#!/usr/bin/env bash
set -euo pipefail

VERSION="latest"
INSTALL_DIR="${HOME}/eriol-streaming-server"
PUBLIC_HOST=""
HTTP_PORT="8080"
SRT_PORT="5000"
UDP_PORT_MIN="10000"
UDP_PORT_MAX="10100"
RECORDINGS_DIR=""
AUTH_USER=""
AUTH_PASS=""
TLS_MODE=""
CERT_SOURCE=""
KEY_SOURCE=""
START_NOW="no"
DRY_RUN="no"

print_help() {
  cat <<'EOF'
Eriol Streaming Server installer

Usage:
  curl -fsSL https://get.eriol.io/install.sh | bash -s -- [options]

Options:
  --host <domain|ip>         Public host for clients (required)
  --install-dir <path>       Install directory (default: ~/eriol-streaming-server)
  --http-port <port>         HTTP API port (default: 8080)
  --srt-port <port>          SRT ingest UDP port (default: 5000)
  --udp-min <port>           WebRTC UDP port min (default: 10000)
  --udp-max <port>           WebRTC UDP port max (default: 10100)
  --tls <self-signed|existing>
  --cert-path <path>         Existing cert path (host path)
  --key-path <path>          Existing key path (host path)
  --auth-user <user>         WHIP auth username
  --auth-pass <pass>         WHIP auth password
  --version <tag>            Docker image tag (default: latest)
  --start                     Start the server after install
  --dry-run                   Print actions without changing the system
  -h, --help                 Show this help
EOF
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    --host)
      PUBLIC_HOST="$2"
      shift 2
      ;;
    --install-dir)
      INSTALL_DIR="$2"
      shift 2
      ;;
    --http-port)
      HTTP_PORT="$2"
      shift 2
      ;;
    --srt-port)
      SRT_PORT="$2"
      shift 2
      ;;
    --udp-min)
      UDP_PORT_MIN="$2"
      shift 2
      ;;
    --udp-max)
      UDP_PORT_MAX="$2"
      shift 2
      ;;
    --tls)
      TLS_MODE="$2"
      shift 2
      ;;
    --cert-path)
      CERT_SOURCE="$2"
      shift 2
      ;;
    --key-path)
      KEY_SOURCE="$2"
      shift 2
      ;;
    --auth-user)
      AUTH_USER="$2"
      shift 2
      ;;
    --auth-pass)
      AUTH_PASS="$2"
      shift 2
      ;;
    --version)
      VERSION="$2"
      shift 2
      ;;
    --dry-run)
      DRY_RUN="yes"
      shift 1
      ;;
    --start)
      START_NOW="yes"
      shift 1
      ;;
    -h|--help)
      print_help
      exit 0
      ;;
    *)
      echo "Unknown option: $1"
      print_help
      exit 1
      ;;
  esac
done

if [[ "${DRY_RUN}" == "no" ]]; then
  if ! command -v docker >/dev/null 2>&1; then
    echo "Docker is required. Please install Docker first."
    exit 1
  fi

  if docker compose version >/dev/null 2>&1; then
    COMPOSE_CMD=("docker" "compose")
  elif command -v docker-compose >/dev/null 2>&1; then
    COMPOSE_CMD=("docker-compose")
  else
    echo "Docker Compose is required. Please install docker compose or docker-compose."
    exit 1
  fi
else
  COMPOSE_CMD=("docker" "compose")
fi

run_cmd() {
  if [[ "${DRY_RUN}" == "yes" ]]; then
    echo "[dry-run] $*"
    return 0
  fi
  "$@"
}

prompt_default() {
  local prompt="$1"
  local default="$2"
  local var
  read -rp "${prompt} [${default}]: " var
  if [[ -z "${var}" ]]; then
    echo "${default}"
  else
    echo "${var}"
  fi
}

if [[ -z "${PUBLIC_HOST}" ]]; then
  read -rp "Public host (domain or IP): " PUBLIC_HOST
fi

if [[ -z "${PUBLIC_HOST}" ]]; then
  echo "Public host is required."
  exit 1
fi

INSTALL_DIR="$(prompt_default "Install directory" "${INSTALL_DIR}")"
HTTP_PORT="$(prompt_default "HTTP port" "${HTTP_PORT}")"
SRT_PORT="$(prompt_default "SRT ingest port (UDP)" "${SRT_PORT}")"
RECORDINGS_DIR="${INSTALL_DIR}/recordings"

# API authentication credentials
echo ""
echo "API authentication credentials:"
if [[ -z "${AUTH_USER}" ]]; then
  AUTH_USER="$(prompt_default "  Username" "admin")"
fi
if [[ -z "${AUTH_PASS}" ]]; then
  read -rsp "  Password [auto-generate]: " AUTH_PASS
  echo ""
  if [[ -z "${AUTH_PASS}" ]]; then
    AUTH_PASS="$(head -c 16 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 16)"
    echo "  Auto-generated password: ${AUTH_PASS}"
  fi
fi

if [[ -z "${TLS_MODE}" ]]; then
  echo "TLS certificates:"
  echo "  1) Auto-firmado (self-signed)"
  echo "  2) Usar certificados existentes"
  read -rp "Elegi una opcion [1-2]: " TLS_CHOICE
  case "${TLS_CHOICE}" in
    1) TLS_MODE="self-signed" ;;
    2) TLS_MODE="existing" ;;
    *) TLS_MODE="self-signed" ;;
  esac
fi

