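#!/bin/bash
# One-time server setup. Run as root on a fresh server.
# Creates padelnomics_service user, installs system dependencies,
# and registers systemd services that run as that user.
#
# Usage:
#   sudo bash infra/setup_server.sh
#
# Optional environment:
#   RCLONE_INSTALL_SHA256  Expected SHA-256 of the rclone install script.
#                          When set, the downloaded installer is verified
#                          against it before it is executed as root.
#
# Security notes:
#   - The service user is added to the docker group. Access to the Docker
#     daemon is effectively root on the host, so treat this account (and its
#     deploy key) as privileged.
#   - The deploy key is generated without a passphrase so unattended pulls
#     work; register it read-only, as the "Next steps" output says.

set -euo pipefail

APP_DIR="/opt/padelnomics"
SERVICE_USER="padelnomics_service"
SERVICE_HOME="/home/${SERVICE_USER}"
KEY_PATH="${SERVICE_HOME}/.ssh/padelnomics_deploy"

# Ensure running as root
if [ "$(id -u)" -ne 0 ]; then
  echo "Error: must run as root (use sudo)" >&2
  exit 1
fi

# Create service user if not present. nologin shell: the account is only
# ever entered through `sudo -u`, never through an interactive login.
if ! id "$SERVICE_USER" &>/dev/null; then
  useradd --system --create-home --shell /usr/sbin/nologin "$SERVICE_USER"
  echo "Created user $SERVICE_USER"
else
  echo "User $SERVICE_USER already exists, skipping"
fi

# Add service user to docker group (needed for deploy.sh).
# Docker group membership is root-equivalent on this host.
usermod -aG docker "$SERVICE_USER"
echo "Added $SERVICE_USER to docker group"

# Create app directory owned by service user
mkdir -p "$APP_DIR"
if [ "$(stat -c '%U' "$APP_DIR")" != "$SERVICE_USER" ]; then
  chown "$SERVICE_USER:$SERVICE_USER" "$APP_DIR"
fi
echo "Created $APP_DIR"

# Generate deploy key as service user if not present
if [ ! -f "$KEY_PATH" ]; then
  # Create ~/.ssh already restricted so it is never briefly world-readable.
  sudo -u "$SERVICE_USER" mkdir -p -m 700 "${SERVICE_HOME}/.ssh"
  sudo -u "$SERVICE_USER" ssh-keygen -t ed25519 -f "$KEY_PATH" -N "" -C "padelnomics-server"
  chmod 700 "${SERVICE_HOME}/.ssh"
  chmod 600 "$KEY_PATH"
  chmod 644 "${KEY_PATH}.pub"

  # Configure SSH to use this key for gitlab.com
  if ! grep -q "# padelnomics" "${SERVICE_HOME}/.ssh/config" 2>/dev/null; then
    # NOTE(review): the original here-document body was lost when this page
    # was extracted. The stanza below is a minimal reconstruction from the
    # comment above and the "# padelnomics" marker the grep looks for;
    # confirm it against the repository copy before use.
    sudo -u "$SERVICE_USER" tee -a "${SERVICE_HOME}/.ssh/config" > /dev/null <<EOF
# padelnomics
Host gitlab.com
  IdentityFile ${KEY_PATH}
EOF
    # Keep the client config private to the service user.
    chmod 600 "${SERVICE_HOME}/.ssh/config"
  fi
fi

# Install rclone if not present.
# NOTE(review): the condition on the next line is reconstructed (the original
# test was lost in extraction); it matches the "already installed" branch.
if ! command -v rclone &>/dev/null; then
  echo "Installing rclone..."
  # Download to a file first instead of piping curl straight into a root
  # shell: a truncated or failed transfer is then never partially executed,
  # and the script can be verified before it runs.
  installer="$(mktemp)"
  trap 'rm -f -- "$installer"' EXIT
  curl -fsSL --proto '=https' --tlsv1.2 -o "$installer" https://rclone.org/install.sh
  if [ -n "${RCLONE_INSTALL_SHA256:-}" ]; then
    # sha256sum -c exits non-zero on mismatch, which aborts under set -e.
    printf '%s  %s\n' "$RCLONE_INSTALL_SHA256" "$installer" | sha256sum -c -
  else
    echo "Warning: RCLONE_INSTALL_SHA256 not set; running unverified installer from rclone.org" >&2
  fi
  bash "$installer"
  rm -f -- "$installer"
  trap - EXIT
  echo "Installed rclone $(rclone --version | head -1)"
else
  echo "rclone already installed, skipping"
fi

# Create data directories owned by service user
mkdir -p /data/padelnomics/landing
if [ "$(stat -c '%U' /data/padelnomics)" != "$SERVICE_USER" ]; then
  chown -R "$SERVICE_USER:$SERVICE_USER" /data/padelnomics
fi
echo "Created /data/padelnomics/landing"

# Install and enable systemd services.
# The unit files come from $APP_DIR, which is owned by $SERVICE_USER: whatever
# that account can write there becomes a root-installed unit. Install them
# root-owned and non-writable, and review them before running this script.
# NOTE(review): "Next steps" below clones the repo into $APP_DIR only after
# this script has run, so on a truly fresh server these files would not exist
# yet and the script stops here under set -e. Confirm the intended order.
install -m 0644 -o root -g root \
  "$APP_DIR/infra/landing-backup/padelnomics-landing-backup.service" /etc/systemd/system/
install -m 0644 -o root -g root \
  "$APP_DIR/infra/landing-backup/padelnomics-landing-backup.timer" /etc/systemd/system/
install -m 0644 -o root -g root \
  "$APP_DIR/infra/supervisor/padelnomics-supervisor.service" /etc/systemd/system/
systemctl daemon-reload

systemctl enable --now padelnomics-landing-backup.timer
echo "Enabled landing backup timer (every 30 min)"

systemctl enable --now padelnomics-supervisor.service
echo "Enabled supervisor service"

echo ""
echo "=== Next steps ==="
echo "1. Add this deploy key to GitLab (Settings → Repository → Deploy Keys, read-only):"
echo ""
cat "${KEY_PATH}.pub"
echo ""
echo "2. Clone the repo as $SERVICE_USER:"
echo " sudo -u $SERVICE_USER git clone git@gitlab.com:deemanone/padelnomics.git $APP_DIR"
echo ""
echo "3. Deploy (first run generates server age keypair — follow the printed instructions):"
echo " sudo -u $SERVICE_USER bash $APP_DIR/deploy.sh"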