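#!/usr/bin/env bash
# Reconfigure the Vault cluster containers to use the untagged 192.168.11.0/24
# network on vmbr0 instead of VLAN 160 (10.160.0.x).
#
# Usage: run with no arguments from a host that can ssh as root to the
#        Proxmox nodes.
#
# Optional overrides are read from config/ip-addresses.conf (relative to the
# project root): PROXMOX_HOST_1, PROXMOX_HOST_2, IP_SERVICE_200, IP_SERVICE_202,
# NETWORK_GATEWAY, NETWORK_192_168_11_0, VAULT_NODE_2_IP.
#
# Phases: (1) re-point each container's net0 at its new address, (2) rewrite
# /etc/vault.d/vault.hcl on every node, (3) restart vault, (4) print status.
# A failure in phase 1 aborts the run; the cluster is then in a mixed state and
# the logged "Current network" line shows what each container had before.
set -euo pipefail

# ---------------------------------------------------------------------------
# Load IP configuration
# ---------------------------------------------------------------------------
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
IP_CONF="${PROJECT_ROOT}/config/ip-addresses.conf"
if [[ -r "$IP_CONF" ]]; then
  # 'source' executes the file as shell code, so it must stay writable only by
  # the operator. A file that fails to parse aborts the run (set -e) rather
  # than silently falling back to the defaults below.
  # shellcheck source=/dev/null
  source "$IP_CONF"
else
  printf 'warn: %s not found, using built-in defaults\n' "$IP_CONF" >&2
fi

# ---------------------------------------------------------------------------
# Logging
# ---------------------------------------------------------------------------
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# %b expands the escape sequences in the colour constants; the message itself
# goes through %s so its content is printed verbatim.
log_info()    { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$*"; }
log_success() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$*"; }
log_warn()    { printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "$*" >&2; }
log_error()   { printf '%b[✗]%b %s\n' "$RED" "$NC" "$*" >&2; }
die()         { log_error "$@"; exit 1; }

banner() { printf '%s\n' "═══════════════════════════════════════════════════════════"; }
rule()   { printf '%s\n' "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"; }

# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
PROXMOX_HOST_1="${PROXMOX_HOST_1:-192.168.11.11}"
PROXMOX_HOST_2="${PROXMOX_HOST_2:-192.168.11.12}"
NEW_NETWORK="${NETWORK_192_168_11_0:-192.168.11.0}"
GATEWAY="${NETWORK_GATEWAY:-192.168.11.1}"

# New IP assignments on ${NEW_NETWORK}/24
VAULT_NODE_1_VMID=8640
VAULT_NODE_1_IP="${IP_SERVICE_200:-192.168.11.200}"
VAULT_NODE_2_VMID=8641
# TODO(review): the original expression here was garbled
# ("${IP_SERVICE_21:-...192.168.11.21}5", which appends a literal 5 to whatever
# IP_SERVICE_21 holds). It resolves to 192.168.11.215 when unset; confirm which
# ip-addresses.conf key is meant to feed this node and wire it in here.
VAULT_NODE_2_IP="${VAULT_NODE_2_IP:-192.168.11.215}"
VAULT_NODE_3_VMID=8642
VAULT_NODE_3_IP="${IP_SERVICE_202:-192.168.11.202}"

# One entry per node: VMID|IP|proxmox host|raft node_id. Node 3 lives on host 1.
NODES=(
  "${VAULT_NODE_1_VMID}|${VAULT_NODE_1_IP}|${PROXMOX_HOST_1}|vault-phoenix-1"
  "${VAULT_NODE_2_VMID}|${VAULT_NODE_2_IP}|${PROXMOX_HOST_2}|vault-phoenix-2"
  "${VAULT_NODE_3_VMID}|${VAULT_NODE_3_IP}|${PROXMOX_HOST_1}|vault-phoenix-3"
)

# ---------------------------------------------------------------------------
# Input validation
# ---------------------------------------------------------------------------
#######################################
# Abort unless $2 is a dotted-quad IPv4 address. Addresses are interpolated
# into remote pct/ssh command strings, so a config value that is not an
# address must never reach them.
# Arguments: $1 - label for the error message, $2 - value to check
#######################################
require_ipv4() {
  local label=$1 value=$2
  [[ "$value" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] \
    || die "$label is not an IPv4 address: '$value'"
}

#######################################
# Abort unless $2 is a plain hostname or address usable as an ssh target.
# Arguments: $1 - label for the error message, $2 - value to check
#######################################
require_host() {
  local label=$1 value=$2
  [[ "$value" =~ ^[A-Za-z0-9.-]+$ ]] \
    || die "$label is not a valid host: '$value'"
}

#######################################
# Abort unless $2 is a numeric Proxmox VMID.
# Arguments: $1 - label for the error message, $2 - value to check
#######################################
require_vmid() {
  local label=$1 value=$2
  [[ "$value" =~ ^[0-9]+$ ]] || die "$label is not a numeric VMID: '$value'"
}

# ---------------------------------------------------------------------------
# Per-node operations
# ---------------------------------------------------------------------------
#######################################
# Move one container's net0 onto the new untagged network.
# Globals:   GATEWAY (read)
# Arguments: $1 - VMID, $2 - new IPv4 address, $3 - Proxmox host (ssh target),
#            $4 - display hostname
# Outputs:   progress to stdout, warnings/errors to stderr
# Returns:   0 on success, 1 if the network update or container start fails
#######################################
reconfigure_node() {
  local vmid=$1 new_ip=$2 proxmox_host=$3 hostname=$4
  local current_net actual_ip

  log_info "Reconfiguring Node $vmid ($hostname) to $new_ip..."

  log_info "Stopping container $vmid..."
  ssh "root@${proxmox_host}" "pct stop $vmid" \
    || log_warn "Container may already be stopped"
  sleep 2

  # Log the old net0 line so the previous VLAN/MAC settings can be restored by
  # hand. NOTE: 'pct set --net0' below replaces the whole net0 entry, so any
  # hwaddr/firewall options present in this line are not carried over.
  current_net=$(ssh "root@${proxmox_host}" "pct config $vmid | grep '^net0:'") \
    || current_net='(none)'
  log_info "Current network: $current_net"

  log_info "Updating network configuration..."
  if ! ssh "root@${proxmox_host}" \
      "pct set $vmid --net0 name=eth0,bridge=vmbr0,ip=${new_ip}/24,gw=${GATEWAY}"; then
    log_error "Failed to update network configuration for $vmid"
    return 1
  fi
  log_success "Network configuration updated for $vmid"

  log_info "Starting container $vmid..."
  if ! ssh "root@${proxmox_host}" "pct start $vmid"; then
    log_error "Failed to start container $vmid"
    return 1
  fi
  sleep 5

  # Verify the address came up. head -n1 keeps the comparison single-line if
  # eth0 ever carries more than one IPv4 address. The \$2 is expanded by awk
  # on the Proxmox host, not locally.
  actual_ip=$(ssh "root@${proxmox_host}" \
    "pct exec $vmid -- ip addr show eth0 | grep 'inet ' | awk '{print \$2}' | cut -d/ -f1 | head -n1") \
    || actual_ip=''
  if [[ "$actual_ip" == "$new_ip" ]]; then
    log_success "IP verified: $new_ip"
  else
    log_warn "IP mismatch: expected $new_ip, got '${actual_ip:-<none>}'"
  fi
  return 0
}

#######################################
# Print the vault.hcl for one node to stdout.
# Globals:   VAULT_NODE_{1,2,3}_IP (read) for the retry_join list
# Arguments: $1 - the node's own IP, $2 - raft node_id
# Security notes on the rendered file (unchanged from the previous config):
#   - tls_disable = 1 with the listener bound to 0.0.0.0:8200 means tokens and
#     secrets cross the network in cleartext. Turning TLS on needs certificates
#     this script does not manage, so it is flagged here rather than changed.
#   - disable_mlock = true lets Vault's memory be swapped to disk.
#######################################
render_vault_config() {
  local node_ip=$1 node_id=$2
  cat <<EOF
ui = true
disable_mlock = true

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "${node_ip}:8201"
  tls_disable     = 1
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "${node_id}"
  retry_join {
    leader_api_addr = "http://${VAULT_NODE_1_IP}:8200"
  }
  retry_join {
    leader_api_addr = "http://${VAULT_NODE_2_IP}:8200"
  }
  retry_join {
    leader_api_addr = "http://${VAULT_NODE_3_IP}:8200"
  }
}

api_addr     = "http://${node_ip}:8200"
cluster_addr = "http://${node_ip}:8201"

log_level            = "INFO"
log_file             = "/var/log/vault/vault.log"
log_rotate_duration  = "24h"
log_rotate_max_files = 30
EOF
}

#######################################
# Install the rendered vault.hcl into a container via its Proxmox host.
# Arguments: $1 - Proxmox host, $2 - VMID, $3 - node IP, $4 - raft node_id
# The file content is streamed on stdin instead of through a remote heredoc,
# so nothing in it is re-interpreted by the remote shell. The previous file,
# if any, is kept as /etc/vault.d/vault.hcl.bak.
# Returns:   non-zero if the remote write fails (pipefail)
#######################################
write_vault_config() {
  local proxmox_host=$1 vmid=$2 node_ip=$3 node_id=$4
  render_vault_config "$node_ip" "$node_id" \
    | ssh "root@${proxmox_host}" \
        "pct exec $vmid -- bash -c '[ -f /etc/vault.d/vault.hcl ] && cp -a /etc/vault.d/vault.hcl /etc/vault.d/vault.hcl.bak; cat > /etc/vault.d/vault.hcl'"
}

#######################################
# Restart the vault service inside one container.
# Arguments: $1 - Proxmox host, $2 - VMID, $3 - label for log lines
# Returns:   0 on success, 1 if systemctl reports failure
#######################################
restart_vault() {
  local proxmox_host=$1 vmid=$2 label=$3
  if ssh "root@${proxmox_host}" "pct exec $vmid -- systemctl restart vault"; then
    log_success "$label restarted"
    return 0
  fi
  log_error "$label: vault failed to restart"
  return 1
}

# ---------------------------------------------------------------------------
# Main flow
# ---------------------------------------------------------------------------
main() {
  local entry vmid ip host node_id restart_failures=0

  banner
  echo " Vault Cluster Network Reconfiguration"
  banner
  echo ""
  log_info "Reconfiguring from VLAN 160 (10.160.0.x) to ${NEW_NETWORK}/24"
  echo ""

  # Validate everything that ends up inside a remote command string before
  # touching any container.
  require_host "PROXMOX_HOST_1" "$PROXMOX_HOST_1"
  require_host "PROXMOX_HOST_2" "$PROXMOX_HOST_2"
  require_ipv4 "GATEWAY" "$GATEWAY"
  for entry in "${NODES[@]}"; do
    IFS='|' read -r vmid ip host node_id <<<"$entry"
    require_vmid "VMID of $node_id" "$vmid"
    require_ipv4 "IP of $node_id" "$ip"
  done

  # Phase 1: Reconfigure Network
  rule
  echo "Phase 1: Reconfiguring Container Networks"
  rule
  echo ""
  for entry in "${NODES[@]}"; do
    IFS='|' read -r vmid ip host node_id <<<"$entry"
    reconfigure_node "$vmid" "$ip" "$host" "$node_id" \
      || die "Aborting: $node_id (VMID $vmid) was not reconfigured; cluster is in a mixed state"
  done
  echo ""

  # Phase 2: Update Vault Configuration
  rule
  echo "Phase 2: Updating Vault Configuration Files"
  rule
  echo ""
  for entry in "${NODES[@]}"; do
    IFS='|' read -r vmid ip host node_id <<<"$entry"
    log_info "Updating Vault config for $node_id..."
    write_vault_config "$host" "$vmid" "$ip" "$node_id" \
      || die "Failed to write vault.hcl on $node_id (VMID $vmid)"
    log_success "$node_id configuration updated"
  done
  echo ""

  # Phase 3: Restart Vault Services
  rule
  echo "Phase 3: Restarting Vault Services"
  rule
  echo ""
  log_info "Restarting Vault on all nodes..."
  # Keep going after a failed restart so the remaining nodes still come up;
  # the count is reported below instead of being dropped silently.
  for entry in "${NODES[@]}"; do
    IFS='|' read -r vmid ip host node_id <<<"$entry"
    restart_vault "$host" "$vmid" "$node_id" || restart_failures=$((restart_failures + 1))
  done
  sleep 10
  echo ""

  # Phase 4: Verify Cluster
  rule
  echo "Phase 4: Verifying Cluster Status"
  rule
  echo ""
  log_info "Checking cluster status..."
  # 'vault status' exits non-zero when the node is sealed, which is expected
  # right after a restart, so this is a warning rather than a failure.
  ssh "root@${PROXMOX_HOST_1}" \
    "pct exec $VAULT_NODE_1_VMID -- bash -c 'export VAULT_ADDR=http://127.0.0.1:8200 && vault status'" \
    || log_warn "Could not get status"
  echo ""

  # Summary
  banner
  echo " Reconfiguration Summary"
  banner
  echo ""
  if (( restart_failures > 0 )); then
    log_warn "Network reconfiguration finished, but $restart_failures node(s) failed to restart vault"
  else
    log_success "Network reconfiguration complete!"
  fi
  log_info "New IP assignments:"
  log_info "  Node 1 (vault-phoenix-1): $VAULT_NODE_1_IP"
  log_info "  Node 2 (vault-phoenix-2): $VAULT_NODE_2_IP"
  log_info "  Node 3 (vault-phoenix-3): $VAULT_NODE_3_IP"
  echo ""
  log_warn "Note: Nodes may need to be unsealed after restart"
  log_info "Unseal keys are stored in: .secure/vault-credentials/"
  echo ""
}

main "$@"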