#!/usr/bin/env bash
# ════════════════════════════════════════════════════════════════════════════
# IDros bootstrap — instala IDros do zero num Rock virgem (ou VM Ubuntu)
# ════════════════════════════════════════════════════════════════════════════
#
# Fluxo:
#   1. Instala tailscale + conecta no Headscale (vira device da tailnet)
#   2. Baixa IDros tarball do artifact server VIA TAILNET
#   3. Extrai em /opt/idros + cria venv + instala deps Python
#   4. Cria manifest.json com identidade do robô
#   5. Configura systemd → IDros sobe automático no boot
#
# USO (no Rock virgem com Ubuntu/Debian + acesso root):
#   curl -fsSL https://bootstrap.idtrack.net | sudo bash -s -- \
#       --authkey="<pre-auth key do headscale>" \
#       --robot-id="robo-001" \
#       --hostname="hospital-recepcao-1" \
#       --robot-type="reeman_t5"
#
# Args opcionais:
#   --idros-version=<version>   pin de versão (default: latest)
#   --tenant-id=<uuid>          tenant Cortex (default: prod)
#   --headscale-url=<url>       servidor Headscale (default: nosso)
#   --artifact-server=<url>     URL do artifact server (default: http://100.64.0.1:8080)
#
# Pre-req:
#   - Pre-auth key gerada antes:
#     ssh deploy@droplet 'cd /opt/idtrack && bash infra/scripts/headscale.sh \
#       preauthkeys create --user idtrack --reusable --expiration 8760h'

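set -euo pipefail

# ─── Helpers ────────────────────────────────────────────────────────────────

# Print "ERRO: <msg>" to stderr and abort with status 1.
die() {
  printf 'ERRO: %s\n' "$*" >&2
  exit 1
}

# Fail clearly when a "--flag value" form is missing its value (without this,
# `set -u` reports an opaque "unbound variable" error).
require_value() {
  [[ $# -ge 2 ]] || die "opção $1 requer um valor"
}

# Accept only identifier-safe tokens. These values are interpolated without
# escaping into a tailscale hostname, a URL path and the manifest JSON, so a
# stray quote or slash would corrupt the manifest or the download path.
is_safe_ident() {
  [[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]
}

# ─── Defaults ───────────────────────────────────────────────────────────────
# Every default can be overridden by the flag of the same name (see header).
HEADSCALE_URL="https://headscale.idtrack.net"
# Plain HTTP is acceptable only because 100.64.0.1 is reached through the
# WireGuard tunnel. Note that the sha256 in latest.json comes from the same
# server over the same channel, so it detects corruption, not a compromised
# artifact server.
ARTIFACT_SERVER="http://100.64.0.1:8080"
TENANT_ID="2d97f2e4-8955-4970-a29a-20054611be49"
# NOTE(review): MQTT on 1883 to a public address is plaintext at the transport
# layer; whether the IDros app layer authenticates/encrypts is not visible here.
MQTT_HOST="157.245.133.96"
MQTT_PORT="1883"
IDROS_VERSION="latest"
ROBOT_TYPE=""
ROBOT_ID=""
HOSTNAME_OVERRIDE=""
TS_AUTHKEY=""
# Operator-supplied tarball digest (--sha256=<64 hex>). Only latest.json
# carries a digest, so this is the only way a pinned --idros-version install
# gets an integrity check. When given it takes precedence over the server value.
SHA256_OVERRIDE=""

readonly INSTALL_DIR="/opt/idros"
readonly MANIFEST_PATH="${INSTALL_DIR}/manifest.json"

# ─── Parse args ─────────────────────────────────────────────────────────────
# Both "--flag=value" and "--flag value" forms are accepted for every option.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --authkey=*)         TS_AUTHKEY="${1#*=}"; shift ;;
    --authkey)           require_value "$@"; TS_AUTHKEY="$2"; shift 2 ;;
    --robot-id=*)        ROBOT_ID="${1#*=}"; shift ;;
    --robot-id)          require_value "$@"; ROBOT_ID="$2"; shift 2 ;;
    --hostname=*)        HOSTNAME_OVERRIDE="${1#*=}"; shift ;;
    --hostname)          require_value "$@"; HOSTNAME_OVERRIDE="$2"; shift 2 ;;
    --robot-type=*)      ROBOT_TYPE="${1#*=}"; shift ;;
    --robot-type)        require_value "$@"; ROBOT_TYPE="$2"; shift 2 ;;
    --idros-version=*)   IDROS_VERSION="${1#*=}"; shift ;;
    --idros-version)     require_value "$@"; IDROS_VERSION="$2"; shift 2 ;;
    --tenant-id=*)       TENANT_ID="${1#*=}"; shift ;;
    --tenant-id)         require_value "$@"; TENANT_ID="$2"; shift 2 ;;
    --headscale-url=*)   HEADSCALE_URL="${1#*=}"; shift ;;
    --headscale-url)     require_value "$@"; HEADSCALE_URL="$2"; shift 2 ;;
    --artifact-server=*) ARTIFACT_SERVER="${1#*=}"; shift ;;
    --artifact-server)   require_value "$@"; ARTIFACT_SERVER="$2"; shift 2 ;;
    --sha256=*)          SHA256_OVERRIDE="${1#*=}"; shift ;;
    --sha256)            require_value "$@"; SHA256_OVERRIDE="$2"; shift 2 ;;
    -h|--help)
      # The header block is only reachable when the script runs from a file;
      # under "curl | bash -s" $0 is the interpreter name, not a path.
      if [[ -f "$0" ]]; then
        sed -n '/^# USO/,/^# Pre-req/p' "$0"
      else
        printf 'Uso: veja o cabeçalho do script bootstrap.\n'
      fi
      exit 0 ;;
    *)
      # printf rather than echo: the argument is arbitrary user input.
      printf 'Arg desconhecido: %s\n' "$1" >&2
      exit 1 ;;
  esac
done

# ─── Validação ──────────────────────────────────────────────────────────────
[[ $EUID -eq 0 ]]        || die "precisa rodar como root (sudo)."
[[ -n "${TS_AUTHKEY}" ]] || die "--authkey obrigatório. Gere via headscale.sh preauthkeys create."
[[ -n "${ROBOT_ID}" ]]   || die "--robot-id obrigatório (ex: robo-001)."
[[ -n "${ROBOT_TYPE}" ]] || die "--robot-type obrigatório (fake | reeman_t5)."
HOSTNAME_OVERRIDE="${HOSTNAME_OVERRIDE:-${ROBOT_ID}}"

# Everything that lands in the manifest JSON or in the tailscale hostname must
# be a plain token (see is_safe_ident).
is_safe_ident "${ROBOT_ID}"          || die "--robot-id contém caracteres inválidos (use letras, dígitos, . _ -)."
is_safe_ident "${HOSTNAME_OVERRIDE}" || die "--hostname contém caracteres inválidos (use letras, dígitos, . _ -)."
is_safe_ident "${ROBOT_TYPE}"        || die "--robot-type contém caracteres inválidos (use letras, dígitos, . _ -)."
is_safe_ident "${TENANT_ID}"         || die "--tenant-id contém caracteres inválidos (use letras, dígitos, . _ -)."

echo "═══════════════════════════════════════════════════════════════════"
echo "IDros bootstrap"
echo "═══════════════════════════════════════════════════════════════════"
echo "  Robot ID:        ${ROBOT_ID}"
echo "  Hostname:        ${HOSTNAME_OVERRIDE}"
echo "  Robot type:      ${ROBOT_TYPE}"
echo "  IDros version:   ${IDROS_VERSION}"
echo "  Tenant:          ${TENANT_ID}"
echo "  Headscale:       ${HEADSCALE_URL}"
echo "  Artifact server: ${ARTIFACT_SERVER}"
echo "  Install dir:     ${INSTALL_DIR}"
echo "═══════════════════════════════════════════════════════════════════"
echo ""

# Private scratch directory (0700, unpredictable name) instead of a fixed
# /tmp path; removed on every exit path, including failures.
TMP_DIR=$(mktemp -d) || die "mktemp falhou"
cleanup() { rm -rf -- "${TMP_DIR:?}"; }
trap cleanup EXIT

# ─── 1. Install system deps ─────────────────────────────────────────────────
echo "→ [1/8] Instalando dependências de sistema (apt)..."
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq
apt-get install -y -qq \
  python3 python3-venv python3-pip \
  curl ca-certificates jq \
  > /dev/null
echo "✓ deps instaladas"

# ─── 2. Install tailscale (skipped when already present) ────────────────────
echo ""
echo "→ [2/8] Instalando tailscale client..."
if ! command -v tailscale &> /dev/null; then
  # NOTE(review): repo URLs are pinned to Ubuntu jammy; confirm this matches
  # the target image before running on another release.
  curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg \
    -o /usr/share/keyrings/tailscale-archive-keyring.gpg
  curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.tailscale-keyring.list \
    -o /etc/apt/sources.list.d/tailscale.list
  apt-get update -qq
  apt-get install -y -qq tailscale > /dev/null
  echo "✓ tailscale instalado: $(tailscale version | head -1)"
else
  echo "✓ tailscale já instalado: $(tailscale version | head -1)"
fi
systemctl enable --now tailscaled

# ─── 3. Join the tailnet ────────────────────────────────────────────────────
echo ""
echo "→ [3/8] Conectando na tailnet IDtrack como '${HOSTNAME_OVERRIDE}'..."
# The pre-auth key is passed on argv and is therefore visible in the process
# list for the duration of this call (it already appears on the command line
# that launched this script). Keep the key reusable-but-expiring as the
# header recommends so exposure has a bounded lifetime.
tailscale up \
  --login-server="${HEADSCALE_URL}" \
  --authkey="${TS_AUTHKEY}" \
  --hostname="${HOSTNAME_OVERRIDE}" \
  --accept-routes=false \
  --reset

TS_IP=$(tailscale ip -4)
echo "✓ Tailnet IP: ${TS_IP}"

# ─── 4. Download the IDros tarball over the tailnet ─────────────────────────
echo ""
echo "→ [4/8] Baixando IDros via tailnet..."

# Resolve version (latest or pinned). `// empty` turns a missing key into ""
# instead of the literal string "null".
if [[ "${IDROS_VERSION}" == "latest" ]]; then
  LATEST_JSON=$(curl -fsSL "${ARTIFACT_SERVER}/idros/latest.json")
  IDROS_VERSION=$(jq -r '.current_version // empty' <<<"${LATEST_JSON}")
  TARBALL_URL=$(jq -r '.tarball_url // empty' <<<"${LATEST_JSON}")
  SERVER_SHA=$(jq -r '.sha256 // empty' <<<"${LATEST_JSON}")
  [[ -n "${IDROS_VERSION}" && -n "${TARBALL_URL}" ]] \
    || die "latest.json inválido: faltam current_version/tarball_url"
else
  TARBALL_URL="${ARTIFACT_SERVER}/idros/idros-${IDROS_VERSION}.tar.gz"
  SERVER_SHA=""
fi
# The version token becomes part of a filesystem path and of the final report;
# it is server-supplied in the "latest" case, so reject anything unusual.
[[ "${IDROS_VERSION}" =~ ^[A-Za-z0-9][A-Za-z0-9._+-]*$ ]] \
  || die "versão IDros inválida: ${IDROS_VERSION}"
# NOTE(review): tarball_url from latest.json is followed as-is; whether it is
# guaranteed to point back at the artifact server is not visible here.
EXPECTED_SHA="${SHA256_OVERRIDE:-${SERVER_SHA}}"
echo "  Versão: ${IDROS_VERSION}"
echo "  URL:    ${TARBALL_URL}"

TMP_TARBALL="${TMP_DIR}/idros-${IDROS_VERSION}.tar.gz"
curl -fsSL "${TARBALL_URL}" -o "${TMP_TARBALL}"

# Verify sha256 when a digest is known; otherwise say so loudly instead of
# proceeding silently (pinned installs without --sha256 land here).
if [[ -n "${EXPECTED_SHA}" ]]; then
  [[ "${EXPECTED_SHA}" =~ ^[0-9a-fA-F]{64}$ ]] \
    || die "sha256 esperado inválido (precisa de 64 dígitos hex): ${EXPECTED_SHA}"
  GOT_SHA=$(sha256sum -- "${TMP_TARBALL}" | awk '{print $1}')
  # Case-insensitive compare: operators may paste an upper-case digest.
  if [[ "${GOT_SHA,,}" != "${EXPECTED_SHA,,}" ]]; then
    echo "ERRO: sha256 mismatch" >&2
    echo "  Esperado: ${EXPECTED_SHA}" >&2
    echo "  Recebido: ${GOT_SHA}" >&2
    exit 1
  fi
  echo "✓ sha256 OK"
else
  echo "⚠ sem sha256 conhecido para ${IDROS_VERSION} — integridade do tarball NÃO verificada (passe --sha256=<hex>)." >&2
fi

# ─── 5. Extract into /opt/idros ─────────────────────────────────────────────
echo "→ [5/8] Extraindo em ${INSTALL_DIR}..."
mkdir -p "${INSTALL_DIR}"
tar -xzf "${TMP_TARBALL}" -C "${INSTALL_DIR}"
rm -f -- "${TMP_TARBALL}"   # the EXIT trap also covers this on failure paths
echo "✓ extraído"

# ─── 6. Create venv + install Python deps ───────────────────────────────────
echo ""
echo "→ [6/8] Criando venv Python + instalando deps..."
python3 -m venv "${INSTALL_DIR}/.venv"
"${INSTALL_DIR}/.venv/bin/pip" install -q --upgrade pip
"${INSTALL_DIR}/.venv/bin/pip" install -q \
  -r "${INSTALL_DIR}/apps/ros/requirements.txt" \
  -e "${INSTALL_DIR}/python-libs/capability-sdk"
echo "✓ venv pronto: ${INSTALL_DIR}/.venv"

# ─── 7. Create manifest.json (only if absent) ───────────────────────────────
echo ""
echo "→ [7/8] Configurando manifest..."
if [[ -f "${MANIFEST_PATH}" ]]; then
  echo "✓ manifest já existe em ${MANIFEST_PATH} (preservado — não sobrescrevo)"
else
  # Interpolated values were validated by is_safe_ident above, so no JSON
  # escaping is needed here. MQTT_PORT is a numeric literal, hence unquoted.
  cat > "${MANIFEST_PATH}" <<EOF
{
  "robot": {
    "id": "${ROBOT_ID}",
    "name": "${HOSTNAME_OVERRIDE}",
    "type": "${ROBOT_TYPE}",
    "cortex_id": null
  },
  "cortex": {
    "mqtt_host": "${MQTT_HOST}",
    "mqtt_port": ${MQTT_PORT},
    "tenant_id": "${TENANT_ID}"
  },
  "os": {
    "telemetry_api_port": 8099,
    "heartbeat_interval": 30,
    "pose_interval": 2
  },
  "capabilities": [],
  "meeting_points": [],
  "safety": {
    "battery_minimum": 15,
    "connectivity_timeout": 120,
    "emergency_button_inverted": true
  },
  "timeouts": {
    "zone_navigation": 180,
    "zone_scan": 300,
    "return_to_base": 240
  },
  "hardware": {
    "connection_type": "http",
    "api_url": "",
    "charge_flag_docked": 2,
    "charge_flag_docking": 8,
    "map_to_location": {},
    "discovered_maps": [],
    "rfid_reader": null
  }
}
EOF
  echo "✓ manifest criado em ${MANIFEST_PATH}"
fi

# Identity directory (must survive restarts)
mkdir -p "${INSTALL_DIR}/identity"

# ─── 8. Install the systemd unit ────────────────────────────────────────────
echo ""
echo "→ [8/8] Configurando systemd..."

# Dedicated unprivileged service account, created once.
if ! id -u idros &> /dev/null; then
  useradd --system --no-create-home --shell /usr/sbin/nologin idros
fi
chown -R idros:idros "${INSTALL_DIR}"

# The unit file ships inside the tarball under apps/ros/.
install -m 644 "${INSTALL_DIR}/apps/ros/systemd/idros.service" /etc/systemd/system/idros.service

systemctl daemon-reload
systemctl enable idros.service
systemctl restart idros.service

# Give the service ~3s to come up, then verify it is active.
sleep 3
if systemctl is-active --quiet idros.service; then
  echo "✓ idros.service rodando (PID $(systemctl show idros -p MainPID --value))"
else
  echo "⚠ idros.service não subiu — logs:"
  journalctl -u idros --no-pager -n 30
  exit 1
fi

# ─── Done ───────────────────────────────────────────────────────────────────
echo ""
echo "═══════════════════════════════════════════════════════════════════"
echo "✓ IDros instalado e rodando"
echo "═══════════════════════════════════════════════════════════════════"
echo ""
echo "Tailnet IP:    ${TS_IP}"
echo "Robot ID:      ${ROBOT_ID}"
echo "IDros version: ${IDROS_VERSION}"
echo "Logs:          sudo journalctl -u idros -f"
echo "Status:        sudo systemctl status idros"
echo "Manifest:      ${MANIFEST_PATH}"
echo ""
echo "O robô deve aparecer no Hub /executors em ~60s (heartbeat inicial)."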
