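#!/bin/bash
# Configure Cloudflare Tunnel on VM 100
# Run this script from Proxmox host (root@pve)
#
# Reads CLOUDFLARE_DOMAIN, CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_TUNNEL_TOKEN
# from $PROJECT_ROOT/.env, then either pushes the cloudflared configuration to
# the VM over SSH or prints the equivalent manual steps.
#
# NOTE(review): the copy of this script under review had lost the bodies of
# the SSH-branch here-documents. That branch is rebuilt here from the manual
# steps, which survived intact. The exact original mkdir/useradd commands are
# not visible, so confirm them against the real file.
#
# Security-relevant behaviour:
#   * SSH uses StrictHostKeyChecking=accept-new instead of "no": a first
#     connection still works, but a changed host key is refused, so the tunnel
#     secret is not sent to an impersonated host.
#   * Secrets are streamed over stdin into files that are created 0600 first.
#     They are never passed on a command line (the previous sed substitution
#     exposed the token in the process list and broke on values containing
#     "/" or "&").
#   * The ingress rules publish Grafana, Prometheus, Git and both Proxmox web
#     UIs. This script configures no access policy, so gate those hostnames
#     (for example with Cloudflare Access) before creating DNS records.
#   * noTLSVerify: true turns off origin certificate validation for the
#     Proxmox origins. Traffic between cloudflared and 192.168.1.x:8006 is
#     then encrypted but unauthenticated; prefer a trusted origin certificate.

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"

# Load environment variables.
# The filtered .env is executed as shell code, so the file must be writable
# only by trusted users. The sed filter strips everything after a "#", so a
# value containing "#" would be truncated.
if [ -f "$PROJECT_ROOT/.env" ]; then
  set -a
  # shellcheck disable=SC1090 -- path is computed at run time
  source <(grep -v '^#' "$PROJECT_ROOT/.env" | grep -v '^$' | sed 's/#.*$//' | grep '=')
  set +a
else
  echo "Error: .env file not found at $PROJECT_ROOT/.env" >&2
  exit 1
fi

# Fail early instead of writing a config file with empty fields.
for required_var in CLOUDFLARE_DOMAIN CLOUDFLARE_ACCOUNT_ID CLOUDFLARE_TUNNEL_TOKEN; do
  if [ -z "${!required_var:-}" ]; then
    echo "Error: $required_var is not set in $PROJECT_ROOT/.env" >&2
    exit 1
  fi
done

VMID=100
VM_USER="ubuntu"
VM_IP="192.168.1.60"

# accept-new records an unknown host key on first contact and rejects a key
# that differs from the recorded one.
SSH_OPTS=(-o StrictHostKeyChecking=accept-new)

#######################################
# Print the cloudflared config.yml.
# Arguments: $1 - value for "tunnel:", $2 - base domain
# Outputs:   YAML on stdout
# NOTE(review): the original uses CLOUDFLARE_TUNNEL_TOKEN for "tunnel:".
# cloudflared normally expects the tunnel UUID or name there, so confirm.
#######################################
render_config() {
  local tunnel=$1 domain=$2
  cat <<EOF
tunnel: ${tunnel}
credentials-file: /etc/cloudflared/credentials.json

ingress:
  - hostname: grafana.${domain}
    service: http://192.168.1.82:3000
  - hostname: prometheus.${domain}
    service: http://192.168.1.82:9090
  - hostname: git.${domain}
    service: http://192.168.1.121:3000
  - hostname: proxmox-ml110.${domain}
    service: https://192.168.1.206:8006
    originRequest:
      noTLSVerify: true
  - hostname: proxmox-r630.${domain}
    service: https://192.168.1.49:8006
    originRequest:
      noTLSVerify: true
  - service: http_status:404
EOF
}

#######################################
# Print the cloudflared credentials.json.
# Arguments: $1 - account id, $2 - tunnel secret
# Outputs:   JSON on stdout
# NOTE(review): cloudflared credentials files usually also carry a TunnelID
# field. The original writes only these two keys, so confirm.
#######################################
render_credentials() {
  local account=$1 secret=$2
  cat <<EOF
{
  "AccountTag": "${account}",
  "TunnelSecret": "${secret}"
}
EOF
}

#######################################
# Print the systemd unit for cloudflared (contains no secrets).
#######################################
render_unit() {
  cat <<'EOF'
[Unit]
Description=Cloudflare Tunnel
After=network.target

[Service]
Type=simple
User=cloudflared
ExecStart=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yml run
Restart=on-failure
RestartSec=10s
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
EOF
}

#######################################
# Write stdin to a file on the VM that is created 0600 and owned by
# cloudflared BEFORE any data is written, so the secret is never readable by
# other users (plain tee followed by chmod leaves a short readable window).
# Arguments: $1 - absolute path on the VM (a constant from this script)
#######################################
write_remote_secret_file() {
  local remote_path=$1
  ssh "${SSH_OPTS[@]}" "$VM_USER@$VM_IP" \
    "sudo install -m 600 -o cloudflared -g cloudflared /dev/null '$remote_path' && sudo tee '$remote_path' > /dev/null"
}

echo "========================================="
echo "Cloudflare Tunnel Configuration for VM 100"
echo "========================================="
echo ""

# Check if we can SSH to VM.
# stderr is discarded, so a host-key mismatch also lands in the manual path.
echo "Checking SSH access to VM 100..."
if ssh "${SSH_OPTS[@]}" -o ConnectTimeout=5 "$VM_USER@$VM_IP" "echo 'SSH OK'" 2>/dev/null; then
  echo "✓ SSH access available"
  USE_SSH=true
else
  echo "✗ SSH access not available"
  echo "  You'll need to access VM 100 via Proxmox Console"
  USE_SSH=false
fi

echo ""
echo "Configuration will be prepared for:"
echo "  Domain: $CLOUDFLARE_DOMAIN"
echo "  Account ID: $CLOUDFLARE_ACCOUNT_ID"
echo ""

if [ "$USE_SSH" = true ]; then
  echo "Configuring via SSH..."

  # Create directories and user
  ssh "${SSH_OPTS[@]}" "$VM_USER@$VM_IP" 'bash -se' <<'EOF'
sudo mkdir -p /etc/cloudflared
sudo useradd -r -s /usr/sbin/nologin cloudflared 2>/dev/null || true
sudo chown cloudflared:cloudflared /etc/cloudflared
EOF

  # Create config file (holds the tunnel token, so it is written 0600)
  render_config "$CLOUDFLARE_TUNNEL_TOKEN" "$CLOUDFLARE_DOMAIN" \
    | write_remote_secret_file /etc/cloudflared/config.yml

  # Create credentials file
  render_credentials "$CLOUDFLARE_ACCOUNT_ID" "$CLOUDFLARE_TUNNEL_TOKEN" \
    | write_remote_secret_file /etc/cloudflared/credentials.json

  # Create systemd service
  render_unit \
    | ssh "${SSH_OPTS[@]}" "$VM_USER@$VM_IP" \
        "sudo tee /etc/systemd/system/cloudflared.service > /dev/null"

  # Enable and start service
  ssh "${SSH_OPTS[@]}" "$VM_USER@$VM_IP" 'bash -se' <<'EOF'
sudo systemctl daemon-reload
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
systemctl --no-pager status cloudflared \
  || echo "Warning: cloudflared is not active; check journalctl -u cloudflared" >&2
EOF
else
  echo "Manual configuration steps (run on VM 100):"
  echo ""

  # The printed heredocs use unquoted delimiters, so the VM shell expands the
  # ${CLOUDFLARE_*} references itself. No secret is printed on this console
  # and none is passed to sed on a command line.
  cat <<'MANUAL'
# Load the values first, e.g.: source /path/to/.env
: "${CLOUDFLARE_TUNNEL_TOKEN:?}" "${CLOUDFLARE_DOMAIN:?}" "${CLOUDFLARE_ACCOUNT_ID:?}"

# Create directories and user
sudo mkdir -p /etc/cloudflared
sudo useradd -r -s /usr/sbin/nologin cloudflared 2>/dev/null || true
sudo chown cloudflared:cloudflared /etc/cloudflared

# Create config file (created 0600 before the token is written)
sudo install -m 600 -o cloudflared -g cloudflared /dev/null /etc/cloudflared/config.yml
sudo tee /etc/cloudflared/config.yml > /dev/null << CONFIGEOF
MANUAL
  # shellcheck disable=SC2016 -- literal ${...} is expanded later on the VM
  render_config '${CLOUDFLARE_TUNNEL_TOKEN}' '${CLOUDFLARE_DOMAIN}'
  cat <<'MANUAL'
CONFIGEOF

# Create credentials file (created 0600 before the secret is written)
sudo install -m 600 -o cloudflared -g cloudflared /dev/null /etc/cloudflared/credentials.json
sudo tee /etc/cloudflared/credentials.json > /dev/null << CREDEOF
MANUAL
  # shellcheck disable=SC2016 -- literal ${...} is expanded later on the VM
  render_credentials '${CLOUDFLARE_ACCOUNT_ID}' '${CLOUDFLARE_TUNNEL_TOKEN}'
  cat <<'MANUAL'
CREDEOF

# Create systemd service
sudo tee /etc/systemd/system/cloudflared.service > /dev/null << 'SERVICEEOF'
MANUAL
  render_unit
  cat <<'MANUAL'
SERVICEEOF

# Enable and start service
sudo systemctl daemon-reload
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
systemctl status cloudflared
MANUAL

  echo ""
  echo "Note: the commands above read CLOUDFLARE_TUNNEL_TOKEN, CLOUDFLARE_DOMAIN, and CLOUDFLARE_ACCOUNT_ID"
  echo "      from the shell environment on the VM, so source the .env file first:"
  echo "  source /path/to/.env"
  echo ""
fi

echo ""
echo "========================================="
echo "Configuration Complete"
echo "========================================="
echo ""
echo "Next steps:"
echo "1. Verify service: systemctl status cloudflared"
echo "2. View logs: journalctl -u cloudflared -f"
echo "3. Configure DNS records in Cloudflare Dashboard"
echo ""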