#!/bin/bash
set -e

GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m'

echo -e "${YELLOW}=== Preparando Infraestrutura de Deployment Sittax ===${NC}\n"

# 1. Elevação de privilégio
if [ "$EUID" -ne 0 ]; then
  SUDO="sudo"
else
  SUDO=""
fi

# 2. Instala dependências básicas
$SUDO apt-get update
$SUDO apt-get install -y ca-certificates curl gnupg lsb-release jq git unzip wget apt-transport-https

# 3. Instala o Docker Engine e Compose se não tiver
if ! command -v docker &> /dev/null
then
    echo -e "${YELLOW}Instalando Docker Engine e Compose Plugin...${NC}"
    $SUDO install -m 0755 -d /etc/apt/keyrings
    $SUDO curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
    $SUDO chmod a+r /etc/apt/keyrings/docker.asc
    
    echo \
      "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
      $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
      $SUDO tee /etc/apt/sources.list.d/docker.list > /dev/null
    
    $SUDO apt-get update
    $SUDO apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
    
    $SUDO systemctl enable docker
    $SUDO systemctl start docker
else
    echo -e "${GREEN}Docker já está instalado.${NC}"
fi

# 4. Habilita Swarm se não estiver habilitado
if ! $SUDO docker info | grep -q "Swarm: active"; then
  echo -e "${YELLOW}Iniciando Docker Swarm (Manager)...${NC}"
  $SUDO docker swarm init || echo -e "${YELLOW}Swarm já pode estar inicializado.${NC}"
fi

WORK_DIR="/opt/sittax/deployment"
$SUDO mkdir -p "$WORK_DIR/traefik/dynamic"
$SUDO mkdir -p "$WORK_DIR/portainer"
cd "$WORK_DIR"

# 5. Configuração da Rede (Opcional Externa)
read -p "Deseja conectar a uma rede externa existente (ex: stx)? (s/n) [default: n]: " USE_EXT_NET </dev/tty
if [[ "$USE_EXT_NET" =~ ^[SsYy]$ ]]; then
    read -p "Nome da rede externa [default: stx]: " APP_NETWORK </dev/tty
    if [ -z "$APP_NETWORK" ]; then APP_NETWORK="stx"; fi
    
    if ! $SUDO docker network ls | grep -wq "$APP_NETWORK"; then
      echo -e "${YELLOW}Criando rede externa '$APP_NETWORK' (overlay)...${NC}"
      $SUDO docker network create --driver overlay --attachable "$APP_NETWORK"
    fi
    NET_CONFIG="${APP_NETWORK}:\n    external: true\n    name: ${APP_NETWORK}"
else
    APP_NETWORK="proxy_internal"
    NET_CONFIG="${APP_NETWORK}:\n    driver: overlay\n    attachable: true"
fi

# 6. SETUP INTERATIVO
echo -e "\n${YELLOW}=== Escolha os serviços para instalar ===${NC}"
read -p "[1] Traefik + CrowdSec (Proxy Reverso e Segurança)? (s/n) [default: n]: " USE_TRAEFIK </dev/tty
read -p "[2] Portainer CE (Interface de Gestão)? (s/n) [default: n]: " USE_PORTAINER </dev/tty
read -p "[3] Azure DevOps Deployment Agent (Agente de CD)? (s/n) [default: n]: " USE_AZURE </dev/tty

# ==========================================
# TRAEFIK + CROWDSEC
# ==========================================
if [[ "$USE_TRAEFIK" =~ ^[SsYy]$ ]]; then
  echo -e "\n${YELLOW}--- Configuração Traefik ---${NC}"
  read -p "Nome da Stack para Traefik [default: proxy]: " TRAEFIK_STACK </dev/tty
  if [ -z "$TRAEFIK_STACK" ]; then TRAEFIK_STACK="proxy"; fi

  read -p "Email para SSL (Let's Encrypt) [default: administrador@sittax.com.br]: " SSL_EMAIL </dev/tty
  if [ -z "$SSL_EMAIL" ]; then SSL_EMAIL="administrador@sittax.com.br"; fi
  
  read -p "Domínio para o Dashboard do Traefik [default: traefikservice.sittax.com.br]: " TRAEFIK_HOST </dev/tty
  if [ -z "$TRAEFIK_HOST" ]; then TRAEFIK_HOST="traefikservice.sittax.com.br"; fi

  echo -e "${YELLOW}Gerando Chave de API do CrowdSec...${NC}"
  LAPI_KEY=$(openssl rand -hex 16)

