#!/bin/bash
# ==============================================================================
# WALLARM NODE DEPLOYMENT SCRIPT - V1.1 (STEALTH PROXY EDITION)
# ==============================================================================
# Features:
# - Stealth Binary Pull via ct.sechpoint.app (Proxy to download.docker.com)
# - Stealth Image Pull via hub.ct.sechpoint.app (Proxy to registry-1.docker.io)
# - Automatic Architecture Detection & Path Mapping
# - Image Normalization (Re-tagging for internal compatibility)
# - OS-agnostic deployment (Ubuntu, Debian, CentOS, RHEL, Alpine, etc.)
# ==============================================================================

# Color definitions for better UX
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
BOLD='\033[1m'
NC='\033[0m'

# SECHPOINT STEALTH CONFIGURATION
BASE_DOMAIN="ct.sechpoint.app"
HUB_DOMAIN="hub.ct.sechpoint.app"
DOCKER_VERSION="29.2.1" # Verified stable via Proxy

# Cloud endpoints (from Wallarm documentation)
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com")
US_DATA_NODES=("us1.api.wallarm.com" "node-data.us1.wallarm.com")

LOG_FILE="/var/log/wallarm-deployment.log"

# --- HELPER FUNCTIONS ---

log_message() {
    local level="$1"
    local message="$2"
    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
    echo -e "${timestamp} [${level}] ${message}" | sudo tee -a "$LOG_FILE" > /dev/null
    
    case "$level" in
        "INFO")    echo -e "${BLUE}${BOLD}[INFO]${NC} ${message}" ;;
        "SUCCESS") echo -e "${GREEN}${BOLD}[SUCCESS]${NC} ${message}" ;;
        "WARNING") echo -e "${YELLOW}${BOLD}[WARNING]${NC} ${message}" ;;
        "ERROR")   echo -e "${RED}${BOLD}[ERROR]${NC} ${message}" ;;
    esac
}

fail_with_remediation() {
    local error="$1"
    local remediation="$2"
    log_message "ERROR" "$error"
    echo -e "\n${RED}${BOLD}REMEDIATION:${NC} ${remediation}\n"
    exit 1
}

# --- SYSTEM CHECKS ---

check_pre_flight() {
    log_message "INFO" "Starting pre-flight checks..."
    
    # Root check
    if [[ $EUID -ne 0 ]]; then
        fail_with_remediation "Script must be run as root/sudo" "Try: sudo ./$(basename "$0")"
    fi

    # Architecture check & mapping
    ARCH=$(uname -m)
    case "$ARCH" in
        x86_64)  D_ARCH="x86_64" ;;
        aarch64) D_ARCH="aarch64" ;;
        *) fail_with_remediation "Unsupported architecture: $ARCH" "Contact Sechpoint Support for custom binaries." ;;
    esac
    
    # Internet / Proxy check
    log_message "INFO" "Checking connectivity to Stealth Proxy ($BASE_DOMAIN)..."
    if ! curl -Is --connect-timeout 5 "https://$BASE_DOMAIN" > /dev/null; then
        fail_with_remediation "Proxy Unreachable" "Check firewall rules for outbound HTTPS to $BASE_DOMAIN"
    fi
}

# --- DOCKER ENGINE SETUP ---

setup_docker_engine() {
    log_message "INFO" "Deploying Docker Engine via Stealth Proxy..."

    if command -v docker >/dev/null 2>&1; then
        log_message "SUCCESS" "Docker engine already installed."
        return 0
    fi

    local binary_file="docker-$DOCKER_VERSION.tgz"
    # Target Path on Zoraxy maps /linux/ to download.docker.com/linux/
    local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"

    log_message "INFO" "Fetching binaries from $download_url"
    
    curl -fL "$download_url" -o "/tmp/$binary_file"
    if [[ $? -ne 0 ]]; then
        fail_with_remediation "Binary download failed" "Verify Zoraxy mapping for /linux/ to download.docker.com"
    fi

    tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null
    sudo cp /tmp/docker/* /usr/bin/
    rm -rf /tmp/docker "/tmp/$binary_file"

    # Create stealth systemd service
    sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit]
Description=Docker Engine
After=network.target
[Service]
ExecStart=/usr/bin/dockerd --group docker
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

    sudo systemctl daemon-reload
    sudo systemctl enable --now docker
    log_message "SUCCESS" "Docker Engine is live."
}

# --- WALLARM NODE DEPLOYMENT ---

deploy_wallarm_node() {
    log_message "INFO" "Fetching Wallarm Filtering Node via Stealth Registry..."

    # Source through our proxy subdomain
    local proxy_img="$HUB_DOMAIN/wallarm/node:latest"
    # Destination name expected by standard configs
    local local_img="wallarm/node:latest"

    log_message "INFO" "Pulling $proxy_img..."
    if ! sudo docker pull "$proxy_img"; then
        fail_with_remediation "Image Pull Failed" "Verify hub.ct.sechpoint.app points to registry-1.docker.io"
    fi

    # Normalize Image Tag
    log_message "INFO" "Normalizing image tags..."
    sudo docker tag "$proxy_img" "$local_img"
    sudo docker rmi "$proxy_img"
    
    log_message "SUCCESS" "Wallarm Node Image Ready."
}

# --- MAIN EXECUTION ---

main() {
    clear
    echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
    echo -e "${CYAN}${BOLD}║           SECHPOINT WALLARM STEALTH DEPLOYER V1.1          ║${NC}"
    echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"

    check_pre_flight
    setup_docker_engine
    deploy_wallarm_node

    log_message "INFO" "Deployment complete. Finalizing environment..."
    
    # Create the persistent start script (Optional logic based on your previous file)
    # Ensure it uses the normalized 'wallarm/node:latest' name
    
    echo -e "\n${GREEN}${BOLD}STEALTH DEPLOYMENT SUCCESSFUL${NC}"
    echo -e "Docker: $(docker --version)"
    echo -e "Image:  $(docker images wallarm/node --format '{{.Repository}}:{{.Tag}}')"
}

main "$@"