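#!/bin/bash
# Copyright (C) 2026 Cédric Abonnel
# License: GNU Affero General Public License v3
#
# Installer for the monitoring scripts: fetches a manifest of
# "<sha256> <mode> <relative path>" lines from UPDATE_BASE_URL, validates it,
# then downloads each listed file, checks its SHA-256 and installs it under
# BASE_DIR. Must be run as root.
#
# Environment:
#   INSTALL_DEPS  "true" (default) to install packages with apt-get first.
#
# NOTE(review): the manifest is fetched from the same origin as the files and
# carries no signature, so the SHA-256 check detects corrupted or truncated
# downloads but not a modified repository. A signed manifest verified against
# a locally pinned key would be needed for that.

set -euo pipefail

# --- Configuration ---
BASE_DIR="/opt/monitoring"
CONF_DIR="${BASE_DIR}/conf"
LOG_DIR="/var/log/monitoring"
STATE_DIR="/var/lib/monitoring"
LOCK_DIR="/var/lock/monitoring"
# Working directory; created in main() with mktemp -d. A fixed name under /tmp
# could be pre-created by another local user before this script runs as root,
# which would let them alter the manifest or the downloaded files between the
# integrity check and the install.
TMP_DIR=""
UPDATE_BASE_URL="https://git.abonnel.fr/cedricAbonnel/scripts-bash/raw/branch/main/servers/linux/monitoring"
MANIFEST_URL="${UPDATE_BASE_URL}/manifest.txt"
INSTALL_DEPS="${INSTALL_DEPS:-true}"

# --- Functions ---

# Abort unless the script runs with an effective UID of 0.
require_root() {
  if [ "${EUID}" -ne 0 ]; then
    echo "ERREUR: Ce script doit être exécuté en root." >&2
    exit 1
  fi
}

# Install the packages the scripts rely on, when apt-get is available.
# Skipped entirely when INSTALL_DEPS is not "true".
install_deps() {
  if [ "${INSTALL_DEPS}" != "true" ]; then
    return 0
  fi

  echo "--- Installation des dépendances ---"
  if command -v apt-get >/dev/null 2>&1; then
    apt-get update
    apt-get install -y curl coreutils findutils grep sed gawk util-linux ca-certificates
    # PHP modules needed by the installed scripts (php-curl is used for ntfy).
    apt-get install -y php-cli php-curl php-common
  else
    echo "AVERTISSEMENT: Gestionnaire de paquets apt non détecté. Assurez-vous que php-cli et php-curl sont installés." >&2
  fi
}

# Create the installation, configuration, log, state and lock directories.
# The temporary working directory is not created here; main() gets it from
# mktemp -d.
prepare_dirs() {
  echo "--- Préparation des répertoires ---"
  mkdir -p "${BASE_DIR}/bin" "${BASE_DIR}/lib" "${CONF_DIR}" "${LOG_DIR}" "${STATE_DIR}" "${LOCK_DIR}"
  # NOTE(review): 755 makes the log and state directories world-readable;
  # confirm that nothing sensitive is written there.
  chmod 755 "${BASE_DIR}" "${CONF_DIR}" "${LOG_DIR}" "${STATE_DIR}" "${LOCK_DIR}"
}

# Download the manifest into the working directory.
fetch_manifest() {
  echo "--- Récupération du manifeste ---"
  # --proto/--tlsv1.2 make curl refuse anything other than HTTPS with TLS >= 1.2.
  curl -fsS --proto '=https' --tlsv1.2 "${MANIFEST_URL}" -o "${TMP_DIR}/manifest.txt"
}

# Validate the manifest and print the accepted entries on stdout.
# Expected line format: <sha256 hex> <mode> <relative path>
# Example: a1b2... 755 bin/script.php
# Returns non-zero when a non-blank, non-comment line is malformed or when no
# valid entry was found, so a damaged manifest stops the installation instead
# of being silently filtered down to whatever lines happen to match.
validate_manifest() {
  # length() plus a character-class match replaces the {64} interval
  # expression, which some awk implementations do not support.
  awk '
    NF == 0     { next }
    $1 ~ /^#/   { next }
    NF == 3 &&
    length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ &&
    $2 ~ /^(644|755|600)$/ &&
    $3 ~ /^(bin|lib|conf)\/[A-Za-z0-9._\/-]+$/ &&
    $3 !~ /\.\./ { print; ok++; next }
    { bad++ }
    END { exit ((bad > 0 || ok == 0) ? 1 : 0) }
  ' "${TMP_DIR}/manifest.txt"
}

# Download one manifest entry, verify its SHA-256 and install it.
# Arguments: $1 - expected SHA-256 (hex), $2 - file mode, $3 - relative path
# Returns:   0 on success or when an existing conf file is kept, 1 on
#            download failure or hash mismatch.
download_one() {
  local expected_hash="$1"
  local mode="$2"
  local rel_path="$3"
  local url="${UPDATE_BASE_URL}/${rel_path}"
  local dst="${BASE_DIR}/${rel_path}"

  # An existing configuration file is never overwritten.
  if [[ "$rel_path" == conf/* && -f "$dst" ]]; then
    echo "Skip: $rel_path (existe déjà)"
    return 0
  fi

  echo "Téléchargement: $rel_path"
  local tmp_file
  tmp_file="$(mktemp "${TMP_DIR}/file.XXXXXX")"

  if ! curl -fsS --proto '=https' --tlsv1.2 "$url" -o "$tmp_file"; then
    echo "ERREUR: Échec du téléchargement de ${url}" >&2
    rm -f -- "$tmp_file"
    return 1
  fi

  # sha256sum prints lower-case hex while the manifest format also accepts
  # upper-case digits, so compare case-insensitively.
  local got_hash
  got_hash="$(sha256sum "$tmp_file" | awk '{print $1}')"
  if [ "$got_hash" != "${expected_hash,,}" ]; then
    echo "ERREUR: Hash invalide pour ${rel_path}" >&2
    rm -f -- "$tmp_file"
    return 1
  fi

  mkdir -p -- "$(dirname -- "$dst")"
  # Set the final mode before the move so the file never sits at its
  # destination with the wrong permissions.
  chmod "$mode" "$tmp_file"
  mv -f -- "$tmp_file" "$dst"
}

# Install every entry of the validated manifest. Under set -e the first
# failing entry aborts the script; files installed before it stay in place.
install_from_manifest() {
  echo "--- Installation des fichiers ---"
  local hash mode rel_path
  # The manifest is read on fd 3 so that commands in the loop body cannot
  # consume it through stdin.
  while read -r hash mode rel_path <&3; do
    [ -n "${hash:-}" ] || continue
    download_one "$hash" "$mode" "$rel_path"
  done 3< "${TMP_DIR}/manifest-valid.txt"
}

# Print a closing message.
# NOTE(review): the original here-document text is missing from this copy of
# the script (it was lost together with the start of main); the lines below
# are a minimal stand-in and should be replaced by the upstream message.
show_next_steps() {
  cat <<EOF

Installation terminée.
  Programmes    : ${BASE_DIR}/bin
  Configuration : ${CONF_DIR}
  Journaux      : ${LOG_DIR}
EOF
}

# Remove the temporary working directory; installed as an EXIT trap so it
# also runs when a step fails.
cleanup() {
  if [[ -n "${TMP_DIR}" && -d "${TMP_DIR}" ]]; then
    rm -rf -- "${TMP_DIR}"
  fi
}

# Entry point.
# NOTE(review): the calls before the manifest validation are reconstructed
# from the functions defined above, because the beginning of main is missing
# from this copy; check the order against the upstream script.
main() {
  require_root
  install_deps
  prepare_dirs

  # mktemp -d creates a fresh directory with an unpredictable name,
  # accessible to root only.
  TMP_DIR="$(mktemp -d /tmp/monitoring-install.XXXXXX)"
  trap cleanup EXIT

  fetch_manifest

  if ! validate_manifest > "${TMP_DIR}/manifest-valid.txt"; then
    echo "ERREUR: Le manifeste est invalide ou corrompu." >&2
    exit 1
  fi

  install_from_manifest
  show_next_steps
}

main "$@"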