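#!/bin/bash
#
# Emergency Access Server installation script.
#
# Creates a dedicated system account, installs the application under
# /opt/emergency-access, builds a Python virtual environment, configures
# logging and log rotation, installs the systemd unit and creates placeholder
# key/dummy files.
#
# Usage: run as root (or with sudo) from the directory that contains
# main.py, config.py, requirements.txt, config.json and
# emergency-access.service. Source files are resolved relative to the
# current working directory.

set -euo pipefail

# ANSI colour sequences for terminal output (expanded by printf %b).
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

# Installation layout.
readonly SERVICE_USER="emergency-access"
readonly SERVICE_GROUP="emergency-access"
readonly INSTALL_DIR="/opt/emergency-access"
readonly CONFIG_DIR="/etc/emergency-access"
readonly LOG_FILE="/var/log/emergency-access.log"
readonly SERVICE_FILE="/etc/systemd/system/emergency-access.service"

# Print an informational message ($1) to stdout.
print_status() {
  printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$1"
}

# Print a warning message ($1) to stdout.
print_warning() {
  printf '%b[WARNING]%b %s\n' "$YELLOW" "$NC" "$1"
}

# Print an error message ($1) to stderr so it is not lost when stdout is
# redirected.
print_error() {
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$1" >&2
}

# Abort unless the script runs with effective UID 0.
check_root() {
  if ((EUID != 0)); then
    print_error "This script must be run as root"
    exit 1
  fi
}

# Verify that every file the installer copies exists in the current directory
# before any system change is made. Without this check a missing file is only
# noticed after the account, directories and virtualenv were already created,
# leaving a half-installed service behind.
check_source_files() {
  local -a required=(main.py config.py requirements.txt emergency-access.service)
  local file
  local missing=0

  # config.json is only copied when no configuration is installed yet.
  [[ -f "$CONFIG_DIR/config.json" ]] || required+=(config.json)

  for file in "${required[@]}"; do
    if [[ ! -f "$file" ]]; then
      print_error "Required file not found in $PWD: $file"
      missing=1
    fi
  done

  if ((missing)); then
    print_error "Run this script from the directory that contains the application files"
    exit 1
  fi
}

# Install Python 3 and pip with whichever supported package manager is found
# first (apt-get, yum, dnf, pacman). Exits with status 1 if none is available.
install_dependencies() {
  print_status "Installing system dependencies..."

  # Detect package manager
  if command -v apt-get > /dev/null 2>&1; then
    apt-get update
    apt-get install -y python3 python3-pip python3-venv
  elif command -v yum > /dev/null 2>&1; then
    # python3-venv not available in CentOS/RHEL, use built-in venv
    yum install -y python3 python3-pip
  elif command -v dnf > /dev/null 2>&1; then
    # python3-venv not needed in newer Fedora, venv is built-in
    dnf install -y python3 python3-pip
  elif command -v pacman > /dev/null 2>&1; then
    # venv is built into Python 3.3+
    pacman -S --noconfirm python python-pip
  else
    print_error "Unsupported package manager. Please install Python 3 and pip manually."
    exit 1
  fi
}

# Create the system group and the service account if they do not exist yet.
# The account gets /bin/false as its shell, so it cannot be used for
# interactive logins.
create_user() {
  print_status "Creating service user and group..."

  if ! getent group "$SERVICE_GROUP" > /dev/null 2>&1; then
    groupadd --system "$SERVICE_GROUP"
    print_status "Created group: $SERVICE_GROUP"
  else
    print_warning "Group $SERVICE_GROUP already exists"
  fi

  if ! getent passwd "$SERVICE_USER" > /dev/null 2>&1; then
    useradd --system --gid "$SERVICE_GROUP" --home-dir "$INSTALL_DIR" \
      --shell /bin/false --comment "Emergency Access Service" "$SERVICE_USER"
    print_status "Created user: $SERVICE_USER"
  else
    print_warning "User $SERVICE_USER already exists"
  fi
}

# Create the installation and configuration directories and hand them to the
# service account.
setup_directories() {
  print_status "Setting up directories..."

  mkdir -p "$INSTALL_DIR" "$CONFIG_DIR"

  chown "$SERVICE_USER:$SERVICE_GROUP" "$INSTALL_DIR"
  chown "$SERVICE_USER:$SERVICE_GROUP" "$CONFIG_DIR"

  chmod 755 "$INSTALL_DIR"
  # The config directory holds the key part: no access for "other".
  chmod 750 "$CONFIG_DIR"

  print_status "Created directories with proper permissions"
}

# Copy the application files into INSTALL_DIR and, when no configuration is
# present yet, the example config.json into CONFIG_DIR.
install_application() {
  print_status "Installing application files..."

  cp -- main.py config.py requirements.txt "$INSTALL_DIR/"

  # Copy example config if config doesn't exist
  if [[ ! -f "$CONFIG_DIR/config.json" ]]; then
    # install(1) sets owner and mode as part of the copy, so the file never
    # sits there with umask-derived permissions.
    install -m 640 -o "$SERVICE_USER" -g "$SERVICE_GROUP" \
      config.json "$CONFIG_DIR/config.json"
    print_status "Copied example configuration to $CONFIG_DIR/config.json"
    print_warning "Please edit $CONFIG_DIR/config.json with your backend names"
  else
    print_warning "Configuration file already exists, skipping copy"
  fi

  # NOTE(review): the service account owns its own code and virtualenv, so a
  # compromised service process could modify what runs on the next start.
  # Root-owned code plus a separate writable state directory would be the
  # least-privilege layout; that requires creating the venv differently.
  chown -R "$SERVICE_USER:$SERVICE_GROUP" "$INSTALL_DIR"
  chown "$SERVICE_USER:$SERVICE_GROUP" "$CONFIG_DIR/config.json"
  chmod 644 "$INSTALL_DIR"/*.py
  chmod 644 "$INSTALL_DIR/requirements.txt"
  chmod 640 "$CONFIG_DIR/config.json" # Restrictive permissions for config
}

# Build the virtualenv and install the Python requirements as the service
# account rather than as root, so package build scripts do not run with root
# privileges.
setup_python_environment() {
  print_status "Setting up Python virtual environment..."

  # sudo is not among the packages installed above; fail with a clear message
  # instead of a bare "command not found".
  if ! command -v sudo > /dev/null 2>&1; then
    print_error "sudo is required to run commands as $SERVICE_USER"
    exit 1
  fi

  # -H points HOME at the service account's home directory, so pip does not
  # try to use the invoking user's cache directory.
  sudo -H -u "$SERVICE_USER" python3 -m venv "$INSTALL_DIR/venv"

  # NOTE(review): packages are fetched unpinned from the configured index.
  # If requirements.txt carries hashes, pip's --require-hashes would enforce
  # them - confirm against the requirements file.
  sudo -H -u "$SERVICE_USER" "$INSTALL_DIR/venv/bin/pip" install --upgrade pip
  sudo -H -u "$SERVICE_USER" "$INSTALL_DIR/venv/bin/pip" install -r "$INSTALL_DIR/requirements.txt"

  print_status "Python environment setup complete"
}

# Create the log file and a logrotate policy (daily, 30 rotations, compressed).
setup_logging() {
  print_status "Setting up logging..."

  touch "$LOG_FILE"
  chown "$SERVICE_USER:$SERVICE_GROUP" "$LOG_FILE"
  # The log records activity of a service that hands out key material, so it
  # is readable by owner and group only; the documented way to view it uses
  # sudo.
  chmod 640 "$LOG_FILE"

  # Unquoted delimiter: $LOG_FILE, $SERVICE_USER and $SERVICE_GROUP are
  # expanded while the file is written. The "create" mode matches the chmod
  # above so rotated logs keep the same permissions.
  cat > /etc/logrotate.d/emergency-access << EOF
$LOG_FILE {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 640 $SERVICE_USER $SERVICE_GROUP
    postrotate
        systemctl reload emergency-access.service > /dev/null 2>&1 || true
    endscript
}
EOF

  print_status "Logging configuration complete"
}

# Install the systemd unit file and make systemd pick it up.
install_systemd_service() {
  print_status "Installing systemd service..."

  cp -- emergency-access.service "$SERVICE_FILE"
  systemctl daemon-reload

  print_status "Systemd service installed"
}

# Create a placeholder key part and a dummy file in CONFIG_DIR unless they
# already exist. Existing files are never overwritten.
create_example_files() {
  local key_file="$CONFIG_DIR/key-part.txt"
  local dummy_file="$CONFIG_DIR/dummy.txt"
  local random_hex

  print_status "Creating example key and dummy files..."

  if [[ ! -f "$key_file" ]]; then
    if ! command -v openssl > /dev/null 2>&1; then
      print_error "openssl is required to generate the example key part"
      exit 1
    fi
    # Assign separately so a failing openssl stops the script (set -e) instead
    # of silently producing a key part without its random suffix.
    random_hex=$(openssl rand -hex 16)
    # Create the file with a restrictive umask so it is never readable by
    # group/other, not even before the chmod below.
    (
      umask 077
      printf 'EXAMPLE_KEY_PART_%s\n' "$random_hex" > "$key_file"
    )
    chown "$SERVICE_USER:$SERVICE_GROUP" "$key_file"
    chmod 600 "$key_file"
    print_status "Created example key file: $key_file"
    print_warning "Replace this with your actual key part!"
  fi

  if [[ ! -f "$dummy_file" ]]; then
    printf 'system_healthy_%s\n' "$(date +%s)" > "$dummy_file"
    chown "$SERVICE_USER:$SERVICE_GROUP" "$dummy_file"
    chmod 644 "$dummy_file"
    print_status "Created dummy file: $dummy_file"
  fi
}

# Tell the operator what still has to be configured and how to manage the
# service.
print_final_instructions() {
  print_status "Installation complete!"
  echo
  print_warning "IMPORTANT: Before starting the service:"
  echo "1. Edit $CONFIG_DIR/config.json with your backend names from global ntfy config"
  echo "2. Replace $CONFIG_DIR/key-part.txt with your actual key part"
  echo "3. Ensure your global ntfy configuration (~/.ntfy.yml) has the required backends"
  echo "4. Test the configuration"
  echo
  print_status "Service management commands:"
  echo " Start service: sudo systemctl start emergency-access"
  echo " Enable at boot: sudo systemctl enable emergency-access"
  echo " Check status: sudo systemctl status emergency-access"
  echo " View logs: sudo journalctl -u emergency-access -f"
  echo " View log file: sudo tail -f $LOG_FILE"
  echo
  print_status "Configuration files:"
  echo " Service config: $CONFIG_DIR/config.json"
  echo " Key file: $CONFIG_DIR/key-part.txt"
  echo " Dummy file: $CONFIG_DIR/dummy.txt"
  echo " Log file: $LOG_FILE"
  echo
  print_warning "Security note: This server provides access to sensitive key material."
  print_warning "Ensure proper network security and monitoring are in place."
}

# Run all installation steps in order; any failing step aborts the script
# (set -e).
main() {
  print_status "Starting Emergency Access Server installation..."

  check_root
  # Validate inputs first so a missing file cannot leave a partial install.
  check_source_files
  install_dependencies
  create_user
  setup_directories
  install_application
  setup_python_environment
  setup_logging
  install_systemd_service
  create_example_files
  print_final_instructions

  print_status "Installation completed successfully!"
}

# Run main function
main "$@"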