padelnomics/infra/setup_server.sh
Deeman fcf66104cb feat: install sops + age in setup_server.sh
Installs age and sops binaries, generates an age keypair at
/opt/padelnomics/age-key.txt, and prints the public key in next
steps so it can be added to .sops.yaml.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 17:15:22 +01:00


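#!/bin/bash
# One-time server setup: create the app directory and GitLab deploy key,
# install age + sops + rclone, generate this server's age keypair, and
# enable the landing-backup timer and supervisor service.
# Run as root on a fresh server before deploying.
#
# Usage:
#   bash infra/setup_server.sh
#
# Every step is skipped when its artifact already exists, so the script can
# be re-run safely. Diagnostics go to stderr; progress messages to stdout.
set -euo pipefail

readonly APP_DIR="/opt/padelnomics"
readonly KEY_PATH="$HOME/.ssh/padelnomics_deploy"
readonly AGE_KEY_FILE="$APP_DIR/age-key.txt"
readonly LANDING_DIR="/data/padelnomics/landing"
readonly AGE_VERSION="v1.3.1"
readonly SOPS_VERSION="v3.12.1"

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Scratch directory for downloads; removed on every exit path (including
# failures) so no partially fetched archive is left under a predictable name.
tmpdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

# Map uname -m to the release-asset architecture suffix shared by age and
# sops. Aborts on anything else, even when both tools are already installed
# (same behaviour as before).
detect_arch() {
  local machine
  machine=$(uname -m)
  case "$machine" in
    x86_64) BIN_ARCH="amd64" ;;
    aarch64) BIN_ARCH="arm64" ;;
    *) die "Unsupported architecture: $machine" ;;
  esac
}

# Create the ed25519 deploy key and point ssh at it for gitlab.com.
# Passphrase-less on purpose: it is used unattended by deploy.sh and is meant
# to be registered in GitLab as a read-only deploy key (see next steps).
setup_deploy_key() {
  if [ -f "$KEY_PATH" ]; then
    echo "Deploy key already exists, skipping"
    return 0
  fi
  mkdir -p "$HOME/.ssh"
  chmod 700 "$HOME/.ssh"
  ssh-keygen -t ed25519 -f "$KEY_PATH" -N "" -C "padelnomics-server"
  chmod 600 "$KEY_PATH"
  chmod 644 "$KEY_PATH.pub"
  # The "# padelnomics" marker guards against appending the block twice.
  if ! grep -q "# padelnomics" "$HOME/.ssh/config" 2>/dev/null; then
    cat >> "$HOME/.ssh/config" <<EOF
# padelnomics
Host gitlab.com
  IdentityFile $KEY_PATH
EOF
    chmod 600 "$HOME/.ssh/config"
  fi
  echo "Generated deploy key: $KEY_PATH"
}

# Install the pinned age release into /usr/local/bin.
install_age() {
  if command -v age >/dev/null 2>&1; then
    echo "age already installed, skipping"
    return 0
  fi
  echo "Installing age..."
  local tarball="$tmpdir/age.tar.gz"
  # NOTE(review): the archive is fetched over TLS but not otherwise
  # authenticated (no checksum or signature check) before being unpacked into
  # /usr/local/bin as root; consider verifying it against a known digest.
  curl -fsSL "https://dl.filippo.io/age/${AGE_VERSION}?for=linux/${BIN_ARCH}" -o "$tarball"
  tar -xzf "$tarball" -C /usr/local/bin --strip-components=1 age/age age/age-keygen
  chmod +x /usr/local/bin/age /usr/local/bin/age-keygen
  echo "Installed age $(age --version)"
}

# Install the pinned sops release into /usr/local/bin.
install_sops() {
  if command -v sops >/dev/null 2>&1; then
    echo "sops already installed, skipping"
    return 0
  fi
  echo "Installing sops..."
  local binary="$tmpdir/sops"
  # NOTE(review): same caveat as for age — no integrity check on the download.
  curl -fsSL "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${BIN_ARCH}" -o "$binary"
  # Fetch to scratch first so a failed or truncated download never leaves a
  # broken executable in PATH; install(1) copies and sets the mode atomically.
  install -m 0755 -- "$binary" /usr/local/bin/sops
  echo "Installed sops $(sops --version)"
}

# Generate the server's age identity (used by deploy.sh to decrypt secrets).
generate_age_key() {
  if [ -f "$AGE_KEY_FILE" ]; then
    echo "Age key already exists: $AGE_KEY_FILE"
    return 0
  fi
  # NOTE(review): this file lives inside $APP_DIR, which step 3 of the next
  # steps clones into; git refuses to clone into a non-empty directory, so
  # confirm the intended order (or keep the key outside the checkout).
  # 2>&1: age-keygen reports the new public key on stderr; fold it into the
  # setup log on stdout.
  age-keygen -o "$AGE_KEY_FILE" 2>&1
  chmod 600 "$AGE_KEY_FILE"
  echo "Generated age key: $AGE_KEY_FILE"
}

# Install rclone (landing zone backup to R2) via the upstream installer.
install_rclone() {
  if command -v rclone >/dev/null 2>&1; then
    echo "rclone already installed, skipping"
    return 0
  fi
  echo "Installing rclone..."
  local installer="$tmpdir/rclone-install.sh"
  # NOTE(review): this still runs an unverified remote script as root.
  # Saving it to a file first avoids executing a truncated stream and leaves
  # the script available for inspection, but does not authenticate it.
  curl -fsSL https://rclone.org/install.sh -o "$installer"
  bash "$installer"
  echo "Installed rclone $(rclone version --check | head -1)"
}

# Abort with a readable message when a repo-provided unit file is missing,
# instead of a bare cp error.
require_file() {
  [ -f "$1" ] || die "Missing $1 (is the repo checked out in $APP_DIR?)"
}

# Copy the landing-backup service + timer from the checkout and enable them.
install_landing_backup() {
  local unit_dir="$APP_DIR/infra/landing-backup"
  require_file "$unit_dir/padelnomics-landing-backup.service"
  require_file "$unit_dir/padelnomics-landing-backup.timer"
  cp -- "$unit_dir/padelnomics-landing-backup.service" /etc/systemd/system/
  cp -- "$unit_dir/padelnomics-landing-backup.timer" /etc/systemd/system/
  systemctl daemon-reload
  systemctl enable --now padelnomics-landing-backup.timer
  echo "Enabled landing backup timer (every 30 min)"
}

# Copy the supervisor service from the checkout and enable it.
install_supervisor() {
  local unit="$APP_DIR/infra/supervisor/padelnomics-supervisor.service"
  require_file "$unit"
  cp -- "$unit" /etc/systemd/system/
  systemctl daemon-reload
  systemctl enable --now padelnomics-supervisor.service
  echo "Enabled supervisor service"
}

# Print the manual follow-up steps: register the deploy key, add this
# server's age public key to .sops.yaml, clone, deploy.
print_next_steps() {
  echo ""
  echo "=== Next steps ==="
  echo "1. Add this deploy key to GitLab (Settings → Repository → Deploy Keys, read-only):"
  echo ""
  cat "$KEY_PATH.pub"
  echo ""
  echo "2. Add this server's age public key to .sops.yaml (comma-separated with existing keys):"
  echo ""
  # age-keygen -y derives the public key from the identity file, which is
  # more robust than grepping the "# public key:" comment line.
  age-keygen -y "$AGE_KEY_FILE"
  echo ""
  echo " Then re-encrypt prod secrets: sops updatekeys .env.prod.sops"
  echo ""
  echo "3. Clone the repo:"
  echo " git clone git@gitlab.com:YOUR_USER/padelnomics.git $APP_DIR"
  echo ""
  echo "4. Deploy:"
  echo " cd $APP_DIR && bash deploy.sh"
}

main() {
  detect_arch
  mkdir -p "$APP_DIR"
  echo "Created $APP_DIR"
  setup_deploy_key
  install_age
  install_sops
  generate_age_key
  install_rclone
  mkdir -p "$LANDING_DIR"
  echo "Created $LANDING_DIR"
  install_landing_backup
  install_supervisor
  print_next_steps
}

main "$@"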
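Review bot: The new age key is written to `$APP_DIR/age-key.txt`, but step 3 of the printed next steps still says `git clone … $APP_DIR`, and git will not clone into a non-empty directory; either the key needs a home outside the checkout or the next-steps text needs to reflect that the repo is already present (the unit-file `cp` lines above also presume `$APP_DIR/infra` exists). The age and sops downloads on the `curl -fsSL … -o` lines are pinned by version but not verified by checksum or signature before being placed in `/usr/local/bin`, and the sops binary is written directly to its final path, so a truncated download leaves a broken executable in PATH. A comment such as `# TODO: verify release digest before installing` at each download would at least record the gap. The rclone step runs `curl … | bash` as root, which the existing `# Install rclone` comment could flag explicitly.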