  $SUDO bash -c "cat << EOF | tee traefik/dynamic/connection-ip.yml > /dev/null
http:
  middlewares:
    inject-connection-ip:
      headers:
        customRequestHeaders:
          X-Connection-IP: \"{client.ip}\"
EOF
"

  $SUDO touch traefik/acme.json
  $SUDO chmod 600 traefik/acme.json

  $SUDO bash -c "cat << EOF | tee traefik/docker-compose.yml > /dev/null
services:
  traefik:
    image: \"traefik:latest\"
    command:
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
      - --experimental.plugins.crowdsec.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      - --experimental.plugins.crowdsec.version=v1.3.3
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik/access.log
      - --entrypoints.web.http.middlewares=inject-connection-ip@file,crowdsec-bouncer@docker
      - --entrypoints.websecure.http.middlewares=inject-connection-ip@file,crowdsec-bouncer@docker
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --api
      - --api.dashboard=true
      - --providers.docker
      - --providers.swarm=true
      - --providers.docker.exposedbydefault=false
      - --log.level=ERROR
      - --certificatesresolvers.leresolver.acme.httpchallenge=true
      - --certificatesresolvers.leresolver.acme.email=${SSL_EMAIL}
      - --certificatesresolvers.leresolver.acme.storage=./acme.json
      - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
      - --providers.docker.network=${APP_NETWORK}
    ports:
      - \"80:80\"
      - \"443:443\"
    networks:
      - ${APP_NETWORK}
    volumes:
      - \"/var/run/docker.sock:/var/run/docker.sock:ro\"
      - \"./acme.json:/acme.json\"
      - \"./dynamic:/etc/traefik/dynamic:ro\"
      - \"traefik-logs:/var/log/traefik\"
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
      placement:
        constraints:
          - node.role == manager
      labels:
        - \"traefik.enable=true\"
        - \"traefik.http.routers.http-catchall.rule=hostregexp(\`{host:.+}\`)\"
        - \"traefik.http.routers.http-catchall.entrypoints=web\"
        - \"traefik.http.routers.http-catchall.middlewares=redirect-to-https\"
        - \"traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https\"
        - \"traefik.http.routers.traefik-dashboard.rule=Host(\`${TRAEFIK_HOST}\`)\"
        - \"traefik.http.services.traefik.loadbalancer.server.port=8080\"
        - \"traefik.http.routers.traefik-dashboard.entrypoints=websecure\"
        - \"traefik.http.routers.traefik-dashboard.service=api@internal\"
        - \"traefik.http.routers.traefik-dashboard.tls.certresolver=leresolver\"
        - \"traefik.http.middlewares.traefik-auth.basicauth.users=sittax:\$\$2y\$\$05\$\$TZByLIKsOHkYhzJLfkJYv.k.wce0ytyS3FoIwj/ItTcdledkRhoKC\"
        - \"traefik.http.routers.traefik-dashboard.middlewares=traefik-auth\"
        - \"traefik.http.middlewares.crowdsec-bouncer.plugin.crowdsec.enabled=true\"
        - \"traefik.http.middlewares.crowdsec-bouncer.plugin.crowdsec.lapiurl=http://crowdsec:8080\"
        - \"traefik.http.middlewares.crowdsec-bouncer.plugin.crowdsec.lapikey=${LAPI_KEY}\"

  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
      - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors
    networks:
      - ${APP_NETWORK}
    volumes:
      - crowdsec-config:/etc/crowdsec
      - crowdsec-data:/var/lib/crowdsec/data
      - traefik-logs:/var/log/traefik:ro
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
      placement:
        constraints:
          - node.role == manager
      labels:
        - \"traefik.enable=true\"
        - \"traefik.http.routers.crowdsec-api.rule=Host(\`crowdsecservice.sittax.com.br\`)\"
        - \"traefik.http.routers.crowdsec-api.entrypoints=websecure\"
        - \"traefik.http.routers.crowdsec-api.tls.certresolver=leresolver\"
        - \"traefik.http.services.crowdsec-api.loadbalancer.server.port=8080\"
        - \"traefik.http.routers.crowdsec-api.middlewares=traefik-auth\"

volumes:
  traefik-logs:
  crowdsec-config:
  crowdsec-data:

networks:
  $NET_CONFIG
EOF
"

  echo -e "${YELLOW}Iniciando Traefik e CrowdSec ($TRAEFIK_STACK)...${NC}"
  cd traefik && $SUDO docker stack deploy -c docker-compose.yml $TRAEFIK_STACK && cd ..
fi

