#!/usr/bin/env bash
# /usr/local/bin/zroc-setup
# Interactive first-boot configuration wizard for the zROC appliance.
#
# Prompts on the console for network, TLS, admin password and ZVM details,
# writes them together with freshly generated secrets to /opt/zroc/.env
# (mode 600), runs `docker compose up -d` from /opt/zroc and then disables
# zroc-firstboot.service. Needs bash, openssl, docker compose and systemctl.
# NOTE(review): writing under /opt and calling systemctl presumably requires
# root — confirm against the firstboot unit that launches this script.
set -euo pipefail

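# Appliance install root; everything this wizard writes lives under it.
readonly INSTALL_DIR=/opt/zroc
# Environment file written in the final step (docker compose is run from
# INSTALL_DIR, where it picks up a .env by convention).
readonly ENV_FILE="$INSTALL_DIR/.env"
# Certificate directory; defined for reference, not used elsewhere in this script.
readonly CERTS_DIR="$INSTALL_DIR/certs"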

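# ANSI SGR sequences stored as real escape bytes rather than the literal
# four-character text "\033": they then render correctly through plain echo
# and printf '%s' (the "Current IP" line uses plain echo) as well as echo -e.
readonly CYAN=$'\033[0;36m' GREEN=$'\033[0;32m' YELLOW=$'\033[1;33m'
readonly RED=$'\033[0;31m'  BOLD=$'\033[1m'     RESET=$'\033[0m'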

# Prints a blank line then the message in bold cyan (escapes in the message are expanded).
header() { printf '\n%b\n' "${CYAN}${BOLD}$*${RESET}"; }
# Prints a green check mark followed by the message (escapes in the message are expanded).
ok() { printf '%b\n' "${GREEN}✓ $*${RESET}"; }
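# Prints a yellow warning on stderr, so it is not lost when stdout is redirected.
warn() { printf '%b\n' "${YELLOW}⚠ $*${RESET}" >&2; }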
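# Prints a red error marker on stderr, so diagnostics stay visible when stdout is redirected.
err() { printf '%b\n' "${RED}✗ $*${RESET}" >&2; }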
# Prints a blank line, a bold "Step <label>" heading and a 55-character rule.
step() {
  local rule
  printf '\n%b\n' "${BOLD}Step $*${RESET}"
  printf -v rule '%*s' 55 ''
  printf '%s\n' "${rule// /─}"
}

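# Clear the screen when a terminal is available. On a first-boot console with
# no usable TERM, clear(1) exits non-zero, which must not abort the wizard
# under `set -e`.
clear 2>/dev/null || true
printf '%b\n' "$CYAN"
cat << 'BANNER'
  ███████╗██████╗  ██████╗  ██████╗
  ╚══███╔╝██╔══██╗██╔═══██╗██╔════╝
    ███╔╝ ██████╔╝██║   ██║██║
   ███╔╝  ██╔══██╗██║   ██║██║
  ███████╗██║  ██║╚██████╔╝╚██████╗
  ╚══════╝╚═╝  ╚═╝ ╚═════╝  ╚═════╝

  Setup Wizard — Zerto Resiliency Observation Console
BANNER
printf '%b\n' "$RESET"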

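# Step 1: Network
step "1/6  Network Configuration"
# First address reported by the kernel. The wizard keeps DHCP and only records
# this address in PUBLIC_URL; without one the URL would be the bare "https://".
CURRENT_IP=$(hostname -I | awk '{print $1}')
if [[ -z "$CURRENT_IP" ]]; then
  err "No IP address found on this host; configure networking and re-run."
  exit 1
fi
# %b expands the colour escapes; %s prints the address verbatim.
printf 'Current IP: %b%s%b (DHCP)\n' "$BOLD" "$CURRENT_IP" "$RESET"
read -rp "Keep DHCP? [Y/n]: " NET_CHOICE
NET_CHOICE="${NET_CHOICE:-Y}"
# Static addressing is not implemented here; tell the user rather than
# silently discarding a "no".
if [[ "$NET_CHOICE" =~ ^[Nn] ]]; then
  warn "Static addressing is not configured by this wizard; keeping DHCP address $CURRENT_IP."
fi
PUBLIC_URL="https://$CURRENT_IP"
ok "Using $CURRENT_IP"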

# Step 2: TLS
step "2/6  HTTPS / TLS Certificate"
# Only the Caddy-managed self-signed mode is offered by this wizard.
printf '%s\n' "Using self-signed certificate (default)"
# NOTE(review): TLS_MODE is set here but is not written into the .env below —
# confirm whether any consumer expects it.
TLS_MODE="internal"
ok "Self-signed certificate will be generated by Caddy"

# Step 3: Admin password
step "3/6  zROC Admin Account"
# Re-prompt until both entries agree and the minimum length is met. read -s
# keeps the password off the screen; the explicit echo restores the newline.
while :; do
  read -rsp "Admin password (min 12 chars): " ADMIN_PASS; echo
  read -rsp "Confirm password: " ADMIN_PASS2; echo
  if [[ "$ADMIN_PASS" != "$ADMIN_PASS2" ]]; then
    err "Passwords do not match."
    continue
  fi
  if (( ${#ADMIN_PASS} < 12 )); then
    err "Password must be at least 12 characters."
    continue
  fi
  ok "Admin password set"
  break
done

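# Step 4: ZVM Site 1
step "4/6  Zerto ZVM Configuration — Site 1"
# Host and password are mandatory: an empty answer would otherwise be written
# verbatim into .env as ZVM_HOST= / ZVM_PASSWORD=.
ZVM_HOST=""
while [[ -z "$ZVM_HOST" ]]; do
  read -rp "ZVM Hostname or IP: " ZVM_HOST
  [[ -n "$ZVM_HOST" ]] || err "ZVM hostname is required."
done
read -rp "ZVM Username [admin]: " ZVM_USER; ZVM_USER="${ZVM_USER:-admin}"
ZVM_PASS=""
while [[ -z "$ZVM_PASS" ]]; do
  read -rsp "ZVM Password: " ZVM_PASS; echo
  [[ -n "$ZVM_PASS" ]] || err "ZVM password is required."
done
# Optional; an empty value is written as VCENTER_HOST= below.
read -rp "vCenter Hostname (optional): " VCENTER_HOST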

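# Step 5: Second site
step "5/6  Second ZVM Site (optional)"
read -rp "Monitor a second site? [y/N]: " SITE2; SITE2="${SITE2:-N}"
# No second-site details are collected or written by this wizard; say so
# instead of silently ignoring a "yes".
if [[ "$SITE2" =~ ^[Yy] ]]; then
  warn "Second-site setup is not handled by this wizard; only Site 1 will be written to .env."
fi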

# Step 6: Enterprise IdP
step "6/6  Enterprise Identity Provider (optional)"
# No external IdP is configured by this wizard; local Authentik accounts are used.
printf '%s\n' "Using local Authentik accounts (default)"

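# Generate secrets
# All secrets come from openssl's random generator; check for the binary up
# front so a missing dependency gives a clear message instead of a
# "command not found" from the first substitution.
if ! command -v openssl >/dev/null 2>&1; then
  err "openssl is required to generate secrets but was not found in PATH."
  exit 1
fi

# Prints $1 random bytes as lowercase hex (2 * $1 characters).
new_secret() { openssl rand -hex "$1"; }

SESSION_SECRET=$(new_secret 32)
AUTHENTIK_PG_PASS=$(new_secret 24)
AUTHENTIK_SECRET_KEY=$(new_secret 48)
# Public client identifier; not a secret.
OIDC_CLIENT_ID="zroc-dashboard"
OIDC_CLIENT_SECRET=$(new_secret 32)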

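# Write .env
# The file holds every credential the appliance uses, so it must never be
# readable by others even for an instant: create/truncate it under umask 077
# and tighten a pre-existing wider mode while it is still empty, only then
# write the contents. (`cat >` alone would inherit the default umask, or the
# old file's mode, until the later chmod.)
# Values are written unquoted, one per line. NOTE(review): confirm how the
# consumer of this file treats '$', '#' and quote characters in passwords —
# they are written verbatim here.
(
  umask 077
  : > "$ENV_FILE"
  chmod 600 "$ENV_FILE"
  cat > "$ENV_FILE" << EOF
PUBLIC_URL=$PUBLIC_URL
ZVM_HOST=$ZVM_HOST
ZVM_USERNAME=$ZVM_USER
ZVM_PASSWORD=$ZVM_PASS
VCENTER_HOST=${VCENTER_HOST:-}
SESSION_SECRET=$SESSION_SECRET
AUTHENTIK_PG_PASS=$AUTHENTIK_PG_PASS
AUTHENTIK_SECRET_KEY=$AUTHENTIK_SECRET_KEY
AUTHENTIK_CLIENT_ID=$OIDC_CLIENT_ID
AUTHENTIK_CLIENT_SECRET=$OIDC_CLIENT_SECRET
ZROC_OIDC_CLIENT_ID=$OIDC_CLIENT_ID
ZROC_OIDC_CLIENT_SECRET=$OIDC_CLIENT_SECRET
ZROC_PUBLIC_URL=$PUBLIC_URL
AUTHENTIK_ADMIN_TOKEN=PENDING_FIRST_START
GRAFANA_PASSWORD=$ADMIN_PASS
PROMETHEUS_URL=http://prometheus:9090
EOF
)
ok ".env written to $ENV_FILE"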

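# Start services
printf '%s\n' "Starting zROC services..."
cd "$INSTALL_DIR" || { err "Cannot change to $INSTALL_DIR"; exit 1; }
# With pipefail the pipeline reports compose's status even though tail is the
# last stage. On failure exit before disabling the firstboot unit, so the
# setup can be retried, and say why instead of stopping silently.
if ! docker compose up -d 2>&1 | tail -20; then
  err "docker compose failed to start the zROC services; fix the error above and re-run $0."
  exit 1
fi

# Setup completed; the one-shot firstboot unit is no longer needed.
systemctl disable zroc-firstboot.service 2>/dev/null || true

printf '%b\n' "${GREEN}${BOLD}"
echo "  ✅  zROC is ready!"
echo "  Dashboard:  $PUBLIC_URL"
printf '%b\n' "$RESET"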
