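#!/bin/bash
# setup_production.sh
# Automated production install for RPA Vision V3. This first part checks for
# root, collects the operator's settings, installs Nginx and Certbot, and
# writes the Nginx reverse-proxy site for the API.

set -e

echo "========================================"
echo "RPA Vision V3 - Setup Production"
echo "========================================"
echo ""

# Require root: the script installs packages and writes under /etc.
if [ "$EUID" -ne 0 ]; then
  echo "⚠️ Ce script doit être exécuté en tant que root"
  echo " Utilisez: sudo ./setup_production.sh"
  exit 1
fi

# Operator input. -r keeps backslashes literal; the secret is additionally
# read with an empty IFS so leading/trailing blanks are not stripped from it.
read -r -p "Nom de domaine pour l'API (ex: api.votre-domaine.com): " API_DOMAIN
read -r -p "Nom de domaine pour le Dashboard (ex: dashboard.votre-domaine.com): " DASHBOARD_DOMAIN
read -r -p "Email pour Let's Encrypt: " LETSENCRYPT_EMAIL
IFS= read -r -s -p "Password de chiffrement: " ENCRYPTION_PASSWORD
echo ""

# The two domains are expanded verbatim into Nginx server blocks written as
# root, and all three values are passed to certbot. Accept only plain dotted
# hostnames and a plain address, so a stray ';', '{' or space cannot change
# the generated configuration.
hostname_re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
email_re='^[^[:space:]@;]+@[^[:space:]@;]+$'

for domain in "$API_DOMAIN" "$DASHBOARD_DOMAIN"; do
  if [[ ! "$domain" =~ $hostname_re ]]; then
    echo "⚠️ Nom de domaine invalide: $domain" >&2
    exit 1
  fi
done

if [[ ! "$LETSENCRYPT_EMAIL" =~ $email_re ]]; then
  echo "⚠️ Adresse email invalide: $LETSENCRYPT_EMAIL" >&2
  exit 1
fi

# An empty secret would configure the API with no encryption password at all.
if [ -z "$ENCRYPTION_PASSWORD" ]; then
  echo "⚠️ Le password de chiffrement ne peut pas être vide" >&2
  exit 1
fi

# DNS check for the API domain; the operator may choose to continue anyway.
echo ""
echo "Vérification DNS..."
if ! nslookup "$API_DOMAIN" > /dev/null 2>&1; then
  echo "⚠️ ATTENTION: $API_DOMAIN ne résout pas correctement"
  read -r -p "Continuer quand même? (y/N): " CONTINUE
  if [ "$CONTINUE" != "y" ]; then
    exit 1
  fi
fi

# 1. Install Nginx (apt-get rather than apt: apt's CLI is meant for
#    interactive use and warns when scripted).
echo ""
echo "📦 Installation de Nginx..."
apt-get update
apt-get install -y nginx

# 2. Install Certbot and its Nginx plugin
echo ""
echo "🔒 Installation de Certbot..."
apt-get install -y certbot python3-certbot-nginx

# 3. Nginx site for the API: plain HTTP on port 80, proxied to the backend on
#    127.0.0.1:8000. The heredoc is unquoted so $API_DOMAIN expands here,
#    while the \$-escaped names are left for Nginx to evaluate per request.
echo ""
echo "⚙️ Configuration Nginx pour l'API..."
cat > /etc/nginx/sites-available/rpa-api << EOF
server {
    listen 80;
    server_name $API_DOMAIN;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        client_max_body_size 100M;
        client_body_timeout 300s;
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }
}
EOF

# 4. Nginx site for the Dashboard
echo ""
echo "⚙️ Configuration Nginx pour le Dashboard..."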
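# Dashboard reverse proxy: plain HTTP on port 80, proxied to 127.0.0.1:5001,
# with the Upgrade/Connection headers forwarded so WebSocket upgrades pass.
cat > /etc/nginx/sites-available/rpa-dashboard << EOF
server {
    listen 80;
    server_name $DASHBOARD_DOMAIN;

    location / {
        proxy_pass http://127.0.0.1:5001;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF

# 5. Enable both sites
ln -sf /etc/nginx/sites-available/rpa-api /etc/nginx/sites-enabled/
ln -sf /etc/nginx/sites-available/rpa-dashboard /etc/nginx/sites-enabled/

# Validate the configuration; under `set -e` a failure stops before the reload.
nginx -t

# Reload Nginx
systemctl reload nginx

# 6. Obtain the TLS certificates; --redirect makes certbot add the
#    HTTP -> HTTPS redirect to each site.
echo ""
echo "🔒 Obtention des certificats SSL..."
certbot --nginx -d "$API_DOMAIN" --non-interactive --agree-tos --email "$LETSENCRYPT_EMAIL" --redirect
certbot --nginx -d "$DASHBOARD_DOMAIN" --non-interactive --agree-tos --email "$LETSENCRYPT_EMAIL" --redirect

# 7. systemd service for the API
echo ""
echo "⚙️ Configuration service API..."

# Both units are written with User=$SUDO_USER. That variable is empty when the
# script is started from a root shell instead of through sudo, and an empty
# User= leaves the service running as root. Refuse that rather than deploy
# the API as root.
if [ -z "${SUDO_USER:-}" ] || [ "$SUDO_USER" = "root" ]; then
  echo "⚠️ Impossible de déterminer un utilisateur non-root pour les services (SUDO_USER vide ou root)" >&2
  echo " Lancez le script avec sudo depuis un compte non-root" >&2
  exit 1
fi

# Project root = two directories above this script. Every expansion is quoted
# so a path containing spaces is not word-split.
SCRIPT_PATH=$(readlink -f -- "$0")
PROJECT_DIR=$(dirname -- "$(dirname -- "$SCRIPT_PATH")")
VENV_DIR="$PROJECT_DIR/venv_v3"

# The encryption password goes into a root-only environment file instead of
# the unit itself: a unit file is created world-readable under the usual
# umask, Environment= values can be read back with `systemctl show`, and a
# '"' or '%' in the password would be reinterpreted by the unit-file parser.
# systemd reads EnvironmentFile= itself, before switching to User=, so mode
# 0600 root:root is sufficient.
API_ENV_FILE=/etc/default/rpa-api
ESCAPED_PASSWORD=${ENCRYPTION_PASSWORD//\\/\\\\}
ESCAPED_PASSWORD=${ESCAPED_PASSWORD//\"/\\\"}
# Create (or reset) the file with tight permissions before the secret lands in it.
install -m 0600 -o root -g root /dev/null "$API_ENV_FILE"
printf 'ENCRYPTION_PASSWORD="%s"\n' "$ESCAPED_PASSWORD" > "$API_ENV_FILE"
unset ESCAPED_PASSWORD

cat > /etc/systemd/system/rpa-api.service << EOF
[Unit]
Description=RPA Vision V3 - API Upload
After=network.target

[Service]
Type=simple
User=$SUDO_USER
WorkingDirectory=$PROJECT_DIR/server
EnvironmentFile=$API_ENV_FILE
Environment="PATH=$VENV_DIR/bin:/usr/local/bin:/usr/bin:/bin"
ExecStart=$VENV_DIR/bin/uvicorn api_upload:app --host 127.0.0.1 --port 8000
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

# 8. systemd service for the Dashboard
echo ""
echo "⚙️ Configuration service Dashboard..."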
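# Dashboard unit. It runs as $SUDO_USER; if that variable is empty, User= is
# empty too and systemd runs the service as root.
# NOTE(review): unlike the API unit (uvicorn --host 127.0.0.1), the bind
# address of app.py is not visible here — confirm it listens on loopback only.
cat > /etc/systemd/system/rpa-dashboard.service << EOF
[Unit]
Description=RPA Vision V3 - Dashboard Web
After=network.target

[Service]
Type=simple
User=$SUDO_USER
WorkingDirectory=$PROJECT_DIR/web_dashboard
Environment="PATH=$VENV_DIR/bin:/usr/local/bin:/usr/bin:/bin"
ExecStart=$VENV_DIR/bin/python app.py
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

# 9. Enable and start the services
echo ""
echo "🚀 Démarrage des services..."
systemctl daemon-reload
systemctl enable rpa-api
systemctl enable rpa-dashboard
systemctl start rpa-api
systemctl start rpa-dashboard

# 10. Firewall: expose only HTTP/HTTPS; the backend ports stay closed so the
#     services are reachable through Nginx only.
echo ""
echo "🔥 Configuration firewall..."
ufw allow 80/tcp
ufw allow 443/tcp
ufw deny 8000/tcp
ufw deny 5001/tcp

# Enabling ufw activates its default incoming policy. With no SSH rule, a
# remote administrator can be locked out of the server, so keep a running SSH
# daemon reachable (rate-limited) before turning the firewall on.
# NOTE(review): `ssh` resolves to 22/tcp — if sshd listens on another port,
# add a rule for that port instead.
if systemctl is-active --quiet ssh || systemctl is-active --quiet sshd; then
  ufw limit ssh
fi

# --force answers the confirmation prompt without piping "y" into ufw.
ufw --force enable

# 11. Final summary
echo ""
echo "========================================"
echo "✅ Installation terminée!"
echo "========================================"
echo ""
echo "📊 Statut des services:"
systemctl status rpa-api --no-pager | head -5
systemctl status rpa-dashboard --no-pager | head -5
echo ""
echo "🔒 Certificats SSL:"
# grep exits non-zero when nothing matches; under `set -e` that would abort
# the summary before the URLs are printed, so the listing is best-effort.
certbot certificates | grep -E "Certificate Name|Domains|Expiry" || true
echo ""
echo "🌐 URLs:"
echo " API: https://$API_DOMAIN"
echo " Dashboard: https://$DASHBOARD_DOMAIN"
echo ""
# The password itself is deliberately never printed.
echo "🔑 Password chiffrement: ****** (configuré)"
echo ""
echo "📝 Commandes utiles:"
echo " sudo systemctl status rpa-api"
echo " sudo systemctl status rpa-dashboard"
echo " sudo journalctl -u rpa-api -f"
echo " sudo certbot renew --dry-run"
echo ""
echo "✅ Prêt pour la production!"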