			fi
		fi
	done
}

# Checking mail account existence
is_mail_new() {
	check_acc=$(grep "ACCOUNT='$1'" $USER_DATA/mail/$domain.conf)
	if [ -n "$check_acc" ]; then
		check_result "$E_EXISTS" "mail account $1 already exists"
	fi
	check_als=$(awk -F "ALIAS='" '{print $2}' $USER_DATA/mail/$domain.conf)
	match=$(echo "$check_als" | cut -f 1 -d "'" | grep $1)
	if [ -n "$match" ]; then
		parse_object_kv_list $(grep "ALIAS='$match'" $USER_DATA/mail/$domain.conf)
		check_als=$(echo ",$ALIAS," | grep ",$1,")
		if [ -n "$check_als" ]; then
			check_result "$E_EXISTS" "mail alias $1 already exists"
		fi
	fi
}

# Add mail server SSL configuration
add_mail_ssl_config() {
	# Ensure that SSL certificate directories exists
	if [ ! -d "$HOMEDIR/$user/conf/mail/$domain/ssl/" ]; then
		mkdir -p $HOMEDIR/$user/conf/mail/$domain/ssl/
	fi

	if [ ! -d "$HESTIA/ssl/mail" ]; then
		mkdir -p $HESTIA/ssl/mail
	fi

	if [ ! -d /etc/dovecot/conf.d/domains ]; then
		mkdir -p /etc/dovecot/conf.d/domains
	fi

	# Add certificate to Hestia user configuration data directory
	if [ -f "$ssl_dir/$domain.crt" ]; then
		cp -f $ssl_dir/$domain.crt $USER_DATA/ssl/mail.$domain.crt
		cp -f $ssl_dir/$domain.key $USER_DATA/ssl/mail.$domain.key
		cp -f $ssl_dir/$domain.crt $USER_DATA/ssl/mail.$domain.pem
		if [ -e "$ssl_dir/$domain.ca" ]; then
			cp -f $ssl_dir/$domain.ca $USER_DATA/ssl/mail.$domain.ca
			echo >> $USER_DATA/ssl/mail.$domain.pem
			cat $USER_DATA/ssl/mail.$domain.ca >> $USER_DATA/ssl/mail.$domain.pem
		fi
	fi

	chmod 660 $USER_DATA/ssl/mail.$domain.*

	# Add certificate to user home directory
	cp -f $USER_DATA/ssl/mail.$domain.crt $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.crt
	cp -f $USER_DATA/ssl/mail.$domain.key $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.key
	cp -f $USER_DATA/ssl/mail.$domain.pem $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.pem
	if [ -e "$USER_DATA/ssl/mail.$domain.ca" ]; then
		cp -f $USER_DATA/ssl/mail.$domain.ca $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.ca
	fi

	# Clean up dovecot configuration (if it exists)
	if [ -f /etc/dovecot/conf.d/domains/$domain.conf ]; then
		rm -f /etc/dovecot/conf.d/domains/$domain.conf
	fi

	# Check if using custom / wildcard mail certificate
	wildcard_domain="\\*.$(echo "$domain" | cut -f 1 -d . --complement)"
	mail_cert_match=$($BIN/v-list-mail-domain-ssl $user $domain | awk '/SUBJECT|ALIASES/' | grep -wE " $domain| $wildcard_domain")

	if [ -n "$mail_cert_match" ]; then
		# Add domain SSL configuration to dovecot
		echo "" >> /etc/dovecot/conf.d/domains/$domain.conf
		echo "local_name $domain {" >> /etc/dovecot/conf.d/domains/$domain.conf
		echo "  ssl_cert = <$HOMEDIR/$user/conf/mail/$domain/ssl/$domain.pem" >> /etc/dovecot/conf.d/domains/$domain.conf
		echo "  ssl_key = <$HOMEDIR/$user/conf/mail/$domain/ssl/$domain.key" >> /etc/dovecot/conf.d/domains/$domain.conf
		echo "}" >> /etc/dovecot/conf.d/domains/$domain.conf

		# Add domain SSL configuration to exim4
		ln -s $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.pem $HESTIA/ssl/mail/$domain.crt
		ln -s $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.key $HESTIA/ssl/mail/$domain.key
	fi

