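#!/usr/bin/env bash
# install.sh — one-shot installer for the vetting orchestrator on a
# Proxmox LXC (or any Debian/Ubuntu host).
#
# What it does:
#   1. apt-installs runtime dependencies (dnsmasq, iperf3, ca-certs).
#   2. Creates the `vetting` system user with /var/lib/vetting homedir.
#   3. Copies the pre-built `vetting` binary into /usr/local/bin.
#   4. Drops the systemd unit and example config into /etc/vetting.
#   5. Reminds the operator to edit the config before enabling
#      the service — we don't auto-start because the default bind
#      is loopback-only and needs at least a tweak to be useful.
#
# What it deliberately does NOT do:
#   - Build the orchestrator (this script assumes you ran
#     `make orchestrator-linux` beforehand and that bin/vetting-linux-amd64
#     exists alongside this script, or pass --binary to locate it).
#   - Install the live image or TFTP payloads — those are separate,
#     since most operators want to build them from a pinned CI artifact
#     rather than on the LXC itself.
#
# Usage:
#   sudo ./install.sh [--binary PATH] [--config-dir /etc/vetting]
#
# Exit status: 0 on success, 1 when a precondition fails (not root, no
# binary, missing payload file), 2 on a usage error.
#
# All inputs the installer copies (binary, config, unit) are checked for
# existence BEFORE apt-get / useradd run, so a typo in --binary or a
# missing payload cannot leave the host half-installed.

set -euo pipefail

BINARY=""
CONFIG_DIR="/etc/vetting"
readonly STATE_DIR="/var/lib/vetting"
readonly LOG_DIR="/var/log/vetting"
readonly SERVICE_USER="vetting"

# Set in main() once the script's own location is known.
SCRIPT_DIR=""
REPO_ROOT=""

#######################################
# Print the usage text to stderr. Does not exit; callers pick the status.
# NOTE(review): the original usage here-doc was garbled in the copy
# reviewed; this text is reconstructed from the header's Usage line.
#######################################
usage() {
  cat >&2 <<EOF
Usage: sudo ${0##*/} [--binary PATH] [--config-dir DIR]

  --binary PATH      pre-built vetting binary to install
                     (default: first executable of bin/vetting-linux-amd64,
                     bin/vetting in the repo, or ./vetting next to this script)
  --config-dir DIR   where vetting.yaml is installed (default: /etc/vetting)
  -h, --help         show this help
EOF
}

#######################################
# Print a message to stderr and exit 1 (precondition failure).
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a message to stderr, the usage text, and exit 2 (usage error).
# Arguments: message words
#######################################
usage_error() {
  printf '%s\n' "$*" >&2
  usage
  exit 2
}

#######################################
# Parse command-line options.
# NOTE(review): the option loop was garbled in the copy reviewed and is
# reconstructed from the header's Usage line. A missing option value is
# reported as a usage error rather than aborting with an unbound-variable
# message under `set -u`.
# Globals:   BINARY, CONFIG_DIR (written)
# Arguments: "$@" as given to the script
#######################################
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --binary)
        [[ $# -ge 2 ]] || usage_error "--binary requires a PATH"
        BINARY="$2"
        shift 2
        ;;
      --config-dir)
        [[ $# -ge 2 ]] || usage_error "--config-dir requires a DIR"
        CONFIG_DIR="$2"
        shift 2
        ;;
      -h|--help)
        usage
        exit 0
        ;;
      *)
        usage_error "unknown argument: $1"
        ;;
    esac
  done
}

#######################################
# Resolve BINARY when --binary was not given: the first executable among
# the repo's build outputs and a sibling of this script. Fails if nothing
# executable is found.
# Globals:   BINARY (read/written), REPO_ROOT, SCRIPT_DIR (read)
#######################################
locate_binary() {
  local cand
  if [[ -z "${BINARY}" ]]; then
    for cand in \
      "${REPO_ROOT}/bin/vetting-linux-amd64" \
      "${REPO_ROOT}/bin/vetting" \
      "${SCRIPT_DIR}/vetting"; do
      if [[ -x "${cand}" ]]; then
        BINARY="${cand}"
        break
      fi
    done
  fi
  if [[ -z "${BINARY}" || ! -x "${BINARY}" ]]; then
    die "could not find a vetting binary to install; pass --binary PATH or run 'make orchestrator-linux' first"
  fi
}

#######################################
# Verify the config and unit files this script copies exist before any
# system change is made.
# Globals:   SCRIPT_DIR (read)
#######################################
check_payloads() {
  local f
  for f in "${SCRIPT_DIR}/vetting.production.yaml" "${SCRIPT_DIR}/vetting.service"; do
    [[ -f "${f}" ]] || die "missing installer payload: ${f}"
  done
}

#######################################
# apt-install the runtime dependencies non-interactively.
#######################################
install_deps() {
  local -a pkgs=(ca-certificates dnsmasq iperf3)
  echo "==> installing runtime dependencies"
  export DEBIAN_FRONTEND=noninteractive
  apt-get update -qq
  apt-get install -y --no-install-recommends "${pkgs[@]}"
}

#######################################
# Create the unprivileged system user the service runs as (idempotent).
# Globals:   SERVICE_USER, STATE_DIR (read)
#######################################
create_user() {
  echo "==> creating ${SERVICE_USER} user"
  if ! id -u "${SERVICE_USER}" >/dev/null 2>&1; then
    useradd --system \
      --home-dir "${STATE_DIR}" \
      --shell /usr/sbin/nologin \
      "${SERVICE_USER}"
  fi
}

#######################################
# Create state, log and config directories with their owners/modes.
# Globals:   SERVICE_USER, STATE_DIR, LOG_DIR, CONFIG_DIR (read)
#######################################
prepare_dirs() {
  echo "==> preparing directories"
  install -d -m 0755 -o "${SERVICE_USER}" -g "${SERVICE_USER}" "${STATE_DIR}"
  install -d -m 0755 -o "${SERVICE_USER}" -g "${SERVICE_USER}" "${LOG_DIR}"
  install -d -m 0755 "${CONFIG_DIR}"
}

#######################################
# Copy the binary into /usr/local/bin and print its digest so the
# operator can compare it with the CI artifact they intended to deploy.
# Globals:   BINARY (read)
#######################################
install_binary() {
  local digest
  echo "==> installing binary"
  install -m 0755 "${BINARY}" /usr/local/bin/vetting
  digest="$(sha256sum -- /usr/local/bin/vetting | cut -d' ' -f1)"
  echo " -> installed /usr/local/bin/vetting (sha256 ${digest})"
}

#######################################
# Install the production config unless one already exists, and the
# systemd unit. Config is root-owned, group-readable by the service user.
# Globals:   SCRIPT_DIR, CONFIG_DIR, SERVICE_USER (read)
#######################################
install_config_and_unit() {
  echo "==> installing config and systemd unit"
  # vetting.production.yaml uses absolute /var/lib/vetting + /var/log/vetting
  # paths that match the systemd unit's ReadWritePaths. vetting.example.yaml
  # uses ./var/... relatives and is only correct for `make run` in a dev tree.
  if [[ ! -f "${CONFIG_DIR}/vetting.yaml" ]]; then
    install -m 0640 -o root -g "${SERVICE_USER}" \
      "${SCRIPT_DIR}/vetting.production.yaml" \
      "${CONFIG_DIR}/vetting.yaml"
    echo " -> installed default config at ${CONFIG_DIR}/vetting.yaml"
  else
    echo " -> preserving existing ${CONFIG_DIR}/vetting.yaml"
  fi
  # NOTE(review): the unit is copied verbatim, so a non-default --config-dir
  # is not propagated into it — confirm against vetting.service before
  # relying on that option.
  install -m 0644 "${SCRIPT_DIR}/vetting.service" /etc/systemd/system/vetting.service
}

#######################################
# Disable the distro's dnsmasq so only the orchestrator-supervised
# instance owns DHCP/TFTP, then reload systemd. Operators who want to
# keep dnsmasq for something else can re-enable it after configuring a
# disjoint listen address.
#######################################
disable_distro_dnsmasq() {
  if systemctl is-enabled --quiet dnsmasq 2>/dev/null; then
    echo "==> disabling distro dnsmasq (orchestrator supervises its own)"
    systemctl disable --now dnsmasq
  fi
  systemctl daemon-reload
}

#######################################
# Remind the operator of the manual steps left (step 5 of the header).
# NOTE(review): the closing here-doc was truncated in the copy reviewed;
# this text is reconstructed from the header's description.
# Globals:   CONFIG_DIR (read)
#######################################
print_next_steps() {
  cat <<EOF

Install complete. The service is NOT enabled yet: edit
${CONFIG_DIR}/vetting.yaml first (the default bind is loopback-only),
then run:

    systemctl enable --now vetting

EOF
}

#######################################
# Entry point: parse options, check preconditions, then install.
# Arguments: "$@" as given to the script
#######################################
main() {
  parse_args "$@"
  [[ ${EUID} -eq 0 ]] || die "install.sh must be run as root (try: sudo $0)"

  SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
  REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
  readonly SCRIPT_DIR REPO_ROOT

  # Everything that can fail for a local reason fails here, before apt.
  locate_binary
  check_payloads

  install_deps
  create_user
  prepare_dirs
  install_binary
  install_config_and_unit
  disable_distro_dnsmasq
  print_next_steps
}

main "$@"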