#!/bin/bash
# ============================================
# MakLinkApp – server-setup/setup.sh
# One-time server provisioning script
# Tested on: Ubuntu 22.04 LTS / 24.04 LTS
# Run as root or with sudo
# Usage: bash setup.sh
# ============================================

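# Strict mode: abort on any error, on use of an unset variable, and on a failure in
# any stage of a pipeline. Without pipefail a failed download in a `curl ... | sh`
# pipeline would be masked by the exit status of `sh`.
set -euo pipefail
RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'
# Coloured status lines. $1 is the message; output goes to stdout with the rest of the script.
info()    { echo -e "${GREEN}[INFO]${NC} $1"; }
warn()    { echo -e "${YELLOW}[WARN]${NC} $1"; }
success() { echo -e "${GREEN}[✓]${NC} $1"; }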

# Banner identifying the project and the host this script provisions.
# Quoted delimiter: the box-drawing text is emitted literally, no expansion.
cat << 'EOF'

  ┌─────────────────────────────────────────┐
  │  MakLinkApp – TFSBD Server Setup        │
  │  maklinkapp.tfsbd.com                   │
  └─────────────────────────────────────────┘

EOF

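# ---- 1. Update system ----
info "Updating system packages..."
# Non-interactive apt so a config-file prompt during `upgrade` cannot stall an
# unattended run; the export also covers every later apt-get install in this script.
export DEBIAN_FRONTEND=noninteractive
# Two separate statements on purpose: in `a && b`, set -e ignores a failure of `a`,
# so the original one-liner could skip the upgrade and still report "System updated".
apt-get update -qq
apt-get upgrade -y -qq
success "System updated"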

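# ---- 2. Install Docker ----
# Installs Docker Engine via Docker's convenience script if no `docker` binary is present.
if ! command -v docker &> /dev/null; then
  info "Installing Docker..."
  # Save the installer before running it instead of `curl | sh`: a truncated or
  # tampered download then fails as a whole rather than partially executing as root,
  # and because set -e aborts before the rm below, a failed run leaves the file for
  # inspection. --proto/--tlsv1.2 refuse plain-HTTP redirects and old TLS.
  docker_installer="$(mktemp /tmp/get-docker.XXXXXX)"
  curl --proto '=https' --tlsv1.2 -fsSL https://get.docker.com -o "$docker_installer"
  # TODO(security): get.docker.com publishes no signature for this script; for a
  # stricter supply chain, install from Docker's apt repository with its pinned
  # signing key instead.
  sh "$docker_installer"
  rm -f -- "$docker_installer"
  systemctl enable --now docker
  success "Docker installed: $(docker --version)"
else
  success "Docker already installed: $(docker --version)"
fi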

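# ---- 3. Install Docker Compose ----
# `command -v docker compose` looks up two separate names ("docker" and a
# non-existent "compose") and therefore always fails, so the plugin was reinstalled
# on every run. Probe the subcommand itself instead.
if ! docker compose version &> /dev/null; then
  info "Installing Docker Compose plugin..."
  # docker-compose-plugin ships from Docker's apt repository, which get.docker.com configures.
  apt-get install -y docker-compose-plugin
  success "Docker Compose installed"
else
  success "Docker Compose already available"
fi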

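# ---- 4. Create deploy user ----
# Account used by CI/CD for deployments. useradd without -p leaves the password
# locked, so the account is reachable only with an SSH key.
if ! id "deploy" &>/dev/null; then
  info "Creating deploy user..."
  useradd -m -s /bin/bash deploy
  # NOTE(security): docker group membership is root-equivalent on this host (the
  # member can start privileged containers with / mounted). Whoever holds the deploy
  # key effectively holds root; protect the key and the CI secret accordingly.
  usermod -aG docker deploy
  install -d -m 700 -o deploy -g deploy /home/deploy/.ssh
  # Create authorized_keys now with the correct mode so the later "nano" step does
  # not leave behind a file created with the editor's umask; the original chmod
  # silently did nothing because the file did not exist yet.
  touch /home/deploy/.ssh/authorized_keys
  chmod 600 /home/deploy/.ssh/authorized_keys
  # Paste your public key here or add via CI/CD secret
  # echo "ssh-ed25519 AAAA... deploy@tfsbd" >> /home/deploy/.ssh/authorized_keys
  chown -R deploy:deploy /home/deploy/.ssh
  success "Deploy user created"
else
  success "Deploy user already exists"
fi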

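# ---- 5. Create app directory ----
# Layout: uploads/ (user content), logs/ (rotated below), ssl/ (certificate + private key).
info "Creating app directory /opt/maklinkapp..."
mkdir -p /opt/maklinkapp/{uploads,logs,ssl}
chown -R deploy:deploy /opt/maklinkapp
chmod 750 /opt/maklinkapp
# ssl/ will hold privkey.pem; mkdir left it at the default 755, i.e. readable by
# every local account. If the container reads the key as a non-root UID, grant that
# UID ownership rather than loosening this back to world-readable.
chmod 700 /opt/maklinkapp/ssl
success "App directory ready"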

# ---- 6. Install Certbot (SSL) ----
# Let's Encrypt client only; issuing the certificate is an operator step (see summary).
command -v certbot &> /dev/null || {
  info "Installing Certbot for SSL..."
  apt-get install -y certbot
  success "Certbot installed"
}

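# ---- 7. Firewall ----
info "Configuring UFW firewall..."
# ufw is absent on some minimal/cloud images; the original assumed it was installed.
apt-get install -y ufw
# Reset then rebuild from scratch so re-running the script yields the same rule set.
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
# NOTE(security): Docker programs iptables directly, so any port published with
# `ports:`/`-p` in docker-compose is reachable from the internet regardless of the
# rules above. Publish internal services (database, cache, app port) on the loopback
# address only, e.g. "127.0.0.1:5432:5432", and expose only 80/443 publicly.
success "Firewall configured (SSH, HTTP, HTTPS)"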

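# ---- 8. Fail2ban ----
info "Installing Fail2ban..."
apt-get install -y fail2ban
# Ubuntu 24.04 ships without rsyslog, so /var/log/auth.log does not exist and the
# default sshd jail fails to start ("Have not found any log file"). Read the journal
# instead; this also works on 22.04. jail.d/*.local is read after jail.conf/jail.local.
cat > /etc/fail2ban/jail.d/maklinkapp-sshd.local << 'EOF'
[sshd]
enabled = true
backend = systemd
EOF
systemctl enable --now fail2ban
success "Fail2ban active"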

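# ---- 9. System hardening ----
info "Applying system hardening..."
# Refuse to turn off password login while no public key is installed anywhere on the
# host: doing so with no key present locks every operator out of the machine.
key_found=0
for keyfile in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
  [[ -s "$keyfile" ]] && key_found=1
done
if [[ "$key_found" -eq 0 ]]; then
  warn "No non-empty authorized_keys found; leaving SSH password auth enabled."
  warn "Install a key (see summary) and re-run this step."
else
  # Ubuntu's sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, and
  # sshd keeps the FIRST value it reads for an option. Editing sshd_config in place
  # is therefore silently overridden by e.g. 50-cloud-init.conf
  # ("PasswordAuthentication yes"). A drop-in that sorts before those files wins.
  # KbdInteractiveAuthentication is disabled too: with PAM enabled it can still
  # prompt for a password even when PasswordAuthentication is off.
  cat > /etc/ssh/sshd_config.d/00-maklinkapp-hardening.conf << 'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
  # Defence in depth: also flip the legacy in-file setting (commented or not).
  sed -i 's/^#\?PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
  # Validate before reloading; set -e aborts here rather than reloading a broken
  # config and taking SSH down.
  sshd -t
  systemctl reload sshd
  success "SSH password auth disabled"
fi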

# ---- 10. Log rotation ----
# Rotate the app's log files daily, keep 14 generations, gzip them one cycle late
# (delaycompress) so the just-rotated file stays readable while the service reopens.
# Quoted 'EOF' keeps the content literal — no $-expansion inside the config.
cat > /etc/logrotate.d/maklinkapp << 'EOF'
/opt/maklinkapp/logs/*.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    sharedscripts
    postrotate
        docker exec maklinkapp nginx -s reopen 2>/dev/null || true
    endscript
}
EOF
# NOTE(review): /opt/maklinkapp/logs is chowned to deploy, not root. If logrotate
# skips this set with a "parent directory has insecure permissions" error, add a
# `su deploy deploy` directive — confirm on the target host. The postrotate step
# assumes the container is named "maklinkapp" and runs nginx; failures are ignored.
success "Log rotation configured"

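# ---- 11. Summary ----
# Operator checklist printed at the end. A plain here-doc replaces the fixed-width
# box, which had drifted out of alignment and wrapped the certbot/git commands.
# Content fixes versus the previous text:
#  - step 2: `cp` without -p produced a world-readable privkey.pem, and the copy is
#    never refreshed when certbot renews in /etc/letsencrypt.
#  - step 3: `git clone URL` from /opt/maklinkapp created a maklinkapp/ subdirectory,
#    so the following `cp .env.example .env` could not find the file; cloning into
#    /opt/maklinkapp itself also fails because uploads/ logs/ ssl/ already exist.
cat << 'EOF'

  ✅  Server Setup Complete
  ------------------------------------------------------------
  Next steps:

  1. Add the deploy SSH public key:
       nano /home/deploy/.ssh/authorized_keys

  2. Issue the TLS certificate (port 80 must be free for --standalone):
       certbot certonly --standalone -d maklinkapp.tfsbd.com
       cp -p /etc/letsencrypt/live/maklinkapp.tfsbd.com/*.pem /opt/maklinkapp/ssl/
       chmod 600 /opt/maklinkapp/ssl/privkey.pem
     NOTE: certbot renews only under /etc/letsencrypt; this copy goes stale at
     renewal. Repeat the cp in a certbot --deploy-hook, or bind-mount
     /etc/letsencrypt read-only into the container instead of copying.

  3. Fetch the app and configure .env
     (git will not clone into /opt/maklinkapp because it is not empty):
       git clone https://github.com/tfsbd/maklinkapp /tmp/maklinkapp-src
       cp -a /tmp/maklinkapp-src/. /opt/maklinkapp/ && rm -rf /tmp/maklinkapp-src
       chown -R deploy:deploy /opt/maklinkapp
       cd /opt/maklinkapp && cp .env.example .env && nano .env
       chmod 600 .env    # holds secrets; keep it unreadable to other accounts

  4. Launch:
       docker compose up -d
       curl http://localhost/health

  5. Set GitHub Secrets (see README.md), then push to main → auto-deploy fires.

EOF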
