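#!/bin/bash
# =================================================================
# IaSolux Monitor — ISP installer
# Run: curl -sSL https://install.iasolux.com.br | bash
#
# NOTE(review): the invocation above feeds a remote script straight into a
# root shell, so whoever controls that URL (or the TLS path to it) controls
# the host. Saving the script to a file and reading it before running it
# gives the operator a chance to see what it does.
# =================================================================

# Prompt helper: read one answer into the variable named by $1.
# When the script itself arrives on stdin (the "curl ... | bash" form in the
# header), a plain `read` would consume the next script line instead of the
# operator's answer, so in that case the answer is taken from the controlling
# terminal. `-r` keeps backslashes literal.
ask() {
  if [ -z "${BASH_SOURCE[0]:-}" ] && [ ! -t 0 ]; then
    read -r "$1" </dev/tty
  else
    read -r "$1"
  fi
}

# Escape a string for embedding inside a JSON string literal: drop control
# characters, then escape backslashes and double quotes.
json_escape() {
  local s=$1
  s=${s//[[:cntrl:]]/}
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

clear
echo ''
echo ' ╔══════════════════════════════════════════════╗'
echo ' ║ IaSolux Monitor — Instalador ISP ║'
echo ' ║ monitor.iasolux.com.br ║'
echo ' ╚══════════════════════════════════════════════╝'
echo ''
echo ' Este instalador vai configurar:'
echo ' + Painel de monitoramento de rede'
echo ' + Gestao de clientes PPPoE, planos, cobranca'
echo ' + WhatsApp automatico (lembrete, bloqueio, recados)'
echo ' + Bloqueio/desbloqueio automatico inadimplentes'
echo ' + Integracao MikroTik via SSH'
echo ''
echo ' Pre-requisitos: Ubuntu 22.04+, minimo 4GB RAM'
echo ''

# Everything below (apt, Docker, ufw, files under /root) needs root.
if [ "$(id -u)" != "0" ]; then
  echo ' ERRO: Execute como root (sudo bash)'
  exit 1
fi

# === STEP 1 — LICENSE ===
echo ' ══ PASSO 1/5 — Validacao da Licenca ══'
echo ''
printf ' Chave de licenca: '
ask LICENSE_KEY
if [ -z "$LICENSE_KEY" ]; then
  echo ' ERRO: Chave obrigatoria.'
  echo ' Contrate em: https://monitor.iasolux.com.br'
  exit 1
fi

echo ' Validando...'
# The request body is built with escaped values and sent on curl's stdin, so a
# key containing quotes cannot break the JSON and the key does not show up in
# the process list as a command-line argument.
PAYLOAD=$(printf '{"license_key":"%s","fingerprint":"%s"}' \
  "$(json_escape "$LICENSE_KEY")" "$(json_escape "$(hostname)")")
RESP=$(printf '%s' "$PAYLOAD" \
  | curl -s --max-time 15 -X POST https://api-monitor.iasolux.com.br/api/v1/license/validate \
      -H 'Content-Type: application/json' \
      --data-binary @- 2>/dev/null)
VALIDA=$(printf '%s\n' "$RESP" | grep -o '"valida":[a-z]*' | cut -d: -f2)
MOTIVO=$(printf '%s\n' "$RESP" | grep -o '"motivo":"[^"]*"' | cut -d'"' -f4)

# NOTE(review): only an explicit "valida":false stops the install. An empty or
# unparsable response (timeout, DNS failure, error page) falls through to
# "Licenca OK!" — confirm that failing open is intended.
if [ "$VALIDA" = "false" ]; then
  printf ' ERRO: Licenca invalida. Motivo: %s\n' "${MOTIVO:-desconhecido}"
  echo ' Suporte: monitor-suporte@iasolux.com.br'
  exit 1
fi
echo ' Licenca OK!'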
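echo ''

# Prompt helper: read one answer into the variable named by $1.
# When the script itself arrives on stdin ("curl ... | bash"), a plain `read`
# would consume the next script line instead of the operator's answer, so in
# that case the answer is taken from the controlling terminal.
ask() {
  if [ -z "${BASH_SOURCE[0]:-}" ] && [ ! -t 0 ]; then
    read -r "$1" </dev/tty
  else
    read -r "$1"
  fi
}

# === STEP 2 — PROVIDER DATA ===
echo ' ══ PASSO 2/5 — Dados do Provedor ══'
echo ''
printf ' Nome do provedor: '
ask TENANT_NOME
printf ' E-mail admin: '
ask TENANT_EMAIL
printf ' Telefone WhatsApp com DDD: '
ask TENANT_FONE
echo ''
echo ' Dominio do painel (opcional)'
echo ' Ex: painel.seuprovedor.com.br'
printf ' Dominio (ou Enter pra pular): '
ask DOMINIO
# The domain is written verbatim into /etc/caddy/Caddyfile further down, so
# anything that is not a plain host name is rejected here.
if [ -n "$DOMINIO" ] && ! [[ "$DOMINIO" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
  echo ' ERRO: Dominio invalido (use apenas letras, numeros, ponto e hifen).'
  exit 1
fi
echo ''
echo ' IPs que precisam acessar este servidor'
echo ' (MikroTik, servidor de log, monitoramento, etc.)'
echo ' Separe por virgula. Ex: 179.222.209.146,186.227.152.46'
printf ' IPs liberados (ou Enter pra pular): '
ask IPS_EXTRAS

# Default password.
# NOTE(review): it is a fixed prefix plus the last four characters of the
# license key, so anyone who knows the key knows the initial admin password.
# Nothing in this script sets it on the server side, so presumably the API
# derives it the same way — confirm, and prefer a random initial password.
SUFIXO=$(printf '%s\n' "$LICENSE_KEY" | tail -c 5)
SENHA_PADRAO="iasolux${SUFIXO}"

echo ''
echo ' ─────────────────────────────────────'
echo " Seu acesso inicial:"
echo " E-mail: $TENANT_EMAIL"
echo " Senha: $SENHA_PADRAO"
echo ''
echo ' TROQUE A SENHA NO PRIMEIRO ACESSO!'
echo ' ─────────────────────────────────────'
echo ''
printf ' Confirma instalacao? (s/n): '
ask CONFIRMA
if [ "$CONFIRMA" != "s" ]; then
  echo ' Cancelado.'
  exit 0
fi

# Generate internal credentials.
DB_PASS=$(openssl rand -hex 16)
JWT_SECRET=$(openssl rand -hex 32)
EVO_KEY=$(openssl rand -hex 24)
# An empty value here would be written into the compose file and .env as an
# empty password/secret, so stop instead of continuing.
if [ -z "$DB_PASS" ] || [ -z "$JWT_SECRET" ] || [ -z "$EVO_KEY" ]; then
  echo ' ERRO: falha ao gerar credenciais (openssl indisponivel?).' >&2
  exit 1
fi

# Public address as seen by an external service. The answer is later placed in
# a URL and in JSON bodies, so it is fetched over HTTPS and discarded unless
# it looks like an IP address.
IP_PUBLICO=$(curl -s --max-time 10 https://ifconfig.me 2>/dev/null)
if ! [[ "$IP_PUBLICO" =~ ^[0-9A-Fa-f.:]+$ ]]; then
  IP_PUBLICO=''
fi

# === STEP 3 — INSTALLATION ===
echo ''
echo ' ══ PASSO 3/5 — Instalando (5-10 min) ══'
echo ''
echo ' [1/6] Atualizando sistema...'
apt-get update -qq > /dev/null 2>&1
apt-get install -y -qq curl git jq htop > /dev/null 2>&1

if ! command -v docker &>/dev/null; then
  echo ' [2/6] Instalando Docker...'
  # NOTE(review): another remote script executed as root without a checksum
  # or signature check; the distribution packages or Docker's apt repository
  # are the verifiable alternative.
  curl -fsSL https://get.docker.com | sh > /dev/null 2>&1
  systemctl enable docker > /dev/null 2>&1
else
  echo ' [2/6] Docker OK'
fi

if ! command -v caddy &>/dev/null; then
  echo ' [3/6] Instalando Caddy...'
  apt-get install -y -qq debian-keyring debian-archive-keyring apt-transport-https > /dev/null 2>&1
  curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
    | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg 2>/dev/null
  curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
    | tee /etc/apt/sources.list.d/caddy-stable.list > /dev/null
  apt-get update -qq > /dev/null 2>&1
  apt-get install -y -qq caddy > /dev/null 2>&1
else
  echo ' [3/6] Caddy OK'
fi

echo ' [4/6] Criando containers...'
mkdir -p /root/iasolux-monitor
# Without this check a failed cd would drop the compose file and .env (both
# contain secrets) into whatever directory the installer was started from.
cd /root/iasolux-monitor || { echo ' ERRO: nao foi possivel acessar /root/iasolux-monitor' >&2; exit 1; }

# docker-compose.yml and .env hold the database password, JWT secret and API
# key: create them readable by root only.
OLD_UMASK=$(umask)
umask 077

# Port publishing: ports published by Docker are not filtered by ufw rules,
# and the firewall step of this installer opens none of 3100, 5434, 6380 or
# 8080. Those four are therefore bound to 127.0.0.1 — Caddy reaches the web
# UI on localhost and the containers talk to each other over the "internal"
# network. The Redis services have no password configured in this file.
# NOTE(review): 3101 stays published on all interfaces because the firewall
# step means to allow it for the extra IPs; ufw cannot actually restrict a
# Docker-published port, so the API is reachable over plain HTTP from any
# address. Restricting it needs rules in Docker's DOCKER-USER chain.
# NOTE(review): the two IaSolux images use the mutable ":latest" tag; pinning
# a version or digest makes the deployed code reproducible and auditable.
# NOTE(review): both PostgreSQL instances share the same generated password.
cat > docker-compose.yml << DCEOF
services:
  iasolux-web:
    image: ghcr.io/iasolux/monitor-web:latest
    container_name: iasolux-web
    restart: always
    ports:
      - "127.0.0.1:3100:3000"
    depends_on:
      - iasolux-api
    networks:
      - internal

  iasolux-api:
    image: ghcr.io/iasolux/monitor-api:latest
    container_name: iasolux-api
    restart: always
    ports:
      - "3101:3101"
    env_file:
      - .env
    depends_on:
      iasolux-db:
        condition: service_healthy
    networks:
      - internal

  iasolux-db:
    image: postgres:16-alpine
    container_name: iasolux-db
    restart: always
    ports:
      - "127.0.0.1:5434:5432"
    environment:
      POSTGRES_USER: iasolux
      POSTGRES_PASSWORD: ${DB_PASS}
      POSTGRES_DB: iasolux_monitor
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U iasolux"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - internal

  iasolux-redis:
    image: redis:7-alpine
    container_name: iasolux-redis
    restart: always
    ports:
      - "127.0.0.1:6380:6379"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - internal

  evolution-api:
    image: atendai/evolution-api:v2.3.3
    container_name: evolution-api
    restart: always
    ports:
      - "127.0.0.1:8080:8080"
    environment:
      - AUTHENTICATION_API_KEY=${EVO_KEY}
      - DATABASE_PROVIDER=postgresql
      - DATABASE_CONNECTION_URI=postgresql://evolution:${DB_PASS}@evolution-db:5432/evolution
      - CACHE_REDIS_URI=redis://evolution-redis:6379
    depends_on:
      - evolution-db
    networks:
      - internal

  evolution-db:
    image: postgres:16-alpine
    container_name: evolution-db
    restart: always
    environment:
      POSTGRES_USER: evolution
      POSTGRES_PASSWORD: ${DB_PASS}
      POSTGRES_DB: evolution
    volumes:
      - evo-pgdata:/var/lib/postgresql/data
    networks:
      - internal

  evolution-redis:
    image: redis:7-alpine
    container_name: evolution-redis
    restart: always
    networks:
      - internal

volumes:
  pgdata:
  evo-pgdata:

networks:
  internal:
    driver: bridge
DCEOF

# NOTE(review): CORS_ORIGIN=* lets any web origin call the API from a
# browser; the panel is served from the same origin through Caddy, so the
# panel URL is probably sufficient here — confirm with the API's CORS handling.
cat > .env << ENVEOF
NODE_ENV=production
PORT=3101
DB_HOST=iasolux-db
DB_PORT=5432
DB_NAME=iasolux_monitor
DB_USER=iasolux
DB_PASS=${DB_PASS}
DATABASE_URL=postgresql://iasolux:${DB_PASS}@iasolux-db:5432/iasolux_monitor
REDIS_HOST=iasolux-redis
REDIS_PORT=6379
JWT_SECRET=${JWT_SECRET}
JWT_EXPIRES_IN=24h
EVOLUTION_URL=http://evolution-api:8080
EVOLUTION_API_KEY=${EVO_KEY}
LICENSE_KEY=${LICENSE_KEY}
CORS_ORIGIN=*
ENVEOF
# Covers the case where the files already existed with wider permissions.
chmod 600 docker-compose.yml .env
umask "$OLD_UMASK"

echo ' [5/6] Subindo containers (primeiro download pode demorar)...'
# A failed start used to be silent and the installer went on to report
# success; stop here so the operator sees it.
if ! docker compose up -d 2>/dev/null; then
  echo ' ERRO: falha ao subir os containers (rode "docker compose up -d" em /root/iasolux-monitor para ver o erro).' >&2
  exit 1
fi
echo ' Aguardando servicos...'
sleep 20

# === STEP 4 — CONFIGURATION ===
echo ''
echo ' ══ PASSO 4/5 — Configurando acesso ══'
echo ''
if [ -n "$DOMINIO" ]; then
  # A site address that is a host name: the panel URL becomes https://.
  cat > /etc/caddy/Caddyfile << CADDYEOF
${DOMINIO} {
    handle /api/* {
        reverse_proxy localhost:3101
    }
    handle {
        reverse_proxy localhost:3100
    }
    encode gzip
}
CADDYEOF
  URL="https://$DOMINIO"
else
  # NOTE(review): without a domain the panel is served on plain HTTP port 80,
  # so the login and the session token cross the network unencrypted.
  cat > /etc/caddy/Caddyfile << CADDYEOF
:80 {
    handle /api/* {
        reverse_proxy localhost:3101
    }
    handle {
        reverse_proxy localhost:3100
    }
}
CADDYEOF
  URL="http://$IP_PUBLICO"
fi
systemctl restart caddy 2>/dev/null

echo ' [6/6] Firewall...'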
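# Escape a string for embedding inside a JSON string literal: drop control
# characters, then escape backslashes and double quotes.
json_escape() {
  local s=$1
  s=${s//[[:cntrl:]]/}
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

# Shape check for an IPv4/IPv6 address with optional prefix length. ufw still
# does the real parsing; this only keeps stray text out of the rule arguments.
is_addr() {
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]] \
    || [[ "$1" == *:* && "$1" =~ ^[0-9A-Fa-f:]+(/[0-9]{1,3})?$ ]]
}

# SSH is allowed only from the vendor addresses below, the installing
# operator's current address, and the extra IPs typed in earlier.
# NOTE(review): these hard-coded rules give the vendor's addresses network
# access to sshd on every customer host. They are listed in the summary
# printed below so the operator can see and remove them.
VENDOR_SSH_IPS=(
  209.50.240.142   # production server (hosting+monitor)
  209.50.245.57    # VPS3 (monitor template)
  179.222.209.146  # MikroTik Upnetworks (admin)
)
for VENDOR_IP in "${VENDOR_SSH_IPS[@]}"; do
  ufw allow from "$VENDOR_IP" to any port 22 proto tcp > /dev/null 2>&1
done

# The operator's own SSH source address (current session). SSH_CONNECTION can
# be unset — console session, or an environment reset by sudo.
CLIENTE_IP=$(awk '{print $1}' <<< "${SSH_CONNECTION:-}")
if [ -n "$CLIENTE_IP" ] && ! is_addr "$CLIENTE_IP"; then
  CLIENTE_IP=''
fi
if [ -n "$CLIENTE_IP" ]; then
  ufw allow from "$CLIENTE_IP" to any port 22 proto tcp > /dev/null 2>&1
fi

# Extra customer IPs (MikroTik, log server, etc.). Only entries that look like
# addresses are applied, and only those are reported as allowed.
IPS_OK=''
if [ -n "$IPS_EXTRAS" ]; then
  IFS=',' read -ra IPS_ARRAY <<< "$IPS_EXTRAS"
  for IP_EXTRA in "${IPS_ARRAY[@]}"; do
    IP_EXTRA=${IP_EXTRA// /}
    [ -n "$IP_EXTRA" ] || continue
    if ! is_addr "$IP_EXTRA"; then
      printf ' AVISO: IP ignorado (formato invalido): %s\n' "$IP_EXTRA" >&2
      continue
    fi
    ufw allow from "$IP_EXTRA" to any port 22 proto tcp > /dev/null 2>&1
    # SNMP, syslog and API access for the MikroTik.
    ufw allow from "$IP_EXTRA" to any port 161 proto udp > /dev/null 2>&1
    ufw allow from "$IP_EXTRA" to any port 514 proto udp > /dev/null 2>&1
    ufw allow from "$IP_EXTRA" to any port 3101 proto tcp > /dev/null 2>&1
    IPS_OK="${IPS_OK:+$IPS_OK,}$IP_EXTRA"
  done
fi

# HTTP/HTTPS open to everyone (the provider's panel).
ufw allow 80/tcp > /dev/null 2>&1
ufw allow 443/tcp > /dev/null 2>&1

# With no operator address and no extra IP, the deny rule below leaves the
# vendor addresses as the only ones able to reach SSH: say so before enabling.
if [ -z "$CLIENTE_IP" ] && [ -z "$IPS_OK" ]; then
  echo ' AVISO: seu IP nao foi detectado; apos esta etapa o SSH so sera aceito dos IPs IaSolux listados abaixo.' >&2
fi

# Block SSH from everywhere else (added after the allow rules above).
ufw deny 22/tcp > /dev/null 2>&1
ufw --force enable > /dev/null 2>&1

echo " SSH liberado: IaSolux (${VENDOR_SSH_IPS[*]}) + seu IP (${CLIENTE_IP:-nao detectado})"
if [ -n "$IPS_OK" ]; then
  echo " IPs extras liberados: $IPS_OK (SSH+SNMP+Syslog+API)"
fi

# === STEP 5 — REGISTRATION WITH THE VENDOR ===
echo ''
echo ' ══ PASSO 5/5 — Registrando no servidor central ══'
echo ''

# Activate the license with a host fingerprint. The body goes over stdin so
# the key is escaped for JSON and stays out of the process argument list.
printf '{"license_key":"%s","fingerprint":"%s"}' \
  "$(json_escape "$LICENSE_KEY")" "$(json_escape "$(hostname)-$IP_PUBLICO")" \
  | curl -s --max-time 15 -X POST https://api-monitor.iasolux.com.br/api/v1/license/activate \
      -H 'Content-Type: application/json' \
      --data-binary @- > /dev/null 2>&1

# Installation report to the vendor.
# The original message also carried the default panel password, the database
# password, the JWT signing secret and the Evolution API key. Those values are
# no longer sent: anyone holding them (the vendor, or whoever can read the
# vendor's alert store) could sign panel tokens and read the customer
# database. Only inventory data leaves the host now.
# NOTE(review): if vendor support relied on receiving those secrets, that
# needs an explicit, operator-approved mechanism rather than this alert call.
CONTAINERS=$(docker ps --format '{{.Names}}' | tr '\n' ',' | sed 's/,$//')
DISCO=$(df -h / | awk 'END {print $2}')
RAM_TOTAL=$(free -h | awk '/Mem/ {print $2}')
MENSAGEM="NOVO MONITOR INSTALADO | Provedor: $TENANT_NOME | Email: $TENANT_EMAIL | Fone: $TENANT_FONE | IP: $IP_PUBLICO | Dominio: ${DOMINIO:-sem} | Hostname: $(hostname) | RAM: $RAM_TOTAL | Disco: $DISCO | Containers: $CONTAINERS"
printf '{"tenant_id":"instalacao-monitor","license_key":"%s","tipo":"instalacao_monitor","mensagem":"%s"}' \
  "$(json_escape "$LICENSE_KEY")" "$(json_escape "$MENSAGEM")" \
  | curl -s --max-time 15 -X POST https://api-hosting.iasolux.com.br/hosting/alert \
      -H 'Content-Type: application/json' \
      --data-binary @- > /dev/null 2>&1
echo ' Registrado!'

# Save the access details. The file is created under a restrictive umask so it
# is never readable by other users, not even briefly before the chmod.
OLD_UMASK=$(umask)
umask 077
cat > /root/iasolux-monitor/CREDENCIAIS.txt << CREDEOF
══════════════════════════════════════════
 IaSolux Monitor — Instalacao OK!
══════════════════════════════════════════
 Provedor: $TENANT_NOME
 Painel: $URL
 E-mail: $TENANT_EMAIL
 Senha: $SENHA_PADRAO <-- TROQUE NO PRIMEIRO ACESSO!
 Licenca: $LICENSE_KEY
 Suporte: monitor-suporte@iasolux.com.br
 Financeiro: monitor-financeiro@iasolux.com.br
──────────────────────────────────────────
 PROXIMOS PASSOS:
 1. Acesse $URL no navegador
 2. Faca login com e-mail e senha acima
 3. TROQUE A SENHA (menu Perfil)
 4. Cadastre seu MikroTik (menu Dispositivos)
 5. Conecte o WhatsApp (menu Configuracoes)
 6. Cadastre seus clientes (menu Clientes)
──────────────────────────────────────────
CREDEOF
umask "$OLD_UMASK"
# Covers the case where the file already existed with wider permissions.
chmod 600 /root/iasolux-monitor/CREDENCIAIS.txt

echo ''
cat /root/iasolux-monitor/CREDENCIAIS.txt
echo ''
echo " Credenciais salvas em: /root/iasolux-monitor/CREDENCIAIS.txt"
echo ''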