#!/bin/bash

# Comprobar que las variables de entorno están definidas
if [[ -z "$IP_MAQUINA" || -z "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" ]]; then
  echo "ERROR: Las variables de entorno IP_MAQUINA y OPENSEARCH_INITIAL_ADMIN_PASSWORD deben estar definidas."
  exit 1
fi

# Validar la contraseña cumple con los requisitos
if [[ ${#OPENSEARCH_INITIAL_ADMIN_PASSWORD} -lt 12 ||       ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [A-Z] ||       ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [0-9] ||       ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [^a-zA-Z0-9] ]]; then
  echo "ERROR: La contraseña OPENSEARCH_INITIAL_ADMIN_PASSWORD no cumple con los requisitos:"
  echo "- Mínimo 12 caracteres."
  echo "- Al menos una mayúscula, un número y un carácter especial."
  exit 1
fi

# Actualizar /etc/hosts con los nombres de dominio
cat >>/etc/hosts <<EOF
$IP_MAQUINA oglog-os.mytld
$IP_MAQUINA oglog-osdb.mytld
$IP_MAQUINA oglog-jb.mytld
$IP_MAQUINA oglog-jrem.mytld
$IP_MAQUINA oglog-prom.mytld
$IP_MAQUINA oglog-graf.mytld
EOF

# Instalar dependencias iniciales
apt-get update
apt-get -y install     ca-certificates     gnupg2     lsb-release     systemd-journal-remote

# Ejecutar el script mkcerts.sh
bash ./mkcerts.sh

# Configuración de certificados SSL en el sistema
cp CA/certs/ca.crt.pem /etc/ssl/certs/
ln -s /etc/ssl/certs/ca.crt.pem /etc/ssl/certs/"$(openssl x509 -in /etc/ssl/certs/ca.crt.pem -hash -noout).0"

# Configurar repositorios y llaves para OpenSearch
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" > /etc/apt/sources.list.d/opensearch-2.x.list
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" > /etc/apt/sources.list.d/opensearch-dashboards-2.x.list
apt-get update
apt-get install -y opensearch opensearch-dashboards

# Configurar OpenSearch con los certificados y la IP
cp CA/certs/ca.crt.pem /etc/opensearch/
cp CA/certs/oglog-os.mytld.crt.pem /etc/opensearch/
cp CA/private/oglog-os.mytld.key.nopass.pem /etc/opensearch/oglog-os.mytld.key.pem
chown opensearch:opensearch /etc/opensearch/{ca.crt.pem,oglog-os.mytld.crt.pem,oglog-os.mytld.key.pem}

cp CA/certs/oglog-osdb.mytld.crt.pem /etc/opensearch-dashboards/
cp CA/private/oglog-osdb.mytld.key.nopass.pem /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
chown opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem /etc/opensearch-dashboards/oglog-osdb.key.pem

sed -i -e '/^plugins.security.ssl.http.pemcert_filepath:/      s/: .*/: oglog-os.mytld.crt.pem/'  /etc/opensearch/opensearch.yml
sed -i -e '/^plugins.security.ssl.http.pemkey_filepath:/       s/: .*/: oglog-os.mytld.key.pem/'  /etc/opensearch/opensearch.yml
sed -i -e '/^plugins.security.ssl.http.pemtrustedcas_filepath:/s/: .*/: ca.crt.pem/'              /etc/opensearch/opensearch.yml
sed -i -e '/^#network.host/                                    s/.*/network.host: '"$IP_MAQUINA"'/' /etc/opensearch/opensearch.yml

cat >>/etc/opensearch/opensearch.yml <<EOF

discovery.type: single-node
compatibility.override_main_response_version: true
plugins.security.ssl.http.clientauth_mode: REQUIRE
plugins.security.ssl_cert_reload_enabled: true
EOF

# Configurar OpenSearch Dashboards
cp -a /etc/opensearch-dashboards/opensearch_dashboards.yml /etc/opensearch-dashboards/opensearch_dashboards.yml.dist
cat >/etc/opensearch-dashboards/opensearch_dashboards.yml <<EOF
server.host: 0.0.0.0
opensearch.hosts: ["https://oglog-os.mytld:9200"]
opensearch.username: "admin"
opensearch.password: "$OPENSEARCH_INITIAL_ADMIN_PASSWORD"
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
server.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
opensearch.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
opensearch.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: [ "/etc/ssl/certs/ca.crt.pem" ]
opensearch.ssl.alwaysPresentCertificate: true
EOF

