#!/bin/bash
# ==============================================================================
# Wallarm Bulletproof Deployer - Banking Hardened (Manual Binary Support)
# ==============================================================================

YELLOW='\033[1;33m'
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m'

# --- 1. PRE-FLIGHT: CONNECTIVITY & ENGINE ---

check_connectivity() {
    echo -e "\n${YELLOW}[1/5] Checking Connectivity & Registry...${NC}"
    
    # Cloud Selection
    read -p "Wallarm Cloud (US/EU) [US]: " CLOUD; CLOUD=${CLOUD^^}; CLOUD=${CLOUD:-US}
    API_HOST=$([[ "$CLOUD" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com")
    
    # Test Docker Hub Reachability
    REGISTRY_REACHABLE=true
    curl -skI --connect-timeout 5 "https://registry-1.docker.io/v2/" > /dev/null 2>&1 || REGISTRY_REACHABLE=false
    
    if [ "$REGISTRY_REACHABLE" = false ]; then
        echo -e "${RED}[ALERT]${NC} Docker Hub is CLOSED."
        if ls *.tar >/dev/null 2>&1; then
            echo -e "${GREEN}[INFO]${NC} Local .tar found. Will attempt 'docker load'."
        else
            echo -e "${RED}[ERROR]${NC} No internet and no local .tar image found. Please upload the wallarm-node image."; exit 1
        fi
    else
        echo -e "${GREEN}[PASS]${NC} Docker Hub is reachable."
    fi
}

setup_engine() {
    echo -e "\n${YELLOW}[2/5] Hardening Container Engine...${NC}"
    
    # Check if Docker or Podman is already running
    if sudo docker info > /dev/null 2>&1; then
        ENGINE="docker"
        echo -e "${GREEN}[INFO]${NC} Existing Docker Engine detected."
    elif sudo podman info > /dev/null 2>&1; then
        ENGINE="podman"
        echo -e "${GREEN}[INFO]${NC} Existing Podman Engine detected."
    else
        # No engine found, configure the manual Docker binaries
        echo "No engine active. Setting up manual Docker Service..."
        if [ ! -f "/usr/bin/dockerd" ]; then
            echo -e "${RED}[FAIL]${NC} /usr/bin/dockerd not found. Ensure binaries were moved."; exit 1
        fi

        sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit]
Description=Docker Engine
After=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
[Install]
WantedBy=multi-user.target
EOF
        sudo systemctl daemon-reload
        sudo systemctl enable --now docker
        ENGINE="docker"
    fi
}

# --- 2. CONFIGURATION ---

get_params() {
    echo -e "\n${YELLOW}[3/5] Instance Configuration...${NC}"
    read -p "Wallarm Token: " TOKEN
    read -p "Instance ID [1]: " ID; ID=${ID:-1}
    read -p "App IP [127.0.0.1]: " APP_IP; APP_IP=${APP_IP:-127.0.0.1}
    read -p "App Port [80]: " APP_PORT; APP_PORT=${APP_PORT:-80}

    INSTANCE_DIR="/opt/wallarm/$ID"
    sudo mkdir -p "$INSTANCE_DIR"
}

# --- 3. PERSISTENCE ARTIFACTS ---

generate_artifacts() {
    echo -e "\n${YELLOW}[4/5] Building Persistence Layers...${NC}"

    # Nginx Conf
    sudo tee "$INSTANCE_DIR/nginx.conf" > /dev/null <<EOF
server {
    listen 80;
    wallarm_mode monitoring;
    location / {
        proxy_pass http://$APP_IP:$APP_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
    }
}
server { listen 90; location /wallarm-status { wallarm_status on; } }
EOF

    # Shell Start Script (The Persistence Logic)
    sudo tee "$INSTANCE_DIR/start.sh" > /dev/null <<EOF
#!/bin/bash
echo "Cleaning old containers..."
sudo $ENGINE rm -f wallarm-node-$ID 2>/dev/null

echo "Launching Wallarm Node..."
sudo $ENGINE run -d \\
  --name wallarm-node-$ID \\
  --restart always \\
  -p 80:80 -p 90:90 \\
  -e WALLARM_API_TOKEN=$TOKEN \\
  -e WALLARM_API_HOST=$API_HOST \\
  -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \\
  wallarm/node:latest
EOF
    sudo chmod +x "$INSTANCE_DIR/start.sh"
}

# --- 4. EXECUTION ---

run_poc() {
    echo -e "\n${YELLOW}[5/5] Executing Deployment...${NC}"
    
    if [ "$REGISTRY_REACHABLE" = true ]; then
        echo "Pulling latest image..."
        sudo $ENGINE pull wallarm/node:latest
    else
        echo "Loading image from local storage..."
        sudo $ENGINE load < *.tar
    fi

    sudo "$INSTANCE_DIR/start.sh"

    sleep 15
    echo -n "Verifying Node Status... "
    if curl -s http://localhost:90/wallarm-status | grep -q "requests"; then
        echo -e "${GREEN}✅ POC ACTIVE${NC}"
    else
        echo -e "${RED}❌ FAILED${NC}. Check logs: sudo $ENGINE logs wallarm-node-$ID"
    fi
}

# --- RUN ---
check_connectivity
setup_engine
get_params
generate_artifacts
run_poc