#!/usr/bin/env bash
# Full setup script for Digital Ocean droplet as Vigilar reverse proxy
# Run this on a fresh Ubuntu 24.04 LTS droplet.
#
# What it does:
# 1. Installs WireGuard, nginx, certbot
# 2. Configures WireGuard tunnel (interactive key exchange)
# 3. Deploys nginx reverse proxy config
# 4. Sets up TLS with Let's Encrypt
# 5. Configures firewall

set -euo pipefail

echo "============================================"
echo "  Vigilar — Droplet Reverse Proxy Setup"
echo "============================================"
echo ""

# Require root
if [[ $EUID -ne 0 ]]; then
    echo "Run as root: sudo bash setup_droplet.sh"
    exit 1
fi

# --- Step 1: Install packages ---
echo "[1/6] Installing packages..."
apt update
apt install -y wireguard nginx certbot python3-certbot-nginx ufw

# --- Step 2: WireGuard ---
echo ""
echo "[2/6] Setting up WireGuard..."

if [[ -f /etc/wireguard/wg0.conf ]]; then
    echo "  WireGuard already configured. Skipping."
else
    # Generate keys
    PRIV_KEY=$(wg genkey)
    PUB_KEY=$(echo "$PRIV_KEY" | wg pubkey)

    echo ""
    echo "  Droplet PUBLIC key (give this to your home server):"
    echo "  $PUB_KEY"
    echo ""
    read -p "  Enter home server's PUBLIC key: " HOME_PUB_KEY

    cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.99.0.1/32
ListenPort = 51820
PrivateKey = $PRIV_KEY

[Peer]
PublicKey = $HOME_PUB_KEY
AllowedIPs = 10.99.0.2/32
EOF

    chmod 600 /etc/wireguard/wg0.conf
    systemctl enable --now wg-quick@wg0
    echo "  WireGuard started. Tunnel IP: 10.99.0.1"
fi

# --- Step 3: Firewall ---
echo ""
echo "[3/6] Configuring firewall..."
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp      # SSH
ufw allow 80/tcp      # HTTP (certbot + redirect)
ufw allow 443/tcp     # HTTPS
ufw allow 51820/udp   # WireGuard
ufw --force enable
echo "  Firewall configured."

# --- Step 4: Nginx ---
echo ""
echo "[4/6] Configuring nginx..."

read -p "  Enter your domain (e.g., vigilar.yourdomain.com): " DOMAIN

# Create cache directory
mkdir -p /var/cache/nginx/vigilar_hls

# Deploy config
NGINX_CONF="/etc/nginx/sites-available/vigilar"
if [[ -f "$NGINX_CONF" ]]; then
    cp "$NGINX_CONF" "${NGINX_CONF}.bak.$(date +%s)"
fi

# Copy template and replace domain
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
if [[ -f "$SCRIPT_DIR/nginx/vigilar.conf" ]]; then
    sed "s/vigilar.yourdomain.com/$DOMAIN/g" "$SCRIPT_DIR/nginx/vigilar.conf" > "$NGINX_CONF"
else
    echo "  ERROR: nginx/vigilar.conf not found in $SCRIPT_DIR"
    echo "  Copy it manually to /etc/nginx/sites-available/vigilar"
    exit 1
fi

# Enable site
ln -sf "$NGINX_CONF" /etc/nginx/sites-enabled/vigilar
rm -f /etc/nginx/sites-enabled/default

# Test config (will fail on TLS certs — that's OK, certbot fixes it)
echo "  Testing nginx config (cert errors expected before certbot)..."
nginx -t 2>/dev/null || true

# --- Step 5: TLS with Let's Encrypt ---
echo ""
echo "[5/6] Setting up TLS..."
echo "  Running certbot for $DOMAIN"
echo "  Note: DNS must already point $DOMAIN to this droplet's IP."
echo ""

# Temporarily remove SSL directives so nginx starts
# Create a minimal config for certbot
cat > /etc/nginx/sites-available/vigilar-temp <<EOF
server {
    listen 80;
    server_name $DOMAIN;
    location / {
        proxy_pass http://10.99.0.2:49735;
    }
}
EOF
ln -sf /etc/nginx/sites-available/vigilar-temp /etc/nginx/sites-enabled/vigilar-temp
rm -f /etc/nginx/sites-enabled/vigilar
nginx -t && systemctl reload nginx

# Run certbot
certbot --nginx -d "$DOMAIN" --non-interactive --agree-tos --register-unsafely-without-email || {
    echo ""
    echo "  Certbot failed. Make sure DNS for $DOMAIN points to this server."
    echo "  You can retry manually: certbot --nginx -d $DOMAIN"
}

# Remove temp config, restore full config
rm -f /etc/nginx/sites-enabled/vigilar-temp /etc/nginx/sites-available/vigilar-temp
ln -sf "$NGINX_CONF" /etc/nginx/sites-enabled/vigilar

# Update the config with certbot's cert paths
sed -i "s|ssl_certificate .*|ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;|" "$NGINX_CONF"
sed -i "s|ssl_certificate_key .*|ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;|" "$NGINX_CONF"

nginx -t && systemctl reload nginx

# --- Step 6: Verify ---
echo ""
echo "[6/6] Verifying setup..."
echo ""

# Check WireGuard
if wg show wg0 &>/dev/null; then
    echo "  [OK] WireGuard interface wg0 is up"
else
    echo "  [!!] WireGuard not running"
fi

# Check nginx
if systemctl is-active --quiet nginx; then
    echo "  [OK] nginx is running"
else
    echo "  [!!] nginx is not running"
fi

# Check cert
if [[ -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]; then
    echo "  [OK] TLS certificate present"
else
    echo "  [!!] TLS certificate missing — run certbot manually"
fi

echo ""
echo "============================================"
echo "  Setup complete!"
echo ""
echo "  Droplet WireGuard IP: 10.99.0.1"
echo "  Home server should be: 10.99.0.2"
echo "  Web URL: https://$DOMAIN"
echo ""
echo "  Next steps:"
echo "  1. Configure WireGuard on your home server"
echo "  2. Test: ping 10.99.0.2 (from this droplet)"
echo "  3. Start Vigilar on home server"
echo "  4. Access https://$DOMAIN"
echo "============================================"