# Habilitar servicios de OpenSearch
systemctl enable --now opensearch.service opensearch-dashboards.service

# Configurar systemd-journal-remote
cp CA/certs/oglog-jrem.mytld.crt.pem /etc/systemd/
cp CA/private/oglog-jrem.mytld.key.nopass.pem /etc/systemd/oglog-jrem.mytld.key.pem
chown systemd-journal-remote:systemd-journal-remote /etc/systemd/oglog-jrem.mytld.crt.pem /etc/systemd/oglog-jrem.mytld.key.pem
install --owner systemd-journal-remote --group systemd-journal-remote --mode 0750 --directory /var/log/journal/remote/
sed -i -e '/ServerKeyFile/        s%.*%ServerKeyFile=/etc/systemd/oglog-jrem.mytld.key.pem%'         /etc/systemd/journal-remote.conf
sed -i -e '/ServerCertificateFile/s%.*%ServerCertificateFile=/etc/systemd/oglog-jrem.mytld.crt.pem%' /etc/systemd/journal-remote.conf
systemctl enable --now systemd-journal-remote.service


# Configurar Prometheus
apt-get install -y prometheus
cp CA/certs/oglog-prom.mytld.crt.pem          /etc/prometheus/
cp CA/private/oglog-prom.mytld.key.nopass.pem /etc/prometheus/oglog-prom.mytld.key.pem
chown prometheus:prometheus /etc/prometheus/oglog-prom.mytld.crt.pem /etc/prometheus/oglog-prom.mytld.key.pem
cat >>/etc/prometheus/prometheus.yml <<EOF
  - job_name: ogserver
    static_configs:
      - targets: ['ogserver.mytld:9100']

  - job_name: ogagent
    static_configs:
      - targets: ['ogagent.mytld:9100']
EOF

cat >/etc/prometheus/web-config.yml <<EOF
tls_server_config:
  cert_file: /etc/prometheus/oglog-prom.mytld.crt.pem
  key_file: /etc/prometheus/oglog-prom.mytld.key.pem
EOF

sed -i -e '/^ARGS/s%"$%--web.config.file=/etc/prometheus/web-config.yml"%' /etc/default/prometheus
systemctl restart prometheus

# Configurar Journalbeat
wget https://artifacts.elastic.co/downloads/beats/journalbeat/journalbeat-oss-7.12.1-amd64.deb -P /tmp/
dpkg -i /tmp/journalbeat-oss-7.12.1-amd64.deb
cp CA/certs/oglog-jb.mytld.crt.pem          /etc/journalbeat/
cp CA/private/oglog-jb.mytld.key.nopass.pem /etc/journalbeat/oglog-jb.mytld.key.pem
cat >/etc/journalbeat/journalbeat.yml <<EOF
journalbeat.inputs:
- paths:
  - "/var/log/journal"
  - "/var/log/journal/remote"
  seek: cursor

setup.template.settings:
  index.number_of_shards: 1

output.elasticsearch:
  hosts: ["oglog-os.mytld:9200"]
  username: "admin"
  password: "$OPENSEARCH_INITIAL_ADMIN_PASSWORD"
  protocol: "https"
  ssl.enabled: true
  ssl.verification_mode: full
  ssl.certificate: "/etc/journalbeat/oglog-jb.mytld.crt.pem"
  ssl.key: "/etc/journalbeat/oglog-jb.mytld.key.pem"

processors:
  - add_docker_metadata: ~

seccomp.enabled: false
EOF

systemctl enable --now journalbeat

# Configurar Grafana
wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor >/etc/apt/keyrings/grafana.gpg
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" >/etc/apt/sources.list.d/grafana.list
apt-get update
apt-get install --yes grafana

cp CA/certs/oglog-graf.mytld.crt.pem               /etc/grafana/
cp CA/private/oglog-graf.mytld.key.nopass.pem      /etc/grafana/oglog-graf.mytld.key.pem
chown grafana:grafana /etc/grafana/oglog-graf.mytld.crt.pem /etc/grafana/oglog-graf.mytld.key.pem

cp -a /etc/grafana/grafana.ini /etc/grafana/grafana.ini.dist
cat >/etc/grafana/grafana.ini <<EOF
[server]
protocol = https
cert_file = /etc/grafana/oglog-graf.mytld.crt.pem
cert_key = /etc/grafana/oglog-graf.mytld.key.pem

[analytics]
reporting_enabled = false
check_for_updates = false
check_for_plugin_updates = false

# Añadido para configurar Prometheus como fuente de datos
[database]
enabled = true
type = sqlite3
path = /var/lib/grafana/grafana.db

[auth]
disable_login_form = false

[datasources]
  [datasources.prometheus]
  name = Prometheus
  type = prometheus
  access = proxy
  url = https://oglog-prom.mytld:9090
  isDefault = true

# Descargar y configurar dashboard
[dashboardProviders]
  [dashboardProviders.default]
  enabled = true
  folder = /etc/grafana/dashboards
  type = file
  options = {}
  dashboard = /etc/grafana/dashboards/405.json
EOF

# Crear directorio y descargar el dashboard
mkdir -p /etc/grafana/dashboards
wget -O /etc/grafana/dashboards/405.json https://grafana.com/api/dashboards/405/revisions/8/download

systemctl enable --now grafana-server