	# Add domain SSL configuration to dovecot
	echo "" >> /etc/dovecot/conf.d/domains/$domain.conf
	echo "local_name mail.$domain {" >> /etc/dovecot/conf.d/domains/$domain.conf
	echo "  ssl_cert = <$HOMEDIR/$user/conf/mail/$domain/ssl/$domain.pem" >> /etc/dovecot/conf.d/domains/$domain.conf
	echo "  ssl_key = <$HOMEDIR/$user/conf/mail/$domain/ssl/$domain.key" >> /etc/dovecot/conf.d/domains/$domain.conf
	echo "}" >> /etc/dovecot/conf.d/domains/$domain.conf

	# Add domain SSL configuration to exim4
	ln -s $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.pem $HESTIA/ssl/mail/mail.$domain.crt
	ln -s $HOMEDIR/$user/conf/mail/$domain/ssl/$domain.key $HESTIA/ssl/mail/mail.$domain.key

	# Set correct permissions on certificates
	chmod 0750 $HOMEDIR/$user/conf/mail/$domain/ssl
	chown -R $MAIL_USER:mail $HOMEDIR/$user/conf/mail/$domain/ssl
	chmod 0644 $HOMEDIR/$user/conf/mail/$domain/ssl/*
	chown -h $user:mail $HOMEDIR/$user/conf/mail/$domain/ssl/*
	chmod -R 0644 $HESTIA/ssl/mail/*
	chown -h $user:mail $HESTIA/ssl/mail/*
}

# Delete SSL support for mail domain
del_mail_ssl_config() {
	# Check to prevent accidental removal of mismatched certificate
	wildcard_domain="\\*.$(echo "$domain" | cut -f 1 -d . --complement)"
	mail_cert_match=$($BIN/v-list-mail-domain-ssl $user $domain | awk '/SUBJECT|ALIASES/' | grep -wE " $domain| $wildcard_domain")

	# Remove old mail certificates
	rm -f $HOMEDIR/$user/conf/mail/$domain/ssl/*

	# Remove dovecot configuration
	rm -f /etc/dovecot/conf.d/domains/$domain.conf

	# Remove SSL vhost configuration
	rm -f $HOMEDIR/$user/conf/mail/$domain/*.*ssl.conf
	rm -f /etc/$WEB_SYSTEM/conf.d/domains/$WEBMAIL_ALIAS.$domain.ssl.conf
	rm -f /etc/$PROXY_SYSTEM/conf.d/domains/$WEBMAIL_ALIAS.$domain.ssl.conf

	# Remove SSL certificates
	rm -f $HOMEDIR/$user/conf/mail/$domain/ssl/*
	if [ -n "$mail_cert_match" ]; then
		rm -f $HESTIA/ssl/mail/$domain.crt $HESTIA/ssl/mail/$domain.key
	fi
	rm -f $HESTIA/ssl/mail/mail.$domain.crt $HESTIA/ssl/mail/mail.$domain.key
}

# Delete generated certificates from user configuration data directory
del_mail_ssl_certificates() {
	rm -f $USER_DATA/ssl/mail.$domain.ca
	rm -f $USER_DATA/ssl/mail.$domain.crt
	rm -f $USER_DATA/ssl/mail.$domain.key
	rm -f $USER_DATA/ssl/mail.$domain.pem
	rm -f $HOMEDIR/$user/conf/mail/$domain/ssl/*
}

# Add webmail config
add_webmail_config() {
	mkdir -p "$HOMEDIR/$user/conf/mail/$domain"
	conf="$HOMEDIR/$user/conf/mail/$domain/$1.conf"
	if [[ "$2" =~ stpl$ ]]; then
		conf="$HOMEDIR/$user/conf/mail/$domain/$1.ssl.conf"
	fi

	domain_idn=$domain
	format_domain_idn

	ssl_crt="$HOMEDIR/$user/conf/mail/$domain/ssl/$domain.crt"
	ssl_key="$HOMEDIR/$user/conf/mail/$domain/ssl/$domain.key"
	ssl_pem="$HOMEDIR/$user/conf/mail/$domain/ssl/$domain.pem"
	ssl_ca="$HOMEDIR/$user/conf/mail/$domain/ssl/$domain.ca"

	override_alias=""
	if [ "$WEBMAIL_ALIAS" != "mail" ]; then
		override_alias="mail.$domain"
		override_alias_idn="mail.$domain_idn"
	fi

