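#!/bin/bash
#
# Bind the CloudPanel UI to this host's ZeroTier address and restrict the
# SSH and CloudPanel firewall rules to ZeroTier, leaving HTTP/HTTPS open.
#
# Usage: run as root. Prompts for the 16-hex-digit ZeroTier Network ID and
# asks for confirmation before any file, database or firewall change.
#
# Flow: install/join ZeroTier -> wait for an address -> back up the nginx
# config and the CloudPanel SQLite DB -> rewrite the nginx listen directive
# -> replace the firewall rows in the DB -> restart nginx and ufw.

# Unset variables are bugs here and pipeline failures must not be masked.
# set -e is deliberately NOT used: the diagnostic commands below are expected
# to fail while ZeroTier is still coming up, so critical steps are checked
# explicitly instead.
set -uo pipefail

# Check if script is run as root
if [[ "$EUID" -ne 0 ]]; then
  echo "Please run as root"
  exit 1
fi

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Variables
readonly CLOUDPANEL_PORT="8443"
readonly SSH_PORT="22"
readonly SFTP_PORT="22"   # not used below; SSH and SFTP share port 22
readonly DB_PATH="/home/clp/htdocs/app/data/db.sq3"
readonly NGINX_CONF="/home/clp/services/nginx/sites-enabled/cloudpanel.conf"
readonly MAX_TRIES=12     # 12 attempts x 10 s sleep = two minutes

# Prompt for ZeroTier Network ID
printf '%s' "Please enter your ZeroTier Network ID: "
read -r ZEROTIER_NETWORK_ID

# Validate Network ID format (16 character hex). The value is later used
# unquoted-safe in grep and zerotier-cli, so anything else is rejected here.
if ! [[ $ZEROTIER_NETWORK_ID =~ ^[0-9a-fA-F]{16}$ ]]; then
  echo "Error: Invalid ZeroTier Network ID format. It should be a 16-character hexadecimal string."
  echo "Example: a1b2c3d4e5f67890"
  exit 1
fi
readonly ZEROTIER_NETWORK_ID
echo "Using ZeroTier Network ID: $ZEROTIER_NETWORK_ID"

# Install ZeroTier if not already installed
if ! command -v zerotier-cli &> /dev/null; then
  echo "Installing ZeroTier..."
  # Download the vendor installer to a temp file first so a failed or partial
  # download is rejected (-f) instead of being piped straight into bash. The
  # script is still executed as root, exactly as the upstream one-liner does,
  # so its contents are worth inspecting before trusting this step.
  installer=$(mktemp) || die "Error: mktemp failed"
  trap 'rm -f -- "$installer"' EXIT
  curl -fsS https://install.zerotier.com -o "$installer" \
    || die "Error: failed to download the ZeroTier installer"
  bash "$installer" || die "Error: ZeroTier installation failed"
  rm -f -- "$installer"
  trap - EXIT
  command -v zerotier-cli &> /dev/null \
    || die "Error: zerotier-cli not found after installation"
fi

# Join ZeroTier network if not already joined
if ! zerotier-cli listnetworks | grep -q -- "$ZEROTIER_NETWORK_ID"; then
  echo "Joining ZeroTier network..."
  zerotier-cli join "$ZEROTIER_NETWORK_ID" || die "Error: zerotier-cli join failed"
fi

#######################################
# Print this node's IPv4 address on the ZeroTier network, or an empty line.
# Tries the zt0 interface first, then the zerotier-cli listing; only the
# first address found is printed so callers always get a single dotted quad.
# Globals:   ZEROTIER_NETWORK_ID (read)
# Outputs:   the address (or an empty line) on stdout
# Returns:   0 always
#######################################
get_zerotier_ip() {
  local from_iface from_cli
  # Method 1: direct interface check.
  # NOTE(review): the device is assumed to be named zt0; ZeroTier may name it
  # differently, in which case method 2 is the one that actually succeeds.
  from_iface=$(ip addr show zt0 2>/dev/null | grep -Po 'inet \K[\d.]+' | head -n 1)
  # Method 2: ZeroTier CLI check, restricted to the line for our network
  from_cli=$(zerotier-cli listnetworks | grep -- "$ZEROTIER_NETWORK_ID" \
    | grep -Po '\s\K[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
  # Return the first successful result
  if [[ -n "$from_iface" ]]; then
    printf '%s\n' "$from_iface"
  elif [[ -n "$from_cli" ]]; then
    printf '%s\n' "$from_cli"
  else
    echo ""
  fi
  return 0
}

# Debug information (these may legitimately fail before the node is authorized)
echo "Current ZeroTier Status:"
zerotier-cli status
printf '\nNetwork Information:\n'
zerotier-cli listnetworks
printf '\nInterface Information:\n'
ip addr show zt0
printf '\nWaiting for ZeroTier IP assignment...\n'

# Wait for network connection and IP assignment
ZEROTIER_IP=""
COUNTER=0
while [[ -z "$ZEROTIER_IP" && "$COUNTER" -lt "$MAX_TRIES" ]]; do
  ZEROTIER_IP=$(get_zerotier_ip)
  if [[ -z "$ZEROTIER_IP" ]]; then
    echo "Attempt $((COUNTER+1))/$MAX_TRIES: Waiting for IP assignment..."
    echo "Please make sure to authorize this node in your ZeroTier Central dashboard!"
    sleep 10
    COUNTER=$((COUNTER+1))
  else
    echo "Found ZeroTier IP: $ZEROTIER_IP"
  fi
done

if [[ -z "$ZEROTIER_IP" ]]; then
  echo "Failed to get ZeroTier IP after $MAX_TRIES attempts."
  echo "Current network status:"
  zerotier-cli listnetworks
  printf '\nPlease verify:\n'
  echo "1. Network ID is correct: $ZEROTIER_NETWORK_ID"
  echo "2. Node is authorized in ZeroTier Central"
  echo "3. Network interface exists:"
  ip link show zt0
  exit 1
fi

# The address is interpolated into a sed expression and into SQL below;
# refuse anything that is not a plain dotted quad.
if ! [[ $ZEROTIER_IP =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  die "Error: unexpected ZeroTier IP value '$ZEROTIER_IP'"
fi
readonly ZEROTIER_IP

# Confirm with user before proceeding
printf '\nFound ZeroTier IP: %s\n' "$ZEROTIER_IP"
echo "Would you like to proceed with the firewall and nginx configuration? (y/n)"
read -r response
if [[ ! $response =~ ^[Yy]$ ]]; then
  echo "Setup cancelled by user"
  exit 0
fi

# Prerequisites: fail before anything is modified rather than half-way through.
command -v sqlite3 &> /dev/null || die "Error: sqlite3 is required but not installed"
[[ -f "$NGINX_CONF" ]] || die "Error: nginx config not found: $NGINX_CONF"
[[ -f "$DB_PATH" ]] || die "Error: CloudPanel database not found: $DB_PATH"
# If the listen directive is not in the expected form (e.g. this script has
# already run), the sed below would silently do nothing while the firewall
# is still tightened; abort instead.
grep -q -- "listen $CLOUDPANEL_PORT ssl;" "$NGINX_CONF" \
  || die "Error: 'listen $CLOUDPANEL_PORT ssl;' not found in $NGINX_CONF (already configured?)"

# Backup original files (one timestamp so both backups are easy to pair up)
echo "Creating backups..."
backup_stamp=$(date +%Y%m%d%H%M%S)
cp -- "$NGINX_CONF" "${NGINX_CONF}.backup.${backup_stamp}" \
  || die "Error: failed to back up $NGINX_CONF"
sqlite3 "$DB_PATH" ".backup '${DB_PATH}.backup.${backup_stamp}'" \
  || die "Error: failed to back up $DB_PATH"

# Update CloudPanel nginx configuration
echo "Updating nginx configuration..."
# NOTE(review): binding only to the ZeroTier address means nginx can fail to
# start if the ZeroTier interface is not up yet at boot — confirm this is
# acceptable for the deployment.
sed -i.bak "s/listen $CLOUDPANEL_PORT ssl;/listen $ZEROTIER_IP:$CLOUDPANEL_PORT ssl;/" "$NGINX_CONF" \
  || die "Error: failed to update $NGINX_CONF"

# Update firewall rules in SQLite database
echo "Updating firewall rules..."
# ZEROTIER_IP was validated as a dotted quad above, so the interpolation into
# this SQL carries only digits and dots. -bail stops on the first error so a
# partially applied rule set is never committed.
# NOTE(review): 'source' for the SSH and UI rows is this node's OWN ZeroTier
# address as a /32. The 0.0.0.0/0 rows suggest 'source' is the permitted
# client range; if so, only this host itself could reach ports 22 and 8443
# after the change. Confirm whether the ZeroTier network's subnet was intended
# before relying on SSH over ZeroTier.
sqlite3 -bail "$DB_PATH" << EOF || die "Error: failed to update firewall rules in $DB_PATH"
BEGIN TRANSACTION;
-- Remove existing rules for these ports
DELETE FROM firewall_rule WHERE port_range IN ('${SSH_PORT}', '80', '443', '${CLOUDPANEL_PORT}');
-- Add new rules for SSH (ZeroTier only)
INSERT INTO firewall_rule (created_at, updated_at, port_range, source, description)
VALUES (datetime('now'), datetime('now'), '${SSH_PORT}', '${ZEROTIER_IP}/32', 'SSH via ZeroTier');
-- Add new rules for HTTP/HTTPS (open to all)
INSERT INTO firewall_rule (created_at, updated_at, port_range, source, description)
VALUES (datetime('now'), datetime('now'), '80', '0.0.0.0/0', 'HTTP open to all'),
       (datetime('now'), datetime('now'), '443', '0.0.0.0/0', 'HTTPS open to all');
-- Add new rule for CloudPanel UI (ZeroTier only)
INSERT INTO firewall_rule (created_at, updated_at, port_range, source, description)
VALUES (datetime('now'), datetime('now'), '${CLOUDPANEL_PORT}', '${ZEROTIER_IP}/32', 'CloudPanel UI via ZeroTier');
COMMIT;
EOF

# Restart services
echo "Restarting services..."
# Validate the rewritten config before restarting; a bad listen line would
# otherwise take the UI and every hosted site down.
if command -v nginx &> /dev/null; then
  nginx -t || die "Error: nginx configuration test failed; backup is ${NGINX_CONF}.backup.${backup_stamp}"
fi
systemctl restart nginx || die "Error: failed to restart nginx"
# NOTE(review): whether restarting ufw is enough to apply rules stored in the
# CloudPanel database is not visible here — verify with 'ufw status' afterwards.
systemctl restart ufw || die "Error: failed to restart ufw"

# Final status check
printf '\nFinal ZeroTier Status:\n'
zerotier-cli status
printf '\nNetwork Status:\n'
zerotier-cli listnetworks
printf '\nSetup complete! Please verify the following:\n'
echo "1. SSH access via ZeroTier IP: ${ZEROTIER_IP}"
echo "2. CloudPanel UI access: https://${ZEROTIER_IP}:${CLOUDPANEL_PORT}"
echo "3. HTTP/HTTPS (80/443) are open to all IPs"
echo ""
echo "Backup files created:"
echo "- Nginx config: ${NGINX_CONF}.backup.*"
echo "- Database: ${DB_PATH}.backup.*"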