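#!/usr/bin/env bash
set -euo pipefail

# Vigilar Home Security — Installation Script
# Supports Debian/Ubuntu (apt) and Arch Linux (pacman).
#
# Every privileged step is run through sudo, so the script itself can be
# started from an account that has sudo rights. Re-running it is intended to
# be safe: existing user, venv, storage key and config are detected and kept.

VIGILAR_USER="vigilar"
VIGILAR_GROUP="vigilar"
INSTALL_DIR="/opt/vigilar"
VENV_DIR="${INSTALL_DIR}/venv"
CONFIG_DIR="/etc/vigilar"
DATA_DIR="/var/vigilar"
SYSTEMD_DIR="/etc/systemd/system"
MOSQUITTO_CONF_DIR="/etc/mosquitto/conf.d"

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

# Coloured status lines; fail() writes to stderr and aborts the script.
info() { printf '\033[1;34m[INFO]\033[0m %s\n' "$*"; }
warn() { printf '\033[1;33m[WARN]\033[0m %s\n' "$*"; }
ok()   { printf '\033[1;32m[ OK ]\033[0m %s\n' "$*"; }
fail() { printf '\033[1;31m[FAIL]\033[0m %s\n' "$*" >&2; exit 1; }

# Abort unless the command named in $1 is on PATH.
need_cmd() {
  command -v "$1" &>/dev/null || fail "Required command not found: $1"
}

# Print "apt" or "pacman" on stdout; abort on any other system.
detect_pkg_manager() {
  if command -v apt-get &>/dev/null; then
    echo "apt"
  elif command -v pacman &>/dev/null; then
    echo "pacman"
  else
    fail "Unsupported package manager. This script supports apt (Debian/Ubuntu) and pacman (Arch)."
  fi
}

# ---------------------------------------------------------------------------
# 1. System dependencies
# ---------------------------------------------------------------------------

# Install the distribution packages Vigilar needs.
install_system_deps() {
  local pkg_mgr
  # Declared separately so a failure inside detect_pkg_manager is not masked
  # by 'local' and still stops the script under set -e.
  pkg_mgr="$(detect_pkg_manager)"
  info "Detected package manager: ${pkg_mgr}"

  case "$pkg_mgr" in
    apt)
      sudo apt-get update -qq
      sudo apt-get install -y -qq \
        ffmpeg mosquitto python3 python3-venv python3-pip nut-client
      ;;
    pacman)
      # No -y: refreshing the package database without a full upgrade (-Sy)
      # puts Arch into an unsupported partial-upgrade state. If the local
      # database is stale, the operator upgrades first and re-runs.
      sudo pacman -S --needed --noconfirm \
        ffmpeg mosquitto python python-virtualenv nut \
        || fail "pacman could not install the dependencies. Update the system first (sudo pacman -Syu) and re-run this script."
      ;;
  esac
  ok "System dependencies installed"
}

# ---------------------------------------------------------------------------
# 2. System user & group
# ---------------------------------------------------------------------------

# Create the unprivileged service account (no login shell) if it is missing.
create_user() {
  if id "$VIGILAR_USER" &>/dev/null; then
    ok "User '${VIGILAR_USER}' already exists"
    return
  fi
  info "Creating system user '${VIGILAR_USER}'"
  sudo useradd --system --home-dir "$INSTALL_DIR" --shell /usr/sbin/nologin \
    --create-home "$VIGILAR_USER"
  ok "User '${VIGILAR_USER}' created"
}

# ---------------------------------------------------------------------------
# 3. Directories & permissions
# ---------------------------------------------------------------------------

# Create the data, config, secrets, certs and install directories and set
# their ownership and modes.
create_directories() {
  info "Creating directories"

  # Data directories — owned by vigilar
  # NOTE(review): chmod -R 0750 also sets the execute bit on every existing
  # file under DATA_DIR; u=rwX,g=rX,o= would keep the directories traversable
  # without doing that.
  sudo mkdir -p "${DATA_DIR}/data" "${DATA_DIR}/recordings" "${DATA_DIR}/hls"
  sudo chown -R "${VIGILAR_USER}:${VIGILAR_GROUP}" "$DATA_DIR"
  sudo chmod -R 0750 "$DATA_DIR"

  # Config directories
  sudo mkdir -p "${CONFIG_DIR}/secrets" "${CONFIG_DIR}/certs"
  sudo chown root:root "${CONFIG_DIR}"
  sudo chmod 0755 "${CONFIG_DIR}"

  # Secrets — root-owned, restricted
  sudo chown root:root "${CONFIG_DIR}/secrets"
  sudo chmod 0700 "${CONFIG_DIR}/secrets"

  # Certs — readable by vigilar
  sudo chown root:"${VIGILAR_GROUP}" "${CONFIG_DIR}/certs"
  sudo chmod 0750 "${CONFIG_DIR}/certs"

  # Install dir
  sudo mkdir -p "$INSTALL_DIR"
  sudo chown "${VIGILAR_USER}:${VIGILAR_GROUP}" "$INSTALL_DIR"

  ok "Directories created"
}

# ---------------------------------------------------------------------------
# 4. Python venv & package
# ---------------------------------------------------------------------------

# Create (or reuse) the venv as the service user and install the project
# from PROJECT_DIR into it.
install_venv() {
  # Checked as root: INSTALL_DIR is the service account's home and its mode
  # is whatever useradd chose, so the invoking user may not be able to see
  # inside it.
  if sudo test -d "$VENV_DIR"; then
    info "Venv already exists at ${VENV_DIR}, upgrading"
  else
    info "Creating Python venv at ${VENV_DIR}"
    sudo -u "$VIGILAR_USER" python3 -m venv "$VENV_DIR"
  fi

  # NOTE(review): the venv is owned by the service account, so the running
  # service can rewrite its own code, and pip resolves unpinned versions at
  # install time. A root-owned venv and a hashed constraints file
  # (pip --require-hashes) would close both gaps.
  info "Installing vigilar package into venv"
  sudo -u "$VIGILAR_USER" "${VENV_DIR}/bin/pip" install --upgrade pip setuptools wheel -q
  sudo -u "$VIGILAR_USER" "${VENV_DIR}/bin/pip" install "${PROJECT_DIR}" -q
  ok "Vigilar installed into ${VENV_DIR}"
}

# ---------------------------------------------------------------------------
# 5. Storage encryption key
# ---------------------------------------------------------------------------

# Write a 32-byte random key to the secrets directory unless one exists.
generate_storage_key() {
  local key_file="${CONFIG_DIR}/secrets/storage.key"

  # The secrets directory is root-only (0700). A plain [[ -f ]] run by the
  # invoking user cannot see into it, reports "missing", and a re-run would
  # then replace the key that existing data was encrypted with. Test as root.
  if sudo test -f "$key_file"; then
    ok "Storage encryption key already exists"
    return
  fi

  info "Generating storage encryption key"
  # umask 077 makes the file 0600 from its first byte; conv=excl makes dd
  # refuse to write over an existing file, so a key can never be clobbered
  # even if the check above was wrong. The path is passed as "$1" rather than
  # spliced into the sh -c string.
  sudo sh -c 'umask 077 && dd if=/dev/urandom of="$1" bs=32 count=1 conv=excl status=none' \
    sh "$key_file"
  sudo chmod 0600 "$key_file"
  sudo chown root:root "$key_file"
  # NOTE(review): only root can read this key; how the service obtains it
  # depends on the unit file, which is not part of this script — confirm.
  ok "Storage key written to ${key_file}"
}

# ---------------------------------------------------------------------------
# 6. Sample config
# ---------------------------------------------------------------------------

# Install the sample config unless a config is already present.
install_config() {
  local dest="${CONFIG_DIR}/vigilar.toml"
  if [[ -f "$dest" ]]; then
    ok "Config already exists at ${dest}"
    return
  fi
  info "Copying sample config"
  # 0640 root:vigilar, not world-readable: the operator is told below to put
  # camera RTSP URLs and passwords into this file. install sets owner and
  # mode in the same step as the copy.
  sudo install -m 0640 -o root -g "${VIGILAR_GROUP}" \
    "${PROJECT_DIR}/config/vigilar.toml" "$dest"
  ok "Config installed to ${dest}"
}

# ---------------------------------------------------------------------------
# 7. Systemd units
# ---------------------------------------------------------------------------

# Install the service unit and enable it (it is not started here).
install_systemd() {
  info "Installing systemd service"
  sudo cp "${PROJECT_DIR}/systemd/vigilar.service" "${SYSTEMD_DIR}/vigilar.service"
  sudo chmod 0644 "${SYSTEMD_DIR}/vigilar.service"
  sudo systemctl daemon-reload
  sudo systemctl enable vigilar.service
  ok "vigilar.service enabled"
}

# ---------------------------------------------------------------------------
# 8. Mosquitto configuration
# ---------------------------------------------------------------------------

# Drop the project's mosquitto snippet into conf.d and restart the broker.
# Any existing vigilar.conf in that directory is replaced.
configure_mosquitto() {
  local conf="${MOSQUITTO_CONF_DIR}/vigilar.conf"
  info "Configuring mosquitto for localhost-only"
  sudo mkdir -p "$MOSQUITTO_CONF_DIR"
  sudo cp "${PROJECT_DIR}/systemd/vigilar-mosquitto.conf" "$conf"
  sudo chmod 0644 "$conf"
  sudo systemctl enable mosquitto.service
  sudo systemctl restart mosquitto.service
  ok "Mosquitto configured and restarted"
}

# ---------------------------------------------------------------------------
# Main
# ---------------------------------------------------------------------------

# Run every installation step in order, then print a summary.
main() {
  info "=== Vigilar Home Security — Installer ==="
  info "Project dir: ${PROJECT_DIR}"
  echo

  # Stop before changing anything if the tools every later step relies on
  # are missing.
  need_cmd sudo
  need_cmd systemctl

  install_system_deps
  create_user
  create_directories
  install_venv
  generate_storage_key
  install_config
  install_systemd
  configure_mosquitto

  echo
  ok "=== Installation complete ==="
  echo
  info "Summary:"
  info " Service user: ${VIGILAR_USER}"
  info " Venv: ${VENV_DIR}"
  info " Config: ${CONFIG_DIR}/vigilar.toml"
  info " Data: ${DATA_DIR}/"
  info " Secrets: ${CONFIG_DIR}/secrets/"
  info " Systemd unit: ${SYSTEMD_DIR}/vigilar.service"
  echo
  info "Next steps:"
  info " 1. Edit /etc/vigilar/vigilar.toml — set camera RTSP URLs, passwords, etc."
  info " 2. Run: sudo ${SCRIPT_DIR}/gen_cert.sh — generate TLS certs"
  info " 3. Run: sudo ${SCRIPT_DIR}/gen_vapid_keys.sh — generate VAPID keys for push"
  info " 4. Run: sudo ${SCRIPT_DIR}/setup_nut.sh — configure UPS monitoring"
  info " 5. Start: sudo systemctl start vigilar"
  info " 6. Open: https://vigilar.local:49735"
}

main "$@"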