	# Note: Removing or renaming template variables will lead to broken custom templates.
	#   -If possible custom templates should be automatically upgraded to use the new format
	#   -Alternatively a depreciation period with proper notifications should be considered

	cat $MAILTPL/$1/$2 \
		| sed -e "s|%ip%|$local_ip|g" \
			-e "s|%domain%|$WEBMAIL_ALIAS.$domain|g" \
			-e "s|%domain_idn%|$WEBMAIL_ALIAS.$domain_idn|g" \
			-e "s|%root_domain%|$domain|g" \
			-e "s|%alias%|$override_alias|g" \
			-e "s|%alias_idn%|$override_alias_idn|g" \
			-e "s|%alias_string%|$alias_string|g" \
			-e "s|%email%|info@$domain|g" \
			-e "s|%web_system%|$WEB_SYSTEM|g" \
			-e "s|%web_port%|$WEB_PORT|g" \
			-e "s|%web_ssl_port%|$WEB_SSL_PORT|g" \
			-e "s|%backend_lsnr%|$backend_lsnr|g" \
			-e "s|%rgroups%|$WEB_RGROUPS|g" \
			-e "s|%proxy_system%|$PROXY_SYSTEM|g" \
			-e "s|%proxy_port%|$PROXY_PORT|g" \
			-e "s|%proxy_ssl_port%|$PROXY_SSL_PORT|g" \
			-e "s/%proxy_extensions%/${PROXY_EXT//,/|}/g" \
			-e "s|%user%|$user|g" \
			-e "s|%group%|$user|g" \
			-e "s|%home%|$HOMEDIR|g" \
			-e "s|%docroot%|$docroot|g" \
			-e "s|%sdocroot%|$sdocroot|g" \
			-e "s|%ssl_crt%|$ssl_crt|g" \
			-e "s|%ssl_key%|$ssl_key|g" \
			-e "s|%ssl_pem%|$ssl_pem|g" \
			-e "s|%ssl_ca_str%|$ssl_ca_str|g" \
			-e "s|%ssl_ca%|$ssl_ca|g" \
			> $conf

	process_http2_directive "$conf"

	chown root:$user $conf
	chmod 640 $conf

	if [[ "$2" =~ stpl$ ]]; then
		if [ -n "$WEB_SYSTEM" ]; then
			forcessl="$HOMEDIR/$user/conf/mail/$domain/$WEB_SYSTEM.forcessl.conf"
			rm -f /etc/$1/conf.d/domains/$WEBMAIL_ALIAS.$domain.ssl.conf
			ln -s $conf /etc/$1/conf.d/domains/$WEBMAIL_ALIAS.$domain.ssl.conf
		fi
		if [ -n "$PROXY_SYSTEM" ]; then
			forcessl="$HOMEDIR/$user/conf/mail/$domain/$PROXY_SYSTEM.forcessl.conf"
			rm -f /etc/$1/conf.d/domains/$WEBMAIL_ALIAS.$domain.ssl.conf
			ln -s $conf /etc/$1/conf.d/domains/$WEBMAIL_ALIAS.$domain.ssl.conf
		fi

		# Add rewrite rules to force HTTPS/SSL connections
		if [ -n "$PROXY_SYSTEM" ] || [ "$WEB_SYSTEM" = 'nginx' ]; then
			echo 'return 301 https://$server_name$request_uri;' > $forcessl
		else
			echo 'RewriteEngine On' > $forcessl
			echo 'RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]' >> $forcessl
		fi