# ==========================================
# PORTAINER
# ==========================================
if [[ "$USE_PORTAINER" =~ ^[SsYy]$ ]]; then
  echo -e "\n${YELLOW}--- Configuração Portainer ---${NC}"
  read -p "Nome da Stack para Portainer [default: portainer]: " PORTAINER_STACK </dev/tty
  if [ -z "$PORTAINER_STACK" ]; then PORTAINER_STACK="portainer"; fi

  read -p "Domínio para o Portainer [default: portainerservice.sittax.com.br]: " PORTAINER_HOST </dev/tty
  if [ -z "$PORTAINER_HOST" ]; then PORTAINER_HOST="portainerservice.sittax.com.br"; fi

  $SUDO bash -c "cat << EOF | tee portainer/docker-compose.yml > /dev/null
services:
  portainer:
    image: portainer/portainer-ce:latest
    command: -H unix:///var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    networks:
      - ${APP_NETWORK}
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
      resources:
        limits:
          memory: 1G
      labels:
      - \"traefik.enable=true\"
      - \"traefik.http.routers.portainer.rule=Host(\`${PORTAINER_HOST}\`)\"
      - \"traefik.http.routers.portainer.entrypoints=websecure\"
      - \"traefik.http.services.portainer.loadbalancer.server.port=9000\"
      - \"traefik.http.routers.portainer.service=portainer\"
      - \"traefik.http.routers.portainer.tls.certresolver=leresolver\"
      - \"traefik.http.routers.edge.rule=Host(\`edgeservice.sittax.com.br\`)\"
      - \"traefik.http.routers.edge.entrypoints=websecure\"
      - \"traefik.http.services.edge.loadbalancer.server.port=8000\"
      - \"traefik.http.routers.edge.service=edge\"
      - \"traefik.http.routers.edge.tls.certresolver=leresolver\"

volumes:
  portainer_data:

networks:
  $NET_CONFIG
EOF
"

  echo -e "${YELLOW}Iniciando Portainer ($PORTAINER_STACK)...${NC}"
  cd portainer && $SUDO docker stack deploy -c docker-compose.yml $PORTAINER_STACK && cd ..
fi

# ==========================================
# AZURE DEVOPS AGENT
# ==========================================
if [[ "$USE_AZURE" =~ ^[SsYy]$ ]]; then
  echo -e "\n${YELLOW}--- Configuração Azure DevOps Agent ---${NC}"
  read -p "URL da Organização [default: https://dev.azure.com/Sittax/]: " AZ_URL </dev/tty
  if [ -z "$AZ_URL" ]; then AZ_URL="https://dev.azure.com/Sittax/"; fi
  
  read -p "Nome do Projeto [default: Sittax]: " AZ_PROJECT </dev/tty
  if [ -z "$AZ_PROJECT" ]; then AZ_PROJECT="Sittax"; fi
  
  read -p "Nome do Deployment Group [default: ServiceServerProd]: " AZ_GROUP </dev/tty
  if [ -z "$AZ_GROUP" ]; then AZ_GROUP="ServiceServerProd"; fi
  
  read -s -p "Personal Access Token (PAT): " AZ_TOKEN </dev/tty
  echo ""

  AGENT_DIR="$WORK_DIR/azagent"
  $SUDO mkdir -p "$AGENT_DIR"
  cd "$AGENT_DIR"

  echo -e "${YELLOW}Baixando e extraindo Agente VSTS (Versão 4.270.0)...${NC}"
  $SUDO curl -fkSL -o vstsagent.tar.gz https://download.agent.dev.azure.com/agent/4.270.0/vsts-agent-linux-x64-4.270.0.tar.gz
  $SUDO tar -zxvf vstsagent.tar.gz

  echo -e "${YELLOW}Configurando Agente...${NC}"
  if [ -x "$(command -v systemctl)" ]; then
    ./config.sh --deploymentgroup --deploymentgroupname "$AZ_GROUP" --acceptteeeula --agent $HOSTNAME --url "$AZ_URL" --work _work --projectname "$AZ_PROJECT" --auth PAT --token "$AZ_TOKEN" --runasservice
    $SUDO ./svc.sh install
    $SUDO ./svc.sh start
  else
    ./config.sh --deploymentgroup --deploymentgroupname "$AZ_GROUP" --acceptteeeula --agent $HOSTNAME --url "$AZ_URL" --work _work --projectname "$AZ_PROJECT" --auth PAT --token "$AZ_TOKEN"
    ./run.sh &
  fi
  
  cd "$WORK_DIR"
fi

echo -e "\n${GREEN}Deployment finalizado com sucesso!${NC}"
echo "Verifique os serviços ativos com: sudo docker service ls"