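#!/bin/bash
# setup-host.sh — Post-install script for opencode-devbox host VM
#
# Run this on a fresh Debian 13 or Ubuntu 24.04 VM to set up everything
# needed to run opencode-devbox containers.
#
# Usage:
#   curl -fsSL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/deploy/setup-host.sh | bash
#
# Or clone and run:
#   git clone https://gitea.jordbo.se/joakimp/opencode-devbox
#   cd opencode-devbox/deploy
#   ./setup-host.sh
#
# All work happens in main(), which is invoked on the very last line. When the
# script is piped into bash, this means nothing runs until the whole file has
# been received (a truncated download cannot execute half a setup), and child
# processes that read stdin cannot swallow the rest of the script.

set -euo pipefail

# ── Colors ──────────────────────────────────────────────────────────
readonly BOLD="\033[1m"
readonly GREEN="\033[32m"
readonly YELLOW="\033[33m"
readonly RED="\033[31m"
readonly RESET="\033[0m"

# Status helpers. Only the prefix goes through %b (to render the escape
# codes); the message is printed with %s so backslashes in it stay literal.
info() { printf '%b %s\n' "${BOLD}==>${RESET}" "$*"; }
ok()   { printf '%b %s\n' "${GREEN}${BOLD}✓${RESET}" "$*"; }
warn() { printf '%b %s\n' "${YELLOW}${BOLD}!${RESET}" "$*"; }
err()  { printf '%b %s\n' "${RED}${BOLD}✗${RESET}" "$*" >&2; }

#######################################
# Prepare a Debian/Ubuntu host for opencode-devbox: base packages, Docker,
# docker group membership, ufw, IPv4 preference, ~/projects.
# Globals:   ID, PRETTY_NAME, VERSION_CODENAME (set by sourcing
#            /etc/os-release), EUID, USER, HOME (read)
# Arguments: none
# Outputs:   progress on stdout, errors on stderr
# Returns:   exits non-zero on the first failing step (set -e)
#######################################
main() {
  # ── Detect distro ──────────────────────────────────────────────────
  if [[ ! -f /etc/os-release ]]; then
    err "Cannot detect Linux distribution — /etc/os-release missing"
    exit 1
  fi
  # shellcheck source=/dev/null
  . /etc/os-release

  case "${ID:-}" in
    debian|ubuntu)
      info "Detected ${PRETTY_NAME:-$ID}"
      ;;
    *)
      err "Unsupported distribution: ${ID:-unknown} — this script only supports Debian and Ubuntu"
      exit 1
      ;;
  esac

  # ── Require sudo ────────────────────────────────────────────────────
  if (( EUID == 0 )); then
    err "Do not run as root — use a regular user with sudo"
    exit 1
  fi
  if ! sudo -n true 2>/dev/null; then
    warn "This script needs sudo access. You may be prompted for your password."
  fi

  # ── Update packages ─────────────────────────────────────────────────
  info "Updating package index..."
  sudo apt-get update -qq
  info "Installing base packages..."
  sudo apt-get install -y --no-install-recommends \
    ca-certificates curl gnupg git tmux mosh ufw

  # ── Docker ──────────────────────────────────────────────────────────
  if command -v docker &>/dev/null; then
    ok "Docker already installed ($(docker --version))"
  else
    info "Installing Docker from official repository..."
    # The codename is interpolated into the apt source line; fail with a
    # clear message instead of writing a broken docker.list.
    if [[ -z "${VERSION_CODENAME:-}" ]]; then
      err "VERSION_CODENAME missing from /etc/os-release — cannot build the Docker apt source"
      exit 1
    fi
    sudo install -m 0755 -d /etc/apt/keyrings
    # Trust in this signing key rests on the TLS connection alone. For a
    # stricter setup, compare the downloaded key's fingerprint with the one
    # Docker publishes before adding the repository.
    sudo curl -fsSL "https://download.docker.com/linux/${ID}/gpg" \
      -o /etc/apt/keyrings/docker.asc
    sudo chmod a+r /etc/apt/keyrings/docker.asc
    local arch
    arch=$(dpkg --print-architecture)
    printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/%s %s stable\n' \
      "$arch" "$ID" "$VERSION_CODENAME" \
      | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
    sudo apt-get update -qq
    sudo apt-get install -y docker-ce docker-ce-cli containerd.io \
      docker-buildx-plugin docker-compose-plugin
    ok "Docker installed: $(docker --version)"
  fi

  # ── Add user to docker group ────────────────────────────────────────
  # Membership in the docker group is effectively root on this host (the
  # daemon will mount and run anything), so only add accounts you would
  # also trust with sudo.
  local user current_groups
  user=${USER:-$(id -un)}
  # Match the group name exactly: a substring test would also accept names
  # such as "dockerroot". Padding with spaces lets us test whole words
  # without a pipeline (grep -q + pipefail can misreport on SIGPIPE).
  current_groups=" $(id -nG) "
  if [[ "$current_groups" == *" docker "* ]]; then
    ok "User already in docker group"
  else
    info "Adding $user to docker group..."
    sudo usermod -aG docker "$user"
    warn "You must log out and back in for docker group to take effect"
    warn "Or run: newgrp docker"
  fi

  # ── Firewall ────────────────────────────────────────────────────────
  # Detect OpenStack — if running on OpenStack, skip ufw (security groups
  # handle firewalling).
  #
  # -f is required here: without it curl exits 0 on any HTTP reply, so a
  # 404/401 from another platform's metadata service at the same link-local
  # address would be taken for OpenStack and the host firewall would be
  # skipped. The probe is still an unauthenticated HTTP response, so treat
  # a positive result as a hint and confirm the security group rules.
  local skip_ufw=false
  if curl -fs --connect-timeout 2 --max-time 5 \
    http://169.254.169.254/openstack/ &>/dev/null; then
    skip_ufw=true
    warn "OpenStack detected — skipping ufw (use security groups instead)"
    warn "Ensure your security group allows: SSH (22/tcp), mosh (60000-61000/udp)"
  fi

  if [[ "$skip_ufw" == "false" ]]; then
    info "Configuring firewall (ufw)..."
    sudo ufw default deny incoming >/dev/null
    sudo ufw default allow outgoing >/dev/null
    sudo ufw allow ssh >/dev/null
    sudo ufw allow 60000:61000/udp comment 'mosh' >/dev/null
    local ufw_status
    ufw_status=$(sudo ufw status)
    if [[ "$ufw_status" != *"Status: active"* ]]; then
      sudo ufw --force enable
    fi
    ok "Firewall active — SSH and mosh allowed"
  fi

  # ── IPv4 preference for Docker Hub ──────────────────────────────────
  # Only an uncommented entry counts. The stock gai.conf ships this line
  # commented out, which an unanchored grep would match, and the setting
  # would then never be written.
  if ! grep -Eq '^[[:space:]]*precedence[[:space:]]+::ffff:0:0/96([[:space:]]|$)' \
    /etc/gai.conf 2>/dev/null; then
    info "Setting IPv4 preference in /etc/gai.conf..."
    echo 'precedence ::ffff:0:0/96 100' | sudo tee -a /etc/gai.conf >/dev/null
    ok "IPv4 preferred for DNS resolution"
  fi

  # ── Create projects directory ───────────────────────────────────────
  if [[ ! -d "$HOME/projects" ]]; then
    mkdir -p "$HOME/projects"
    ok "Created ~/projects"
  fi

  # ── Done ────────────────────────────────────────────────────────────
  echo ""
  ok "Host setup complete"
  echo ""
  # NOTE(review): the opening of this here-document, including step 1, did
  # not survive in the copy under review (only a stray "@" remained).
  # Steps 2–4 are reproduced as found; restore the heading and step 1 from
  # the upstream script.
  cat <<EOF
  2. Set up opencode-devbox:
     mkdir -p ~/opencode-devbox && cd ~/opencode-devbox
     curl -sL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/docker-compose.yml -o docker-compose.yml
     curl -sL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/.env.example -o .env

  3. Edit .env with your provider and API keys:
     vim .env

  4. Start and connect:
     docker compose up -d
     docker compose exec -u developer devbox opencode
EOF
}

main "$@"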