		# Remove old configurations
		find $HOMEDIR/$user/conf/mail/ -maxdepth 1 -type f \( -name "$domain.*" -o -name "ssl.$domain.*" -o -name "*nginx.$domain.*" \) -exec rm {} \;
	else
		if [ -n "$WEB_SYSTEM" ]; then
			rm -f /etc/$1/conf.d/domains/$WEBMAIL_ALIAS.$domain.conf
			ln -s $conf /etc/$1/conf.d/domains/$WEBMAIL_ALIAS.$domain.conf
		fi
		if [ -n "$PROXY_SYSTEM" ]; then
			rm -f /etc/$1/conf.d/domains/$WEBMAIL_ALIAS.$domain.conf
			ln -s $conf /etc/$1/conf.d/domains/$WEBMAIL_ALIAS.$domain.conf
		fi
		# Clear old configurations
		find $HOMEDIR/$user/conf/mail/ -maxdepth 1 -type f \( -name "$domain.*" \) -exec rm {} \;
	fi
}

# Delete webmail support
del_webmail_config() {
	if [ -n "$WEB_SYSTEM" ]; then
		rm -f $HOMEDIR/$user/conf/mail/$domain/$WEB_SYSTEM.conf
		rm -f /etc/$WEB_SYSTEM/conf.d/domains/$WEBMAIL_ALIAS.$domain.conf
	fi

	if [ -n "$PROXY_SYSTEM" ]; then
		rm -f $HOMEDIR/$user/conf/mail/$domain/$PROXY_SYSTEM.*conf
		rm -f /etc/$PROXY_SYSTEM/conf.d/domains/$WEBMAIL_ALIAS.$domain.conf
	fi
}

# Delete SSL webmail support
del_webmail_ssl_config() {
	if [ -n "$WEB_SYSTEM" ]; then
		rm -f $HOMEDIR/$user/conf/mail/$domain/$WEB_SYSTEM.*ssl.conf
		rm -f /etc/$WEB_SYSTEM/conf.d/domains/$WEBMAIL_ALIAS.$domain.ssl.conf
	fi

	if [ -n "$PROXY_SYSTEM" ]; then
		rm -f $HOMEDIR/$user/conf/mail/$domain/$PROXY_SYSTEM.*ssl.conf
		rm -f /etc/$PROXY_SYSTEM/conf.d/domains/$WEBMAIL_ALIAS.$domain.ssl.conf
	fi
}

#----------------------------------------------------------#
#                        CMN                               #
#----------------------------------------------------------#

# Checking domain existence
is_domain_new() {
	type=$1
	for object in ${2//,/ }; do
		if [ -n "$WEB_SYSTEM" ]; then
			is_web_domain_new $object $type
			is_web_alias_new $object $type
		fi
		if [ -n "$DNS_SYSTEM" ]; then
			is_dns_domain_new $object $type
		fi
		if [ -n "$MAIL_SYSTEM" ]; then
			is_mail_domain_new $object $type
		fi
	done
}

# Get domain variables
get_domain_values() {
	parse_object_kv_list $(grep "DOMAIN='$domain'" $USER_DATA/$1.conf)
}

#----------------------------------------------------------#
# 2 Char domain name detection                             #
#----------------------------------------------------------#

is_valid_extension() {
	if [ ! -e "$HESTIA/data/extensions/public_suffix_list.dat" ]; then
		mkdir $HESTIA/data/extensions/
		chmod 750 $HESTIA/data/extensions/
		/usr/bin/wget --tries=3 --timeout=15 --read-timeout=15 --waitretry=3 --no-dns-cache --quiet -O $HESTIA/data/extensions/public_suffix_list.dat https://raw.githubusercontent.com/publicsuffix/list/master/public_suffix_list.dat
	fi
	test_domain=$(idn2 -d "$1")
	extension=$(/bin/echo "${test_domain}" | /usr/bin/rev | /usr/bin/cut -d "." --output-delimiter="." -f 1 | /usr/bin/rev)
	exten=$(grep "^$extension\$" $HESTIA/data/extensions/public_suffix_list.dat)
}

is_valid_2_part_extension() {
	if [ ! -e "$HESTIA/data/extensions/public_suffix_list.dat" ]; then
		mkdir $HESTIA/data/extensions/
		chmod 750 $HESTIA/data/extensions/
		/usr/bin/wget --tries=3 --timeout=15 --read-timeout=15 --waitretry=3 --no-dns-cache --quiet -O $HESTIA/data/extensions/public_suffix_list.dat https://raw.githubusercontent.com/publicsuffix/list/master/public_suffix_list.dat
	fi
	test_domain=$(idn2 -d "$1")
	extension=$(/bin/echo "${test_domain}" | /usr/bin/rev | /usr/bin/cut -d "." --output-delimiter="." -f 1-2 | /usr/bin/rev)
	exten=$(grep "^$extension\$" $HESTIA/data/extensions/public_suffix_list.dat)
}

