#!/usr/bin/env bash
# setup.sh — Full provisioning of an OVH VPS (Ubuntu 24.04 LTS) for manahote.app
# Run as root over SSH: bash setup.sh
# Prerequisite: be logged in as root with an SSH key (not a password) — step 10
# below disables password authentication and root password login, so a
# password-only session would be locked out.
# Strict mode: abort on any failed command, unset variable or failed pipeline stage.
set -euo pipefail

# ─── Site-specific constants ──────────────────────────────────────────────────
# Marked readonly: nothing below is meant to reassign them, and a typo that did
# would now fail loudly instead of silently changing a path or a DB name.
readonly DOMAIN="www.manahote.app"
readonly ADMIN_EMAIL="ruben@manahote.com"
readonly APP_USER="deploy"
readonly APP_DIR="/var/www/manahote-app"
readonly PHP_VERSION="8.3"
readonly DB_NAME="manahote"
readonly DB_USER="manahote"
# Generated DB credentials are written here (mode 600, root only).
readonly SECRETS_FILE="/root/.deploy-secrets"

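# ─── 1. System update ────────────────────────────────────────────────────────
# Everything that follows writes under /etc and manages services; refuse to run
# unprivileged rather than failing halfway through with a half-configured host.
if [[ "${EUID}" -ne 0 ]]; then
    echo "ERREUR : ce script doit être lancé en root (bash setup.sh)" >&2
    exit 1
fi
echo "==> [1/14] Mise à jour du système"
apt-get update -qq
DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -qq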


# ─── 2. Package installation ─────────────────────────────────────────────────
echo "==> [2/14] Installation des paquets"
# One package per array entry so the list is easy to diff and to extend.
packages=(
    nginx
    "php${PHP_VERSION}-fpm"
    "php${PHP_VERSION}-mysql"
    "php${PHP_VERSION}-mbstring"
    "php${PHP_VERSION}-xml"
    "php${PHP_VERSION}-curl"
    "php${PHP_VERSION}-zip"
    "php${PHP_VERSION}-intl"
    "php${PHP_VERSION}-bcmath"
    mysql-server
    certbot
    python3-certbot-nginx
    fail2ban
    unattended-upgrades
    curl
    ufw
)
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq "${packages[@]}"

# ─── 3. UFW — host firewall ──────────────────────────────────────────────────
echo "==> [3/14] Configuration UFW"
# SSH is allowed before the firewall is enabled so the current session survives.
for ufw_app in OpenSSH 'Nginx Full'; do
    ufw allow "${ufw_app}"
done
ufw --force enable

# ─── 4. fail2ban ─────────────────────────────────────────────────────────────
echo "==> [4/14] Configuration fail2ban"
# Quoted heredoc delimiter: the jail file is written verbatim, no shell expansion.
# Defaults: 1 h ban after 5 failures within 10 min, applied to sshd and to
# nginx basic-auth failures.
cat <<'EOF' > /etc/fail2ban/jail.local
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

[nginx-http-auth]
enabled = true
EOF
systemctl enable --now fail2ban

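# ─── 5. unattended-upgrades ──────────────────────────────────────────────────
echo "==> [5/14] Mises à jour de sécurité automatiques"
UU_CONF="/etc/apt/apt.conf.d/50unattended-upgrades"
# Append the directive only once: re-running the script must not stack
# duplicate lines in a file that belongs to the unattended-upgrades package.
# The anchor skips the package's own commented-out ("//...") version of the line.
if ! grep -q '^Unattended-Upgrade::Automatic-Reboot' "${UU_CONF}"; then
    echo 'Unattended-Upgrade::Automatic-Reboot "false";' >> "${UU_CONF}"
fi
systemctl enable unattended-upgrades --now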

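# ─── 6. PHP-FPM — production settings ────────────────────────────────────────
echo "==> [6/14] Configuration PHP ${PHP_VERSION}-FPM"
PHP_INI="/etc/php/${PHP_VERSION}/fpm/php.ini"
# `^;*` matches each directive whether it is commented out or already set, so
# every directive ends up with the value below (the previous log_errors pattern
# only matched the commented-out form and was a no-op on a stock php.ini).
sed -i 's/^;*display_errors = .*/display_errors = Off/'             "${PHP_INI}"
sed -i 's/^;*log_errors = .*/log_errors = On/'                       "${PHP_INI}"
sed -i 's/^;*upload_max_filesize = .*/upload_max_filesize = 20M/'   "${PHP_INI}"
sed -i 's/^;*post_max_size = .*/post_max_size = 20M/'               "${PHP_INI}"
# php-fpm may already be running (Debian/Ubuntu packages start it on install),
# and `enable --now` does nothing to a running unit: restart explicitly so the
# edited php.ini is actually loaded.
systemctl enable "php${PHP_VERSION}-fpm"
systemctl restart "php${PHP_VERSION}-fpm"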

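# ─── 7. MySQL — database + application user ──────────────────────────────────
echo "==> [7/14] Configuration MySQL"
systemctl enable mysql --now

# Reuse the password saved by a previous run so re-running the script does not
# silently rotate a password that a deployed config.php may already be using.
DB_PASS=""
if [[ -f "${SECRETS_FILE}" ]]; then
    DB_PASS=$(grep '^DB_PASS=' "${SECRETS_FILE}" | tail -n 1 | cut -d= -f2- || true)
fi
if [[ -z "${DB_PASS}" ]]; then
    # 128 bits of entropy as 32 hex chars: no character filtering needed (the
    # base64 | tr -dc approach could yield fewer than the 24 chars it asked for)
    # and no SQL-quoting concerns inside the heredoc below.
    DB_PASS=$(openssl rand -hex 16)
fi

# ALTER USER makes the account idempotent: CREATE USER IF NOT EXISTS alone would
# leave an existing account with whatever password it had before.
mysql <<SQL
CREATE DATABASE IF NOT EXISTS ${DB_NAME}
    CHARACTER SET utf8mb4
    COLLATE utf8mb4_unicode_ci;

CREATE USER IF NOT EXISTS '${DB_USER}'@'localhost'
    IDENTIFIED BY '${DB_PASS}';
ALTER USER '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';

GRANT ALL PRIVILEGES ON ${DB_NAME}.* TO '${DB_USER}'@'localhost';
FLUSH PRIVILEGES;
SQL

# Save the credentials. umask 077 in a subshell creates the file mode 600 from
# the start (touch-then-chmod leaves a short window at the default umask), and
# `>` rewrites it so re-runs do not accumulate stale DB_PASS lines.
(
    umask 077
    cat > "${SECRETS_FILE}" <<EOF
DB_NAME=${DB_NAME}
DB_USER=${DB_USER}
DB_PASS=${DB_PASS}
DOMAIN=${DOMAIN}
EOF
)
chmod 600 "${SECRETS_FILE}"

echo "  Mot de passe DB généré et sauvegardé dans ${SECRETS_FILE}"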

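# ─── 8. Composer ─────────────────────────────────────────────────────────────
echo "==> [8/14] Installation Composer"
# Do not pipe the installer straight into php: download it, compare its SHA-384
# with the checksum Composer publishes, and only execute it when they match.
COMPOSER_SETUP=$(mktemp)
curl -sS -o "${COMPOSER_SETUP}" https://getcomposer.org/installer
EXPECTED_SIG=$(curl -sS https://composer.github.io/installer.sig)
ACTUAL_SIG=$(sha384sum "${COMPOSER_SETUP}" | cut -d' ' -f1)
if [[ "${ACTUAL_SIG}" != "${EXPECTED_SIG}" ]]; then
    echo "  ERREUR : empreinte de l'installeur Composer invalide, installation annulée." >&2
    rm -f -- "${COMPOSER_SETUP}"
    exit 1
fi
php "${COMPOSER_SETUP}" --install-dir=/usr/local/bin --filename=composer --quiet
rm -f -- "${COMPOSER_SETUP}"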

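# ─── 9. deploy user + SSH key ────────────────────────────────────────────────
echo "==> [9/14] Création de l'utilisateur ${APP_USER}"
if ! id "${APP_USER}" &>/dev/null; then
    adduser --disabled-password --gecos "" "${APP_USER}"
fi
usermod -aG www-data "${APP_USER}"

# Seed deploy's authorized_keys from the key that is already letting us in.
# The file header says to run this directly as root over SSH, in which case
# SUDO_USER is unset and the key is in /root/.ssh; on cloud images run through
# sudo it is in /home/<sudo user>/.ssh. Try the sudo user first, then root.
CANDIDATE_KEYS=(
    "/home/${SUDO_USER:-ubuntu}/.ssh/authorized_keys"
    /root/.ssh/authorized_keys
)
AUTHORIZED_KEYS_SRC=""
for candidate in "${CANDIDATE_KEYS[@]}"; do
    # -s: an empty authorized_keys would not let anyone in either.
    if [[ -s "${candidate}" ]]; then
        AUTHORIZED_KEYS_SRC="${candidate}"
        break
    fi
done

APP_SSH_DIR="/home/${APP_USER}/.ssh"
mkdir -p "${APP_SSH_DIR}"
chmod 700 "${APP_SSH_DIR}"

if [[ -n "${AUTHORIZED_KEYS_SRC}" ]]; then
    cp "${AUTHORIZED_KEYS_SRC}" "${APP_SSH_DIR}/authorized_keys"
    chmod 600 "${APP_SSH_DIR}/authorized_keys"
    echo "  Clé SSH copiée depuis ${AUTHORIZED_KEYS_SRC} vers ${APP_USER}"
else
    echo "  AVERTISSEMENT : aucun authorized_keys trouvé dans ${CANDIDATE_KEYS[*]}."
    echo "  Ajouter manuellement une clé publique dans ${APP_SSH_DIR}/authorized_keys"
    echo "  AVANT de continuer pour ne pas vous bloquer hors du serveur."
    read -r -p "  Continuer quand même ? (yes/no) : " confirm
    [[ "${confirm}" = "yes" ]] || exit 1
fi
# Fix ownership on both paths: the directory above was created by root, and with
# StrictModes (sshd's default) a ~/.ssh not owned by the user is rejected, which
# would leave a manually added key unusable.
chown -R "${APP_USER}:${APP_USER}" "${APP_SSH_DIR}"

# Allow deploy to reload php-fpm without a password, and nothing else.
# The fragment is checked with `visudo -cf` before being installed: a syntax
# error in /etc/sudoers.d would otherwise break sudo for every user on the host.
SUDOERS_FRAGMENT=$(mktemp)
echo "${APP_USER} ALL=(root) NOPASSWD: /bin/systemctl reload php${PHP_VERSION}-fpm" \
    > "${SUDOERS_FRAGMENT}"
visudo -cf "${SUDOERS_FRAGMENT}"
install -m 440 -o root -g root "${SUDOERS_FRAGMENT}" /etc/sudoers.d/deploy-php-reload
rm -f -- "${SUDOERS_FRAGMENT}"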

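# ─── 10. SSH hardening (after the deploy key is in place) ────────────────────
echo "==> [10/14] Durcissement SSH"
SSHD_CONF="/etc/ssh/sshd_config"
sed -i 's/^#*PermitRootLogin .*/PermitRootLogin prohibit-password/' "${SSHD_CONF}"
sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/'  "${SSHD_CONF}"
sed -i 's/^#*PubkeyAuthentication .*/PubkeyAuthentication yes/'     "${SSHD_CONF}"
# NOTE(review): Ubuntu's sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`;
# a drop-in there (e.g. from cloud-init) takes precedence over the edits above.
# Confirm the effective values with `sshd -T | grep -i -e passwordauthentication -e permitrootlogin`.
# Validate before reloading: under set -e a rejected config stops the script
# here with the current session still up, instead of reloading into a daemon
# that may refuse new connections.
sshd -t
systemctl reload ssh
echo "  SSH : root password désactivé, clé SSH obligatoire."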

# ─── 11. Application directory ───────────────────────────────────────────────
echo "==> [11/14] Répertoire application"
# `install -d` creates the directory (parents included) and applies owner, group
# and mode in one step — the same result as mkdir -p + chown + chmod.
# App tree: deploy writes, www-data (php-fpm/nginx) reads, others nothing.
install -d -m 750 -o "${APP_USER}" -g www-data "${APP_DIR}"
# Log dir: deploy writes, group readable, world traversable.
install -d -m 755 -o "${APP_USER}" -g www-data /var/log/manahote

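# ─── 12. nginx — vhost ───────────────────────────────────────────────────────
echo "==> [12/14] Configuration nginx"
systemctl enable nginx --now

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
VHOST="/etc/nginx/sites-available/manahote"
# The template ships next to this script; the three placeholders are filled
# from the constants at the top of the file.
cp "${SCRIPT_DIR}/nginx/manahote.conf" "${VHOST}"
sed -i "s|DOMAIN_PLACEHOLDER|${DOMAIN}|g"           "${VHOST}"
sed -i "s|APP_DIR_PLACEHOLDER|${APP_DIR}|g"         "${VHOST}"
sed -i "s|PHP_VERSION_PLACEHOLDER|${PHP_VERSION}|g" "${VHOST}"

ln -sf "${VHOST}" /etc/nginx/sites-enabled/manahote
rm -f /etc/nginx/sites-enabled/default
# Two statements rather than `nginx -t && systemctl reload nginx`: set -e does
# not apply inside an && list, so a rejected vhost would let the script carry
# on to certbot and the summary while nginx kept serving the old config.
nginx -t
systemctl reload nginx

# Let's Encrypt (non-blocking: DNS must already point at this host)
echo "==> Obtention du certificat SSL pour ${DOMAIN}"
if certbot --nginx -d "${DOMAIN}" --non-interactive --agree-tos -m "${ADMIN_EMAIL}"; then
    echo "  SSL OK"
else
    echo "  AVERTISSEMENT : certbot échoué (DNS pas encore propagé ?)."
    echo "  Relancer manuellement après propagation DNS :"
    echo "  certbot --nginx -d ${DOMAIN} --non-interactive --agree-tos -m ${ADMIN_EMAIL}"
fi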

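# ─── 13. logrotate ───────────────────────────────────────────────────────────
echo "==> [13/14] Configuration logrotate"
# Unquoted delimiter so ${APP_USER} expands (the owner was hard-coded as
# "deploy" before, out of sync with the constant at the top). The body contains
# no other `$`, backtick or backslash, so nothing else is expanded.
cat > /etc/logrotate.d/manahote <<EOF
/var/log/manahote/*.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    create 0640 ${APP_USER} www-data
    sharedscripts
    postrotate
        systemctl reload nginx > /dev/null 2>&1 || true
    endscript
}
EOF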

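# ─── 14. Cron ────────────────────────────────────────────────────────────────
echo "==> [14/14] Installation des tâches cron"
# `crontab -` replaces the user's whole crontab, so re-runs stay idempotent.
# Unquoted delimiter: ${APP_DIR} and ${APP_USER} replace the previously
# hard-coded /var/www/manahote-app and /home/deploy; the body has no other
# `$`, backtick or backslash, so nothing else is expanded.
crontab -u "${APP_USER}" - <<EOF
# Synchronisation iCal — toutes les heures
0 * * * * php ${APP_DIR}/www/cron/ics_pull.php >> /var/log/manahote/ics_pull.log 2>&1

# Séquences email automatiques — tous les jours à 8h00
0 8 * * * php ${APP_DIR}/www/cron/email_sequences.php >> /var/log/manahote/email_sequences.log 2>&1

# Sauvegarde base de données — tous les jours à 3h00
0 3 * * * /home/${APP_USER}/backup-db.sh >> /var/log/manahote/backup.log 2>&1
EOF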

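# ─── Summary ─────────────────────────────────────────────────────────────────
# The DB password is deliberately not echoed: terminal scrollback, session
# recordings and any log capturing this run would otherwise retain it. It is
# in ${SECRETS_FILE} (root, mode 600).
echo ""
echo "════════════════════════════════════════════════════════"
echo " Setup terminé — ${DOMAIN}"
echo "════════════════════════════════════════════════════════"
echo ""
echo " Credentials DB (dans ${SECRETS_FILE}) :"
echo "   DB_NAME : ${DB_NAME}"
echo "   DB_USER : ${DB_USER}"
echo "   DB_PASS : voir ${SECRETS_FILE} (non affiché)"
echo ""
echo " Prochaines étapes :"
echo "   1. Renseigner VPS_HOST dans infra/deploy.sh"
echo "   2. Renseigner config/config.php (Stripe live, Brevo, DB_PASS depuis ${SECRETS_FILE})"
echo "   3. bash infra/deploy.sh  (depuis la machine locale)"
echo "   4. ssh ${APP_USER}@${DOMAIN} 'cd ${APP_DIR} && php vendor/bin/phinx migrate -c phinx.php'"
echo "   5. Copier infra/backup-db.sh dans /home/${APP_USER}/ et renseigner les variables"
echo ""
echo " Vérifications :"
echo "   curl -I https://${DOMAIN}           # doit retourner 200 ou 302"
echo "   ufw status                          # 22, 80, 443 ouverts"
echo "   crontab -u ${APP_USER} -l                # 3 entrées"
echo "════════════════════════════════════════════════════════"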
