#!/bin/bash
set -e

# OSTP Server - Automated Deployment Script
# Version: 0.1.0
# Requires: root/sudo access

GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color

echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║   OSTP Server Deployment Script       ║${NC}"
echo -e "${GREEN}║   Version 0.1.0                        ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo

# Check if running as root
if [[ $EUID -ne 0 ]]; then
   echo -e "${RED}Error: This script must be run as root${NC}"
   echo "Usage: sudo ./deploy.sh"
   exit 1
fi

# Check if binaries exist
if [ ! -f "ostp-server" ] || [ ! -f "oncp-master" ]; then
    echo -e "${RED}Error: Binaries not found in current directory${NC}"
    exit 1
fi

# Verify checksums
echo -e "${YELLOW}→${NC} Verifying integrity..."
if sha256sum -c SHA256SUMS > /dev/null 2>&1; then
    echo -e "${GREEN}✓${NC} Checksums verified"
else
    echo -e "${RED}✗${NC} Checksum verification failed!"
    read -p "Continue anyway? (y/N): " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
        exit 1
    fi
fi

# Configuration prompts
echo
echo -e "${YELLOW}═══ Configuration ═══${NC}"
read -p "Network octet (10.X.0.0/16, default 42): " NETWORK_OCTET
NETWORK_OCTET=${NETWORK_OCTET:-42}

read -p "ostp-server listen port (default 443): " OSTP_PORT
OSTP_PORT=${OSTP_PORT:-443}

read -p "oncp-master listen port (default 8080): " ONCP_PORT
ONCP_PORT=${ONCP_PORT:-8080}

read -p "Install directory (default /usr/local/bin): " INSTALL_DIR
INSTALL_DIR=${INSTALL_DIR:-/usr/local/bin}

read -p "Config directory (default /etc/ostp): " CONFIG_DIR
CONFIG_DIR=${CONFIG_DIR:-/etc/ostp}

read -p "Database directory (default /var/lib/ostp): " DATA_DIR
DATA_DIR=${DATA_DIR:-/var/lib/ostp}

# Generate PSK
echo
echo -e "${YELLOW}→${NC} Generating PSK..."
PSK=$(openssl rand -hex 32)
echo -e "${GREEN}✓${NC} PSK generated: ${YELLOW}${PSK}${NC}"
echo -e "${RED}⚠ SAVE THIS PSK! It will be stored in ${CONFIG_DIR}/server.json${NC}"

# Create directories
echo
echo -e "${YELLOW}→${NC} Creating directories..."
mkdir -p "$INSTALL_DIR"
mkdir -p "$CONFIG_DIR"
mkdir -p "$DATA_DIR"
mkdir -p /var/log/ostp

# Install binaries
echo -e "${YELLOW}→${NC} Installing binaries..."
cp ostp-server oncp-master "$INSTALL_DIR/"
chmod +x "$INSTALL_DIR/ostp-server" "$INSTALL_DIR/oncp-master"
echo -e "${GREEN}✓${NC} Binaries installed to $INSTALL_DIR"

# Create ostp-server config
cat > "$CONFIG_DIR/server.json" <<EOF
{
  "listen_addr": "0.0.0.0:${OSTP_PORT}",
  "psk": "${PSK}",
  "master_url": "http://127.0.0.1:${ONCP_PORT}",
  "country_code": "US",
  "max_clients": 1000
}
EOF
chmod 600 "$CONFIG_DIR/server.json"
echo -e "${GREEN}✓${NC} Configuration saved to $CONFIG_DIR/server.json"

# Create systemd service for oncp-master
cat > /etc/systemd/system/oncp-master.service <<EOF
[Unit]
Description=ONCP Master Node - Control Plane API
After=network.target

[Service]
Type=simple
User=root
WorkingDirectory=${DATA_DIR}
Environment="ONCP_DATABASE=${DATA_DIR}/oncp.db"
Environment="ONCP_NETWORK_OCTET=${NETWORK_OCTET}"
ExecStart=${INSTALL_DIR}/oncp-master serve --listen 0.0.0.0:${ONCP_PORT} --network-octet ${NETWORK_OCTET}
Restart=on-failure
RestartSec=5s
StandardOutput=append:/var/log/ostp/oncp-master.log
StandardError=append:/var/log/ostp/oncp-master.log

