#!/bin/bash
set -e

# OSTP Server - Automated Deployment Script
# Version: 0.1.0
# Requires: root/sudo access

GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color

echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║   OSTP Server Deployment Script       ║${NC}"
echo -e "${GREEN}║   Version 0.1.0                        ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo

# Check if running as root
if [[ $EUID -ne 0 ]]; then
   echo -e "${RED}Error: This script must be run as root${NC}"
   echo "Usage: sudo ./deploy.sh"
   exit 1
fi

# Check if binaries exist
if [ ! -f "ostp-server" ] || [ ! -f "oncp-master" ]; then
    echo -e "${RED}Error: Binaries not found in current directory${NC}"
    exit 1
fi

# Verify checksums
echo -e "${YELLOW}→${NC} Verifying integrity..."
if sha256sum -c SHA256SUMS > /dev/null 2>&1; then
    echo -e "${GREEN}✓${NC} Checksums verified"
else
    echo -e "${RED}✗${NC} Checksum verification failed!"
    read -p "Continue anyway? (y/N): " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
        exit 1
    fi
fi

# Configuration prompts
echo
echo -e "${YELLOW}═══ Configuration ═══${NC}"
echo "Deployment mode:"
echo "  1) Standalone server (connect to existing Master Node)"
echo "  2) Full stack (ostp-server + oncp-master on this host)"
read -p "Select mode (1 or 2, default 2): " DEPLOY_MODE
DEPLOY_MODE=${DEPLOY_MODE:-2}

if [ "$DEPLOY_MODE" = "1" ]; then
    read -p "Master Node URL (e.g., http://master.example.com:8080): " MASTER_URL
    read -p "Enrollment token: " ENROLL_TOKEN
    NETWORK_OCTET=0  # Will be assigned by master
else
    read -p "Network octet (10.X.0.0/16, default 42): " NETWORK_OCTET
    NETWORK_OCTET=${NETWORK_OCTET:-42}
    read -p "oncp-master listen port (default 8080): " ONCP_PORT
    ONCP_PORT=${ONCP_PORT:-8080}
fi

read -p "ostp-server listen port (default 443): " OSTP_PORT
OSTP_PORT=${OSTP_PORT:-443}

read -p "Install directory (default /usr/local/bin): " INSTALL_DIR
INSTALL_DIR=${INSTALL_DIR:-/usr/local/bin}

read -p "Config directory (default /etc/ostp): " CONFIG_DIR
CONFIG_DIR=${CONFIG_DIR:-/etc/ostp}

read -p "Database directory (default /var/lib/ostp): " DATA_DIR
DATA_DIR=${DATA_DIR:-/var/lib/ostp}

# Generate PSK (only for full stack mode)
if [ "$DEPLOY_MODE" = "2" ]; then
    echo
    echo -e "${YELLOW}→${NC} Generating PSK..."
    PSK=$(openssl rand -hex 32)
    echo -e "${GREEN}✓${NC} PSK generated: ${YELLOW}${PSK}${NC}"
    echo -e "${RED}⚠ SAVE THIS PSK! It will be stored in ${CONFIG_DIR}/server.json${NC}"
else
    PSK="AUTO"  # Will be assigned by master after approval
fi

# Create directories
echo
echo -e "${YELLOW}→${NC} Creating directories..."
mkdir -p "$INSTALL_DIR"
mkdir -p "$CONFIG_DIR"
mkdir -p "$DATA_DIR"
mkdir -p /var/log/ostp

# Install binaries
echo -e "${YELLOW}→${NC} Installing binaries..."
cp ostp-server oncp-master "$INSTALL_DIR/"
chmod +x "$INSTALL_DIR/ostp-server" "$INSTALL_DIR/oncp-master"
echo -e "${GREEN}✓${NC} Binaries installed to $INSTALL_DIR"

# Create ostp-server config
if [ "$DEPLOY_MODE" = "1" ]; then
    # Standalone mode - enrollment config
    cat > "$CONFIG_DIR/server.json" <<EOF
{
  "listen": "0.0.0.0:${OSTP_PORT}",
  "psk": "${PSK}",
  "master_node_url": "${MASTER_URL}",
  "enrollment_token": "${ENROLL_TOKEN}",
  "node_name": "$(hostname)",
  "country_code": "US",
  "max_connections": 1000
}
EOF
else
    # Full stack mode
    cat > "$CONFIG_DIR/server.json" <<EOF
{
  "listen": "0.0.0.0:${OSTP_PORT}",
  "psk": "${PSK}",
  "master_node_url": "http://127.0.0.1:${ONCP_PORT}",
  "country_code": "US",
  "max_connections": 1000
}
EOF
fi
chmod 600 "$CONFIG_DIR/server.json"
echo -e "${GREEN}✓${NC} Configuration saved to $CONFIG_DIR/server.json"

# Create systemd service for oncp-master (only in full stack mode)
if [ "$DEPLOY_MODE" = "2" ]; then
cat > /etc/systemd/system/oncp-master.service <<EOF
[Unit]
Description=ONCP Master Node - Control Plane API
After=network.target

