#!/usr/bin/env bash
# /usr/local/bin/zroc-setup
# Interactive first-boot configuration wizard for the zROC appliance.
set -euo pipefail

# Appliance layout: the compose project, its env file and the TLS material all
# live under INSTALL_DIR. CERTS_DIR is not referenced anywhere in this script —
# presumably consumed by the compose/Caddy configuration; confirm before removing.
INSTALL_DIR='/opt/zroc'
ENV_FILE="${INSTALL_DIR}/.env"
CERTS_DIR="${INSTALL_DIR}/certs"

# ANSI SGR sequences, stored as literal backslash escapes: they only render when
# passed through 'echo -e' or printf '%b' (which the helpers below do); a plain
# 'echo' of these variables prints the escape text verbatim.
CYAN='\033[0;36m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
BOLD='\033[1m'
RESET='\033[0m'

# Print a blank line followed by a cyan, bold section title built from all args.
# '%b' interprets the escape sequences in CYAN/BOLD/RESET (and in the text).
header() {
  printf '\n%b\n' "${CYAN}${BOLD}$*${RESET}"
}
# Success line: green check mark followed by the message.
ok() {
  printf '%b\n' "${GREEN}✓ $*${RESET}"
}
# Warning line: yellow warning sign followed by the message (stdout, like the others).
warn() {
  printf '%b\n' "${YELLOW}⚠ $*${RESET}"
}
# Error line: red cross followed by the message. Note it writes to stdout, not
# stderr, matching the other helpers; it does not change the exit status.
err() {
  printf '%b\n' "${RED}✗ $*${RESET}"
}
# Wizard step heading: blank line, bold "Step <args>", then a 55-glyph rule.
# '%.0s' consumes each brace-expansion item without printing it, so the
# box-drawing glyph is emitted once per item.
step() {
  printf '\n%b\n' "${BOLD}Step $*${RESET}"
  printf '─%.0s' {1..55}
  printf '\n'
}

# Banner: clear the screen and print the logo in cyan. The quoted heredoc
# delimiter keeps the box-drawing art literal; colour is switched on before
# and reset after it.
clear
printf '%b\n' "$CYAN"
cat <<'BANNER'
  ███████╗██████╗  ██████╗  ██████╗
  ╚══███╔╝██╔══██╗██╔═══██╗██╔════╝
    ███╔╝ ██████╔╝██║   ██║██║
   ███╔╝  ██╔══██╗██║   ██║██║
  ███████╗██║  ██║╚██████╔╝╚██████╗
  ╚══════╝╚═╝  ╚═╝ ╚═════╝  ╚═════╝

  Setup Wizard — Zerto Resiliency Observation Console
BANNER
printf '%b\n' "$RESET"

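# Step 1: replace the factory 'zroc' OS password before anything else is set up.
# The password reaches chpasswd only through the pipe (never argv, so it is not
# visible in 'ps'); printf is used instead of echo so backslashes in the
# password are passed through unchanged. chpasswd needs root, and a rejection
# (not root, local password policy) is reported and the prompt repeats rather
# than aborting the whole wizard under 'set -e'.
step "1/7  Change Appliance Password"
echo "The default 'zroc' user password must be changed."
if (( EUID != 0 )); then
  err "zroc-setup must run as root (chpasswd, writing $ENV_FILE)."
  exit 1
fi
while true; do
  read -rsp "New password for 'zroc' (min 8 chars): " NEW_PW; echo
  read -rsp "Confirm password: " NEW_PW2; echo
  if [[ "$NEW_PW" != "$NEW_PW2" ]]; then
    err "Passwords do not match."
  elif [[ ${#NEW_PW} -lt 8 ]]; then
    err "Password must be at least 8 characters."
  elif printf '%s\n' "zroc:$NEW_PW" | chpasswd; then
    ok "Appliance password changed"
    break
  else
    err "chpasswd rejected the password (local policy?); please try again."
  fi
done
# Drop the cleartext from the shell environment once it has been consumed.
unset NEW_PW NEW_PW2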

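# Step 2: address discovery. PUBLIC_URL is derived from the first address
# 'hostname -I' reports. Only the DHCP lease is supported by this wizard, so a
# "no" answer is acknowledged with a warning instead of being silently ignored,
# and an empty address aborts rather than producing PUBLIC_URL=https://.
step "2/7  Network Configuration"
# '|| true' keeps a failing hostname from tripping pipefail inside the
# substitution; the empty-value check below handles that case.
CURRENT_IP=$(hostname -I 2>/dev/null | awk '{print $1}' || true)
if [[ -z "$CURRENT_IP" ]]; then
  err "No IP address found on this host; check the network and re-run the wizard."
  exit 1
fi
# BOLD/RESET hold literal escape text, so render them with '%b' (a plain echo
# would print the backslash sequence verbatim).
printf 'Current IP: %b%s%b (DHCP)\n' "$BOLD" "$CURRENT_IP" "$RESET"
read -rp "Keep DHCP? [Y/n]: " NET_CHOICE
NET_CHOICE="${NET_CHOICE:-Y}"
if [[ "$NET_CHOICE" =~ ^[nN] ]]; then
  warn "Static addressing is not configured by this wizard; keeping the DHCP address $CURRENT_IP."
fi
PUBLIC_URL="https://$CURRENT_IP"
ok "Using $CURRENT_IP"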

# Step 3: TLS. Only the built-in self-signed mode is offered; Caddy mints the
# certificate on first start. NOTE(review): TLS_MODE is set here but not
# written to the env file below — presumably the compose configuration
# defaults to the internal CA; confirm before adding other modes.
step "3/7  HTTPS / TLS Certificate"
echo 'Using self-signed certificate (default)'
TLS_MODE=internal
ok 'Self-signed certificate will be generated by Caddy'

# Step 4: password for the zROC admin account (it is written to the env file
# as GRAFANA_PASSWORD further down). Read without echo, confirmed, and at
# least 12 characters; the prompt repeats until both conditions hold.
step "4/7  zROC Admin Account"
while :; do
  read -rsp "Admin password (min 12 chars): " ADMIN_PASS; echo
  read -rsp "Confirm password: " ADMIN_PASS2; echo
  if [[ "$ADMIN_PASS" == "$ADMIN_PASS2" && ${#ADMIN_PASS} -ge 12 ]]; then
    ok "Admin password set"
    break
  fi
  if [[ "$ADMIN_PASS" != "$ADMIN_PASS2" ]]; then
    err "Passwords do not match."
  else
    err "Password must be at least 12 characters."
  fi
done

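# Step 5: primary ZVM connection. The hostname is mandatory — an empty value
# would produce an unusable 'ZVM_HOST=' line in the env file — so the prompt
# repeats until one is given. Username defaults to 'admin'; the password is
# read without echo; vCenter is optional and may stay empty.
step "5/7  Zerto ZVM Configuration — Site 1"
ZVM_HOST=
while [[ -z "$ZVM_HOST" ]]; do
  read -rp "ZVM Hostname or IP: " ZVM_HOST
  [[ -n "$ZVM_HOST" ]] || err "ZVM hostname or IP is required."
done
read -rp "ZVM Username [admin]: " ZVM_USER
ZVM_USER="${ZVM_USER:-admin}"
read -rsp "ZVM Password: " ZVM_PASS; echo
read -rp "vCenter Hostname (optional): " VCENTER_HOST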

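# Step 6: second site. Not implemented by this wizard: a "yes" answer is
# acknowledged with a warning instead of being silently dropped, so the
# operator knows only Site 1 will be configured.
step "6/7  Second ZVM Site (optional)"
read -rp "Monitor a second site? [y/N]: " SITE2
SITE2="${SITE2:-N}"
if [[ "$SITE2" =~ ^[yY] ]]; then
  warn "Second-site configuration is not available in this wizard; continuing with Site 1 only."
fi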

# Step 7: identity provider. Only the bundled local Authentik directory is
# offered; no external IdP is configured by this wizard.
step "7/7  Enterprise Identity Provider (optional)"
printf '%s\n' 'Using local Authentik accounts (default)'

# Long-lived credentials for the bundled services, drawn from openssl's CSPRNG
# as hex (N bytes -> 2N characters). A fresh set is minted on every run of this
# wizard. Under 'set -e' a missing or failing openssl aborts the script here.
rand_hex() { openssl rand -hex "$1"; }
SESSION_SECRET=$(rand_hex 32)
AUTHENTIK_PG_PASS=$(rand_hex 24)
AUTHENTIK_SECRET_KEY=$(rand_hex 48)
OIDC_CLIENT_ID='zroc-dashboard'
OIDC_CLIENT_SECRET=$(rand_hex 32)

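# Persist the configuration for docker compose. This file holds the ZVM
# password, the admin password and every generated secret, so it is created
# (or truncated) under umask 077 and chmod'ed BEFORE the content is written:
# 'cat > file' followed by chmod would leave the secrets world-readable under
# the default umask for a moment, and an existing looser-mode file would keep
# that mode while being rewritten.
# NOTE(review): values are written unquoted; docker compose interpolates
# '${...}' inside .env values, so a password containing '$' may need '$$'
# escaping — confirm against the compose version in use.
( umask 077; : > "$ENV_FILE" )
chmod 600 "$ENV_FILE"
cat > "$ENV_FILE" << EOF
PUBLIC_URL=$PUBLIC_URL
ZVM_HOST=$ZVM_HOST
ZVM_USERNAME=$ZVM_USER
ZVM_PASSWORD=$ZVM_PASS
VCENTER_HOST=${VCENTER_HOST:-}
SESSION_SECRET=$SESSION_SECRET
AUTHENTIK_PG_PASS=$AUTHENTIK_PG_PASS
AUTHENTIK_SECRET_KEY=$AUTHENTIK_SECRET_KEY
AUTHENTIK_CLIENT_ID=$OIDC_CLIENT_ID
AUTHENTIK_CLIENT_SECRET=$OIDC_CLIENT_SECRET
ZROC_OIDC_CLIENT_ID=$OIDC_CLIENT_ID
ZROC_OIDC_CLIENT_SECRET=$OIDC_CLIENT_SECRET
ZROC_PUBLIC_URL=$PUBLIC_URL
AUTHENTIK_ADMIN_TOKEN=PENDING_FIRST_START
GRAFANA_PASSWORD=$ADMIN_PASS
PROMETHEUS_URL=http://prometheus:9090
EOF

ok ".env written to $ENV_FILE"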

# Bring up the compose project from the install directory; output is trimmed
# to its last 20 lines. With 'pipefail' set, a failing 'docker compose up'
# still aborts the script here despite the pipe into tail.
echo 'Starting zROC services...'
cd -- "$INSTALL_DIR"
docker compose up -d 2>&1 | tail -n 20

# Hand-off: deleting the getty drop-in is what makes this wizard one-shot, so
# the normal login prompt returns on the next boot.
# NOTE(review): 'set -e' exits before this point on any earlier failure (e.g.
# compose), in which case the override survives and the wizard re-runs on the
# next boot, regenerating secrets and rewriting the env file — confirm that
# is the intended recovery path.
rm -f -- /etc/systemd/system/getty@tty1.service.d/zroc-firstboot.conf
systemctl daemon-reload

# Closing banner: switch to bold green, print the dashboard URL, reset.
printf '%b\n' "${GREEN}${BOLD}"
printf '%s\n' '  ✅  zROC is ready!'
printf '  Dashboard:  %s\n' "$PUBLIC_URL"
printf '%b\n' "$RESET"