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=${DATA_DIR} /var/log/ostp

[Install]
WantedBy=multi-user.target
EOF

# Create systemd service for ostp-server
cat > /etc/systemd/system/ostp-server.service <<EOF
[Unit]
Description=OSTP VPN Server
After=network.target oncp-master.service
Requires=oncp-master.service

[Service]
Type=simple
User=root
WorkingDirectory=${CONFIG_DIR}
ExecStart=${INSTALL_DIR}/ostp-server -c ${CONFIG_DIR}/server.json
Restart=on-failure
RestartSec=5s
StandardOutput=append:/var/log/ostp/ostp-server.log
StandardError=append:/var/log/ostp/ostp-server.log

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log/ostp

# Resource limits
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

echo -e "${GREEN}✓${NC} Systemd services created"

# Reload systemd
systemctl daemon-reload

# Configure firewall (if ufw is available)
if command -v ufw &> /dev/null; then
    echo -e "${YELLOW}→${NC} Configuring firewall..."
    ufw allow ${OSTP_PORT}/tcp comment "OSTP VPN Server"
    echo -e "${GREEN}✓${NC} Firewall rule added for port ${OSTP_PORT}"
    echo -e "${YELLOW}⚠${NC} Note: Port ${ONCP_PORT} (oncp-master) not exposed. Restrict to internal network in production!"
fi

# Enable and start services
echo
echo -e "${YELLOW}→${NC} Starting services..."
systemctl enable oncp-master ostp-server
systemctl start oncp-master

# Wait for oncp-master to start
sleep 2

# Generate enrollment token
echo -e "${YELLOW}→${NC} Generating enrollment token..."
TOKEN=$(${INSTALL_DIR}/oncp-master node token --expiry 60 2>/dev/null | grep -A1 "Token:" | tail -1 | xargs)
echo -e "${GREEN}✓${NC} Enrollment token (60 min): ${YELLOW}${TOKEN}${NC}"

# Start ostp-server
systemctl start ostp-server

echo
echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║   Deployment Complete! ✓               ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo
echo -e "${YELLOW}Services Status:${NC}"
systemctl status oncp-master --no-pager -l || true
systemctl status ostp-server --no-pager -l || true
echo
echo -e "${YELLOW}Important Information:${NC}"
echo -e "  • Network: ${GREEN}10.${NETWORK_OCTET}.0.0/16${NC}"
echo -e "  • Master IP: ${GREEN}10.${NETWORK_OCTET}.0.1${NC}"
echo -e "  • PSK: ${YELLOW}${PSK}${NC}"
echo -e "  • Enrollment Token: ${YELLOW}${TOKEN}${NC} (expires in 60 minutes)"
echo -e "  • Config: ${CONFIG_DIR}/server.json"
echo -e "  • Database: ${DATA_DIR}/oncp.db"
echo -e "  • Logs: /var/log/ostp/"
echo
echo -e "${YELLOW}Next Steps:${NC}"
echo -e "  1. Enroll nodes: ${GREEN}ostp-server --token ${TOKEN} --master https://your-master${NC}"
echo -e "  2. Approve nodes: ${GREEN}oncp-master node pending${NC} → ${GREEN}oncp-master node approve <id>${NC}"
echo -e "  3. Create users: ${GREEN}oncp-master user create --quota 100 --days 30${NC}"
echo -e "  4. Monitor logs: ${GREEN}journalctl -u ostp-server -f${NC}"
echo
echo -e "${RED}⚠ Security Reminder:${NC}"
echo -e "  • Save PSK in password manager"
echo -e "  • Restrict port ${ONCP_PORT} to internal network"
echo -e "  • Set up SSL/TLS reverse proxy for production"
echo -e "  • Configure log rotation"
echo

exit 0