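#!/usr/bin/env bash
# db-admin installer, part 1: installs OS packages, asks for the database and
# web-auth credentials, copies the application into $INSTALL_DIR, builds its
# virtualenv and writes app/config.json.
# Run as root from the unpacked release directory: app/, VERSION,
# requirements.txt and bin/backup_now.sh are copied by relative path.
set -euo pipefail

[[ $EUID -eq 0 ]] || { echo "Run as root" >&2; exit 1; }

echo "=== db-admin installer v2.5.1 (one-click deps) ==="

# Require roughly 1 GB free on / before installing packages and the venv.
FREE_KB=$(df --output=avail / | tail -1)
(( FREE_KB >= 1000000 )) || { echo "Not enough disk space" >&2; exit 1; }

echo "[+] Installing OS dependencies"
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get install -y \
  python3-venv python3-pip jq \
  mariadb-server mariadb-client \
  ca-certificates openssl curl

# Ensure DB service is up (non-fatal if inside minimal container without systemd)
systemctl enable --now mariadb >/dev/null 2>&1 || true

command -v mysql >/dev/null || { echo "ERROR: mysql client not found after install" >&2; exit 1; }

# --- Interactive settings ---
# Defaults are sensible for Proxmox/LXC deployments behind a webfront (mintme):
#   - DB on localhost
#   - gunicorn bound to LAN (0.0.0.0:8080)
#   - no nginx/apache in the container
#
# You only need to enter: DB password, web auth user/pass, and FQDN.
#
# NOTE(review): with the 0.0.0.0:8080 bind and no web server in the container,
# the hop from the webfront to this container is plain HTTP, so the web-auth
# credentials cross the LAN unencrypted. Restrict port 8080 to the webfront's
# address with a firewall rule, or terminate TLS on this hop.
DB_NAME="db_admin"
DB_HOST="127.0.0.1"
DB_USER="db-user"

#######################################
# Prompt until a non-empty value is entered.
# Arguments:
#   $1 - prompt text
#   $2 - default used when the answer is empty ("" for none)
#   $3 - optional; "secret" disables terminal echo and returns the value
#        verbatim (no trimming), for passwords
# Outputs: the value on stdout; prompts and errors on stderr
# Returns: 0 on success, 1 when stdin hits EOF with no value and no default
#######################################
ask_required() {
  local prompt=$1
  local def=${2:-}
  local mode=${3:-}
  local label=$prompt
  local var trimmed
  local -a read_opts=(-r)

  if [[ -n "$def" ]]; then
    label="$prompt [$def]"
  fi
  if [[ "$mode" == "secret" ]]; then
    read_opts+=(-s)   # keep passwords off the screen and out of scrollback
  fi

  while true; do
    var=""
    if ! read "${read_opts[@]}" -p "$label: " var; then
      # EOF on stdin: without this check the loop would spin forever when the
      # installer is run with no terminal and no default is available.
      if [[ -z "$var" && -z "$def" ]]; then
        echo "ERROR: no input available for: $prompt" >&2
        return 1
      fi
    fi
    if [[ "$mode" == "secret" ]]; then
      echo >&2   # read -s swallows the newline the user typed
    fi

    # Trim with parameter expansion. Piping through xargs (the previous
    # approach) also interprets quotes and backslashes and collapses inner
    # whitespace, which silently alters passwords.
    trimmed="${var#"${var%%[![:space:]]*}"}"
    trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"

    if [[ -z "$trimmed" ]]; then
      var=$def
      trimmed=$def
    elif [[ "$mode" != "secret" ]]; then
      var=$trimmed
    fi

    if [[ -n "$trimmed" ]]; then
      printf '%s\n' "$var"
      return 0
    fi
    echo " -> Required. Please enter a value." >&2
  done
}

#######################################
# Prompt once; an empty answer yields the default.
# Arguments: $1 - prompt text, $2 - default value
# Outputs:   the chosen value on stdout
#######################################
ask_optional() {
  local prompt=$1
  local def=${2:-}
  local var=""
  read -rp "$prompt [$def]: " var || true
  printf '%s\n' "${var:-$def}"
}

DB_PASS="$(ask_required "Database password (will be created for user $DB_USER)" "" secret)"
AUTH_USER="$(ask_required "Web auth username" "db-user")"
AUTH_PASS="$(ask_required "Web auth password" "" secret)"
FQDN="$(ask_required "FQDN (e.g. data.outsidethebox.top)" "")"

# The FQDN is later interpolated into file names and web-server configuration,
# so accept hostname characters only (no slashes, spaces or quotes).
fqdn_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$FQDN" =~ $fqdn_re ]]; then
  echo "ERROR: FQDN may contain only letters, digits, dots and hyphens" >&2
  exit 1
fi

WEBSRV="none"
BIND_ADDR="0.0.0.0:8080"
INSTALL_DIR="/opt/outsidethedb"

# Passwords are deliberately left out of the summary.
echo
echo "--- Summary ---"
echo " DB name: $DB_NAME"
echo " DB host: $DB_HOST"
echo " DB user: $DB_USER"
echo " FQDN: $FQDN"
echo " Webserver: $WEBSRV"
echo " Bind: $BIND_ADDR"
echo " Install dir: $INSTALL_DIR"
echo "--------------"
echo "Proceeding..."

mkdir -p "$INSTALL_DIR"
cp -r app "$INSTALL_DIR/"
cp VERSION "$INSTALL_DIR/"
cp requirements.txt "$INSTALL_DIR/"
mkdir -p "$INSTALL_DIR/bin" "$INSTALL_DIR/log"
cp bin/backup_now.sh "$INSTALL_DIR/bin/"
# NOTE(review): this makes www-data the owner of the code it presumably runs
# (app/ and bin/backup_now.sh), so a compromised service could rewrite them.
# Root-owned code with only log/ writable by www-data would be tighter --
# TODO confirm which paths the application writes at runtime.
chown -R www-data:www-data "$INSTALL_DIR"

echo "[+] Setting up Python venv"
python3 -m venv "$INSTALL_DIR/venv"
"$INSTALL_DIR/venv/bin/pip" install --upgrade pip
"$INSTALL_DIR/venv/bin/pip" install -r "$INSTALL_DIR/requirements.txt"

echo "[+] Writing app config"
CONFIG_JSON="$INSTALL_DIR/app/config.json"
CONFIG_TMP="$CONFIG_JSON.tmp"
# config.json holds the DB and web-auth passwords in clear text. Create the
# temporary file under a restrictive umask so it is never world-readable, and
# hand the two passwords to jq through its environment rather than --arg:
# command-line arguments are visible to every local user in the process list.
rm -f -- "$CONFIG_TMP"
(
  umask 077
  DBADMIN_DB_PASS="$DB_PASS" DBADMIN_AUTH_PASS="$AUTH_PASS" \
    jq --arg host "$DB_HOST" --arg name "$DB_NAME" --arg user "$DB_USER" \
       --arg fqdn "$FQDN" --arg authu "$AUTH_USER" \
       '.db.host=$host | .db.name=$name | .db.user=$user
        | .db.password=env.DBADMIN_DB_PASS
        | .site.fqdn=$fqdn | .site.auth_user=$authu
        | .site.auth_pass=env.DBADMIN_AUTH_PASS' \
       "$CONFIG_JSON" > "$CONFIG_TMP"
)
chown www-data:www-data "$CONFIG_TMP"
chmod 640 "$CONFIG_TMP"
mv -- "$CONFIG_TMP" "$CONFIG_JSON"

echo "[*] DB schema ..."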
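# --- Database: schema, application account and grants ----------------------
SQL_ADMIN="root"
SQL_ADMIN_PASS=""

TMP=$(mktemp)
# Remove the rendered schema even if one of the following steps fails.
trap 'rm -f -- "$TMP"' EXIT
sed "s/DATABASE_NAME/$DB_NAME/g" template.sql > "$TMP"

if [[ -n "$SQL_ADMIN_PASS" ]]; then
  # NOTE(review): -p<password> exposes the admin password in the process list.
  # The branch is unused while SQL_ADMIN_PASS is empty; if a password is ever
  # set here, supply it through a root-only option file instead.
  MYSQL_AUTH=(-u"$SQL_ADMIN" -p"$SQL_ADMIN_PASS")
else
  MYSQL_AUTH=(-u"$SQL_ADMIN")
fi

# Escape the operator-supplied password for use inside a single-quoted SQL
# string: backslashes first, then single quotes. Without this, a quote in the
# password breaks the statement or lets it carry extra SQL.
# Assumes the server's default sql_mode (backslash escapes enabled) -- TODO
# confirm if NO_BACKSLASH_ESCAPES is configured.
sql_pass=${DB_PASS//\\/\\\\}
sql_pass=${sql_pass//\'/\'\'}

# Send the statements on stdin rather than with -e, so the application
# password never appears in mysql's command line.
# NOTE(review): '$DB_USER'@'%' accepts logins from any host although the app
# connects to 127.0.0.1; a host-restricted account would follow least
# privilege -- confirm how the server resolves loopback clients before
# narrowing it. CREATE USER IF NOT EXISTS also leaves the password of an
# already-existing account unchanged, so a re-run with a new password writes a
# config.json that no longer matches the database.
mysql "${MYSQL_AUTH[@]}" <<SQL
CREATE DATABASE IF NOT EXISTS \`$DB_NAME\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS '$DB_USER'@'%' IDENTIFIED BY '$sql_pass';
GRANT ALL ON \`$DB_NAME\`.* TO '$DB_USER'@'%';
FLUSH PRIVILEGES;
SQL
unset sql_pass

mysql "${MYSQL_AUTH[@]}" "$DB_NAME" < "$TMP"
rm -f -- "$TMP"
trap - EXIT

# --- systemd units ------------------------------------------------------------
echo "[+] Installing systemd units"
cp db-admin.service /etc/systemd/system/db-admin.service
cp db-admin-sslcheck.service /etc/systemd/system/db-admin-sslcheck.service
cp db-admin-sslcheck.timer /etc/systemd/system/db-admin-sslcheck.timer

# Apply bind address to systemd unit
sed -i "s/-b 127\\.0\\.0\\.1:8080/-b ${BIND_ADDR}/" /etc/systemd/system/db-admin.service

systemctl daemon-reload
systemctl enable --now db-admin.service
systemctl enable --now db-admin-sslcheck.timer
systemctl restart db-admin.service

# --- Optional front-end web server ---------------------------------------------
# NOTE(review): WEBSRV is fixed to "none" earlier in the installer, so only the
# default arm below is reachable. The nginx and apache branches are damaged in
# this copy of the script: the nginx site heredoc, the opening of the second
# branch (its selector, package install and htpasswd setup) and the wrapper
# lines around the apache directives are missing, so they cannot be reproduced
# as runnable code. Surviving fragments, for whoever restores them:
#   nginx:  apt-get install -y nginx apache2-utils
#           htpasswd_file="/etc/nginx/.db-admin-htpasswd"
#           htpasswd -b -c "$htpasswd_file" "$AUTH_USER" "$AUTH_PASS"
#           cat > "/etc/nginx/sites-available/${FQDN}.conf"   (body lost)
#   apache: cat > "/etc/apache2/sites-available/${FQDN}.conf" with
#           ServerName $FQDN, ErrorLog/CustomLog under \${APACHE_LOG_DIR},
#           AuthType Basic, AuthName "Restricted", AuthUserFile $htpasswd_file,
#           Require valid-user, ProxyPreserveHost On,
#           ProxyPass / ProxyPassReverse to http://127.0.0.1:8080/
#           a2ensite "${FQDN}.conf"
#           apache2ctl configtest && systemctl reload apache2
#           echo "Done. Visit: http://$FQDN"
# Points to settle when restoring them:
#   - `htpasswd -b` takes the password as an argument, visible in the process
#     list; `htpasswd -i` reads it from stdin.
#   - Both branches proxy to 127.0.0.1:8080 while the unit above is rewritten
#     to listen on $BIND_ADDR (0.0.0.0:8080); Basic auth on the proxy does not
#     cover direct connections to port 8080, so bind to loopback or firewall
#     the port when a local proxy is used.
#   - The surviving text serves the site over http:// only.
# The selector of the second branch is not visible; "apache" is assumed.
case "$WEBSRV" in
  nginx | apache)
    echo "ERROR: the $WEBSRV setup section is incomplete in this copy of the installer; restore it from the original release" >&2
    exit 1
    ;;
  *)
    echo "Done. No webserver installed in this container (recommended behind your webfront)."
    # "<container-ip>" is a restored placeholder; the original text between
    # "http://" and ":8080" was lost on this page.
    echo "Proxy your webfront to: http://<container-ip>:8080"
    echo "Example: proxy_pass http://192.168.0.24:8080;"
    ;;
esac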