#!/bin/bash
# ==============================================================================
# Wallarm Bulletproof Deployer - Banking Hardened Edition
# ==============================================================================

YELLOW='\033[1;33m'
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m'

# --- 1. PRE-FLIGHT: CONNECTIVITY & ENGINE ---

check_connectivity() {
    echo -e "\n${YELLOW}[1/5] Checking Connectivity & Registry...${NC}"
    
    # Cloud Selection
    read -p "Wallarm Cloud (US/EU) [US]: " CLOUD; CLOUD=${CLOUD^^}; CLOUD=${CLOUD:-US}
    API_HOST=$([[ "$CLOUD" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com")
    
    # Test Wallarm API
    curl -skI --connect-timeout 5 "https://$API_HOST" > /dev/null 2>&1 || \
        { echo -e "${RED}[WARN]${NC} Wallarm Cloud unreachable. Ensure proxy is set."; }

    # Test Docker Hub
    REGISTRY_REACHABLE=true
    curl -skI --connect-timeout 5 "https://registry-1.docker.io/v2/" > /dev/null 2>&1 || REGISTRY_REACHABLE=false
    
    if [ "$REGISTRY_REACHABLE" = false ]; then
        echo -e "${RED}[ALERT]${NC} Docker Hub is CLOSED."
        if ls *.tar >/dev/null 2>&1; then
            echo -e "${GREEN}[INFO]${NC} Local .tar found. Will attempt 'docker load'."
        else
            echo -e "${RED}[ERROR]${NC} No internet and no local .tar image found. Cannot proceed."; exit 1
        fi
    fi
}

setup_service() {
    echo -e "\n${YELLOW}[2/5] Hardening Docker Service...${NC}"
    # Ensure the systemd unit exists for the manual binaries
    sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit]
Description=Docker Application Container Engine
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP \$MAINPID
TimeoutStartSec=0
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity

[Install]
WantedBy=multi-user.target
EOF

    sudo systemctl daemon-reload
    sudo systemctl enable --now docker
    sudo docker info > /dev/null 2>&1 || { echo -e "${RED}[FAIL]${NC} Docker Engine failed."; exit 1; }
}

# --- 2. CONFIGURATION ---

get_params() {
    echo -e "\n${YELLOW}[3/5] Instance Setup...${NC}"
    read -p "Wallarm Token: " TOKEN
    read -p "Instance ID [1]: " ID; ID=${ID:-1}
    read -p "App IP [127.0.0.1]: " APP_IP; APP_IP=${APP_IP:-127.0.0.1}
    read -p "App Port [80]: " APP_PORT; APP_PORT=${APP_PORT:-80}

    INSTANCE_DIR="/opt/wallarm/$ID"
    sudo mkdir -p "$INSTANCE_DIR"
}

# --- 3. ARTIFACTS & REBOOT SURVIVAL ---

generate_artifacts() {
    echo -e "\n${YELLOW}[4/5] Building Persistence Layers...${NC}"

    # Nginx Conf
    sudo tee "$INSTANCE_DIR/nginx.conf" > /dev/null <<EOF
server {
    listen 80;
    wallarm_mode monitoring;
    location / {
        proxy_pass http://$APP_IP:$APP_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
server { listen 90; location /wallarm-status { wallarm_status on; } }
EOF

    # The "Always-Up" Start Script
    sudo tee "$INSTANCE_DIR/start.sh" > /dev/null <<EOF
#!/bin/bash
# Force cleanup of zombie containers
sudo docker rm -f wallarm-node-$ID 2>/dev/null

# Start with 'always' restart policy for reboot survival
sudo docker run -d \\
  --name wallarm-node-$ID \\
  --restart always \\
  -p 80:80 -p 90