get_base_domain() {
	test_domain=$1
	is_valid_extension "$test_domain"
	if [ $? -ne 0 ]; then
		basedomain=$(/bin/echo "${test_domain}" | /usr/bin/rev | /usr/bin/cut -d "." --output-delimiter="." -f 1-2 | /usr/bin/rev)
	else
		is_valid_2_part_extension "$test_domain"
		if [ $? -ne 0 ]; then
			basedomain=$(/bin/echo "${test_domain}" | /usr/bin/rev | /usr/bin/cut -d "." --output-delimiter="." -f 1-2 | /usr/bin/rev)
		else
			extension=$(/bin/echo "${test_domain}" | /usr/bin/rev | /usr/bin/cut -d "." --output-delimiter="." -f 1-2 | /usr/bin/rev)
			partdomain=$(/bin/echo "${test_domain}" | /usr/bin/rev | /usr/bin/cut -d "." --output-delimiter="." -f 3 | /usr/bin/rev)
			basedomain="$partdomain.$extension"
		fi
	fi
}

is_base_domain_owner() {
	for object in ${1//,/ }; do
		if [ "$object" != "none" ]; then
			get_base_domain $object
			web=$(grep -F -H -h "DOMAIN='$basedomain'" $HESTIA/data/users/*/web.conf)
			if [ "$ENFORCE_SUBDOMAIN_OWNERSHIP" = "yes" ]; then
				if [ -n "$web" ]; then
					parse_object_kv_list "$web"
					if [ -z "$ALLOW_USERS" ] || [ "$ALLOW_USERS" != "yes" ]; then
						# Don't care if $basedomain all ready exists only if the owner is of the base domain is the current user
						check=$(is_domain_new "" $basedomain)
						if [ $? -ne 0 ]; then
							echo "Error: Unable to add $object. $basedomain belongs to a different user"
							exit 4
						fi
					fi
				else
					check=$(is_domain_new "" "$basedomain")
					if [ $? -ne 0 ]; then
						echo "Error: Unable to add $object. $basedomain belongs to a different user"
						exit 4
					fi
				fi
			fi
		fi
	done
}

#----------------------------------------------------------#
#           Process "http2" directive for NGINX            #
#----------------------------------------------------------#

process_http2_directive() {
	if [ -e /etc/nginx/conf.d/http2-directive.conf ]; then
		while IFS= read -r old_param; do
			new_param="$(echo "$old_param" | sed 's/\shttp2//')"
			sed -i "s/$old_param/$new_param/" "$1"
		done < <(grep -E "listen.*(\bssl\b(\s|.+){1,}\bhttp2\b|\bhttp2\b(\s|.+){1,}\bssl\b).*;" "$1")
	else
		if version_ge "$(nginx -v 2>&1 | cut -d'/' -f2)" "1.25.1"; then
			echo "http2 on;" > /etc/nginx/conf.d/http2-directive.conf

			while IFS= read -r old_param; do
				new_param="$(echo "$old_param" | sed 's/\shttp2//')"
				sed -i "s/$old_param/$new_param/" "$1"
			done < <(grep -E "listen.*(\bssl\b(\s|.+){1,}\bhttp2\b|\bhttp2\b(\s|.+){1,}\bssl\b).*;" "$1")
		else
			listen_ssl="$(grep -E "listen.*\s\bssl\b(?:\s)*.*;" "$1")"
			listen_http2="$(grep -E "listen.*(\bssl\b(\s|.+){1,}\bhttp2\b|\bhttp2\b(\s|.+){1,}\bssl\b).*;" "$1")"

			if [ -n "$listen_ssl" ] && [ -z "$listen_http2" ]; then
				while IFS= read -r old_param; do
					new_param="$(echo "$old_param" | sed 's/\sssl/ ssl http2/')"
					sed -i "s/$old_param/$new_param/" "$1"
				done < <(grep -E "listen.*\s\bssl\b(?:\s)*.*;" "$1")
			fi
		fi
	fi
}