#!/usr/bin/env bash
# proxmox-install.sh — one-shot installer for a fresh Proxmox LXC (or
# any Debian/Ubuntu host). Fetches a prebuilt release bundle from the
# Gitea package registry, extracts it, and hands off to install.sh.
#
# Usage:
#   curl -fsSL https://gitea.thewrightserver.net/josh/Vetting/raw/branch/main/deploy/proxmox-install.sh | sudo bash
#
# To pin a specific build instead of "latest":
#   VETTING_VERSION=sha-abc1234 curl -fsSL .../proxmox-install.sh | sudo bash
#
# Env overrides:
#   REGISTRY_URL     base URL of the Gitea instance hosting the package
#                    registry (default: https://gitea.thewrightserver.net)
#   PACKAGE_OWNER    Gitea owner who owns the `vetting` package
#                    (default: josh)
#   VETTING_VERSION  package version — either "latest" (rolling) or
#                    "sha-<short-sha>" (immutable). Default: "latest".
set -euo pipefail

REGISTRY_URL="${REGISTRY_URL:-https://gitea.thewrightserver.net}"
PACKAGE_OWNER="${PACKAGE_OWNER:-josh}"
VETTING_VERSION="${VETTING_VERSION:-latest}"

BUNDLE_URL="${REGISTRY_URL}/api/packages/${PACKAGE_OWNER}/generic/vetting/${VETTING_VERSION}/vetting-bundle.tar.gz"

if [[ $EUID -ne 0 ]]; then
    echo "proxmox-install.sh must be run as root (try: sudo bash)" >&2
    exit 1
fi

echo "==> installing prerequisites"
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq
apt-get install -y --no-install-recommends \
    curl ca-certificates

tmp="$(mktemp -d)"
trap 'rm -rf "${tmp}"' EXIT

echo "==> fetching bundle (${VETTING_VERSION}) from ${BUNDLE_URL}"
curl -fsSL "${BUNDLE_URL}" -o "${tmp}/vetting-bundle.tar.gz"

echo "==> extracting"
tar -C "${tmp}" -xzf "${tmp}/vetting-bundle.tar.gz"

# Bundle extracts to vetting-bundle-<sha>/; glob-match the single
# top-level directory.
shopt -s nullglob
candidates=( "${tmp}"/vetting-bundle-* )
shopt -u nullglob
if [[ ${#candidates[@]} -ne 1 || ! -d "${candidates[0]}" ]]; then
    echo "unexpected bundle layout: expected exactly one vetting-bundle-*/ dir" >&2
    exit 1
fi
bundle_dir="${candidates[0]}"

echo "==> handing off to install.sh (bundle ${bundle_dir##*/})"
cd "${bundle_dir}"
bash install.sh \
    --binary "${bundle_dir}/bin/vetting-linux-amd64" \
    --agent-binary "${bundle_dir}/bin/vetting-agent.linux-amd64"

cat <<EOF

vetting is installed from bundle $(cat "${bundle_dir}/VERSION" 2>/dev/null || echo unknown).

To upgrade later, just rerun this one-liner; it always pulls "latest"
unless VETTING_VERSION is set.

To pin a specific build:
    VETTING_VERSION=sha-abc1234 curl -fsSL \\
        ${REGISTRY_URL}/${PACKAGE_OWNER}/Vetting/raw/branch/main/deploy/proxmox-install.sh \\
        | sudo bash

For PXE support, the bundle also ships deploy/pxe-setup.sh — see
docs/operations.md for the flow.

EOF