#!/bin/bash

set -e

LOGFILE="/tmp/ogcore-installer.log"
exec > >(tee -a "$LOGFILE") 2>&1

log() {
  echo "$1" | tee -a "$LOGFILE"
}

log "Inicio instalación ogcore: $(date)"

# Mediciones iniciales
log "Tamaño inicial del disco:" && df -h /
log "Carga inicial CPU:" && uptime

NFS_SERVER="ognartefactos.evlt.uma.es"
LOCAL_MOUNT="/mnt"

# Montar NFS
if ! mountpoint -q "$LOCAL_MOUNT"; then
  mkdir -p "$LOCAL_MOUNT"
  mount -t nfs "$NFS_SERVER:/" "$LOCAL_MOUNT"
fi

# Cargar variables desde el archivo .env
ENV_FILE="../.env"

if [ ! -f "$ENV_FILE" ]; then
  echo "ERROR: No se encontró el archivo .env"
  exit 1
fi

export $(grep -v '^#' "$ENV_FILE" | xargs)

# Ejemplo de uso
echo "OGLOG se instalará en: $OGLOG_IP"
echo "Base de datos OGCORE en: $OGCORE_IP"

# Validar la contraseña
if [[ ${#OPENSEARCH_INITIAL_ADMIN_PASSWORD} -lt 12 || \
  ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [A-Z] || \
  ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [0-9] || \
  ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [^a-zA-Z0-9] ]]; then
  log "ERROR: La contraseña OPENSEARCH_INITIAL_ADMIN_PASSWORD no cumple los requisitos."
  exit 1
fi

# Actualizar hosts
echo "$OGCORE_IP oglog-jrem.mytld" >> /etc/hosts

# Instalar dependencias
apt-get update
apt-get install -y prometheus-node-exporter systemd-journal-remote

log "Generando certificados para ogcore con subdominio $SUBDOMAIN..."

# Suponemos que el script de generación ya está descargado en /tmp o incluido en la instalación
./mkcerts.sh "$SUBDOMAIN" "$OPENSEARCH_INITIAL_ADMIN_PASSWORD"

# Helper
get_cert_name() {
  echo "oglog-$1.$SUBDOMAIN"
}

# Directorio base
CA_DIR="./CA"
CERT_NAME=$(get_cert_name "server")
# Copiar certificados generados
cp "$CA_DIR/certs/ca.crt.pem" /etc/ssl/certs/
cp "$CA_DIR/certs/$CERT_NAME.crt.pem" /etc/ssl/certs/
cp "$CA_DIR/private/$CERT_NAME.key.nopass.pem" /etc/ssl/private/$CERT_NAME.key.pem
chmod 600 /etc/ssl/private/$CERT_NAME.key.pem

# Copiar contenido de CA_DIR a LOCAL_MOUNT
DEST_DIR="$LOCAL_MOUNT/srv/artefactos/oglog/CA"
mkdir -p "$DEST_DIR"
cp -r "$CA_DIR/"* "$DEST_DIR/"

# Reemplazar certificados en el directorio de filebeat
FILEBEAT_DIR="/opt/opengnsys/ogclone-engine/ogclient/lib/filebeat"

cp "$CA_DIR/certs/ca.crt.pem" "$FILEBEAT_DIR/ca.crt.pem"
cp "$CA_DIR/certs/$CERT_NAME.crt.pem" "$FILEBEAT_DIR/oglog-agent-fb.opengnsys.crt.pem"
cp "$CA_DIR/private/$CERT_NAME.key.nopass.pem" "$FILEBEAT_DIR/oglog-agent-fb.opengnsys.key.pem"

chmod 600 "$FILEBEAT_DIR/oglog-agent-fb.opengnsys.key.pem"
chown -R opengnsys:opengnsys "$FILEBEAT_DIR"

# Configuración journal-upload
sed -i -e '/DynamicUser/s/.*/DynamicUser=no/' \
       -e '/User/s/.*/User=root/' \
       /usr/lib/systemd/system/systemd-journal-upload.service

systemctl daemon-reload

cat >/etc/systemd/journal-upload.conf <<EOF
[Upload]
URL=https://$(get_cert_name jrem):19532
ServerKeyFile=/etc/ssl/private/$CERT_NAME.key.pem
ServerCertificateFile=/etc/ssl/certs/$CERT_NAME.crt.pem
TrustedCertificateFile=/etc/ssl/certs/ca.crt.pem
EOF

# Activar servicio robustamente
reiniciar_servicio() {
  systemctl restart "$1"
  log "Esperando que $1 esté activo..."
  for i in {1..10}; do
    if systemctl is-active --quiet "$1"; then
      log "$1 activo."
      return
    fi
    sleep 2
  done
  log "ERROR: $1 no arrancó correctamente."
  exit 1
}

reiniciar_servicio "systemd-journal-upload"

# Mediciones finales
log "Tamaño final del disco:" && df -h /
log "Carga final CPU:" && uptime

log "Instalación ogcore finalizada: $(date)"