[Service]
Type=simple
User=root
WorkingDirectory=${DATA_DIR}
Environment="ONCP_DATABASE=${DATA_DIR}/oncp.db"
Environment="ONCP_NETWORK_OCTET=${NETWORK_OCTET}"
ExecStart=${INSTALL_DIR}/oncp-master serve --listen 0.0.0.0:${ONCP_PORT} --network-octet ${NETWORK_OCTET}
Restart=on-failure
RestartSec=5s
StandardOutput=append:/var/log/ostp/oncp-master.log
StandardError=append:/var/log/ostp/oncp-master.log

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=${DATA_DIR} /var/log/ostp

[Install]
WantedBy=multi-user.target
EOF
fi

# Create systemd service for ostp-server
cat > /etc/systemd/system/ostp-server.service <<EOF
[Unit]
Description=OSTP VPN Server
After=network.target
# Requires oncp-master.service only in full stack mode

[Service]
Type=simple
User=root
WorkingDirectory=${CONFIG_DIR}
ExecStart=${INSTALL_DIR}/ostp-server -c ${CONFIG_DIR}/server.json
Restart=on-failure
RestartSec=5s
StandardOutput=append:/var/log/ostp/ostp-server.log
StandardError=append:/var/log/ostp/ostp-server.log

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log/ostp

# Resource limits
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

echo -e "${GREEN}✓${NC} Systemd services created"

# Reload systemd
systemctl daemon-reload

# Configure firewall (if ufw is available)
if command -v ufw &> /dev/null; then
    echo -e "${YELLOW}→${NC} Configuring firewall..."
    ufw allow ${OSTP_PORT}/tcp comment "OSTP VPN Server"
    echo -e "${GREEN}✓${NC} Firewall rule added for port ${OSTP_PORT}"
    echo -e "${YELLOW}⚠${NC} Note: Port ${ONCP_PORT} (oncp-master) not exposed. Restrict to internal network in production!"
fi

# Enable and start services
echo
echo -e "${YELLOW}→${NC} Starting services..."

if [ "$DEPLOY_MODE" = "2" ]; then
    # Full stack mode
    systemctl enable oncp-master ostp-server
    systemctl start oncp-master
    
    # Wait for oncp-master to start
    sleep 2
    
    # Generate enrollment token
    echo -e "${YELLOW}→${NC} Generating enrollment token..."
    TOKEN=$(${INSTALL_DIR}/oncp-master node token --expiry 60 2>/dev/null | grep -A1 "Token:" | tail -1 | xargs)
    echo -e "${GREEN}✓${NC} Enrollment token (60 min): ${YELLOW}${TOKEN}${NC}"
    
    # Start ostp-server
    systemctl start ostp-server
else
    # Standalone mode - just enable and start ostp-server
    systemctl enable ostp-server
    systemctl start ostp-server
    TOKEN="N/A (using enrollment token from config)"
fi

echo
echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║   Deployment Complete! ✓               ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
echo
echo -e "${YELLOW}Services Status:${NC}"
if [ "$DEPLOY_MODE" = "2" ]; then
    systemctl status oncp-master --no-pager -l || true
fi
systemctl status ostp-server --no-pager -l || true
echo
echo -e "${YELLOW}Important Information:${NC}"
if [ "$DEPLOY_MODE" = "2" ]; then
    echo -e "  • Mode: ${GREEN}Full Stack (Master + Server)${NC}"
    echo -e "  • Network: ${GREEN}10.${NETWORK_OCTET}.0.0/16${NC}"
    echo -e "  • Master IP: ${GREEN}10.${NETWORK_OCTET}.0.1${NC}"
    echo -e "  • PSK: ${YELLOW}${PSK}${NC}"
    echo -e "  • Enrollment Token: ${YELLOW}${TOKEN}${NC} (expires in 60 minutes)"
    echo -e "  • Database: ${DATA_DIR}/oncp.db"
else
    echo -e "  • Mode: ${GREEN}Standalone Server${NC}"
    echo -e "  • Master URL: ${GREEN}${MASTER_URL}${NC}"
    echo -e "  • Status: ${YELLOW}Waiting for approval${NC}"
fi
echo -e "  • Listen: ${GREEN}0.0.0.0:${OSTP_PORT}${NC}"
echo -e "  • Config: ${CONFIG_DIR}/server.json"
echo -e "  • Logs: /var/log/ostp/"
echo
if [ "$DEPLOY_MODE" = "2" ]; then
    echo -e "${YELLOW}Next Steps (Master Node):${NC}"
    echo -e "  1. Approve nodes: ${GREEN}oncp-master node pending${NC} → ${GREEN}oncp-master node approve <id>${NC}"
    echo -e "  2. Create users: ${GREEN}oncp-master user create --quota 100 --days 30${NC}"
    echo -e "  3. Monitor logs: ${GREEN}journalctl -u oncp-master -f${NC}"
else
    echo -e "${YELLOW}Next Steps (Standalone Server):${NC}"
    echo -e "  1. Ask admin to approve node on master"
    echo -e "  2. Check approval status: ${GREEN}journalctl -u ostp-server -f${NC}"
    echo -e "  3. After approval, server will auto-restart with assigned PSK and IP"
fi
echo -e "  4. Monitor server: ${GREEN}journalctl -u ostp-server -f${NC}"
echo
echo -e "${RED}⚠ Security Reminder:${NC}"
echo -e "  • Save PSK in password manager"
echo -e "  • Restrict port ${ONCP_PORT} to internal network"
echo -e "  • Set up SSL/TLS reverse proxy for production"
echo -e "  • Configure log rotation"
echo

exit 0