if [[ "${TLS_MODE}" == "existing" ]]; then
  if [[ -z "${CERT_SOURCE}" ]]; then
    read -rp "Ruta del certificado (fullchain.pem o .crt): " CERT_SOURCE
  fi
  if [[ -z "${KEY_SOURCE}" ]]; then
    read -rp "Ruta de la key privada (.key): " KEY_SOURCE
  fi
  if [[ "${DRY_RUN}" == "no" ]]; then
    if [[ ! -f "${CERT_SOURCE}" ]]; then
      echo "Cert file not found: ${CERT_SOURCE}"
      exit 1
    fi
    if [[ ! -f "${KEY_SOURCE}" ]]; then
      echo "Key file not found: ${KEY_SOURCE}"
      exit 1
    fi
  fi
else
  TLS_MODE="self-signed"
  if [[ "${DRY_RUN}" == "no" ]]; then
    if ! command -v openssl >/dev/null 2>&1; then
      echo "openssl is required for self-signed certificates."
      exit 1
    fi
  fi
fi

run_cmd mkdir -p "${INSTALL_DIR}/config" "${INSTALL_DIR}/certs" "${RECORDINGS_DIR}" "${INSTALL_DIR}/logs" "${INSTALL_DIR}/screenshots"

if [[ "${TLS_MODE}" == "self-signed" ]]; then
  CERT_SOURCE="${INSTALL_DIR}/certs/server.crt"
  KEY_SOURCE="${INSTALL_DIR}/certs/server.key"
  if [[ "${DRY_RUN}" == "yes" ]]; then
    echo "[dry-run] Generating self-signed certificate for ${PUBLIC_HOST} at ${CERT_SOURCE} / ${KEY_SOURCE}"
  else
    if [[ ! -f "${CERT_SOURCE}" || ! -f "${KEY_SOURCE}" ]]; then
      echo "Generating self-signed certificate for ${PUBLIC_HOST}..."
      openssl req -x509 -nodes -newkey rsa:4096 \
        -keyout "${KEY_SOURCE}" \
        -out "${CERT_SOURCE}" \
        -days 365 \
        -subj "/CN=${PUBLIC_HOST}" \
        -addext "subjectAltName=DNS:${PUBLIC_HOST}" >/dev/null 2>&1
    fi
  fi
fi

if [[ "${DRY_RUN}" == "yes" ]]; then
  echo "[dry-run] Writing ${INSTALL_DIR}/config/config.toml"
else
  cat > "${INSTALL_DIR}/config/config.toml" <<EOF
# Eriol Streaming Server Configuration

[server]
# Server bind address
bind = "0.0.0.0"
http_port = ${HTTP_PORT}
# Public host (domain or IP) used for logs and client connections
public_host = "${PUBLIC_HOST}"

# TLS certificates
cert_path = "/app/config/cert.pem"
key_path = "/app/config/key.pem"

[auth]
username = "${AUTH_USER}"
password = "${AUTH_PASS}"

[srt]
port = ${SRT_PORT}
latency_ms = 120

[session]
grace_period_secs = 30
keepalive_timeout_secs = 60
max_sessions = 1

[webrtc]
# ICE servers for NAT traversal
[[webrtc.ice_servers]]
urls = ["stun:stun.l.google.com:19302"]

udp_port_min = ${UDP_PORT_MIN}
udp_port_max = ${UDP_PORT_MAX}

[stream]
default_width = 1920
default_height = 1080
default_framerate = 30
default_bitrate = 6000000
default_audio_bitrate = 128000
keyframe_interval_ms = 2000

[recording]
enabled = true
base_path = "/app/recordings"
format = "mp4"

[logging]
level = "info"
format = "json"
EOF
fi

if [[ "${DRY_RUN}" == "yes" ]]; then
  echo "[dry-run] Writing ${INSTALL_DIR}/docker-compose.yml"
else
  cat > "${INSTALL_DIR}/docker-compose.yml" <<EOF
version: '3.8'

services:
  eriol-server:
    image: eriolapp/server-streaming:${VERSION}
    container_name: eriol-streaming-server
    restart: unless-stopped

    ports:
      - "${HTTP_PORT}:8080"
      - "${SRT_PORT}:${SRT_PORT}/udp"
      - "${UDP_PORT_MIN}-${UDP_PORT_MAX}:${UDP_PORT_MIN}-${UDP_PORT_MAX}/udp"

    volumes:
      - ./config/config.toml:/app/config/config.toml:ro
      - ./recordings:/app/recordings
      - ./screenshots:/app/screenshots
      - ./logs:/app/logs

    environment:
      - RUST_LOG=info
      - GST_DEBUG=2
      - TZ=UTC

    healthcheck:
      test: ["CMD-SHELL", "curl -fk https://localhost:8080/api/health || curl -f http://localhost:8080/api/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
EOF
fi

if [[ "${DRY_RUN}" == "yes" ]]; then
  echo "[dry-run] Writing ${INSTALL_DIR}/docker-compose.override.yml"
else
  cat > "${INSTALL_DIR}/docker-compose.override.yml" <<EOF
services:
  eriol-server:
    volumes:
      - "${CERT_SOURCE}:/app/config/cert.pem:ro"
      - "${KEY_SOURCE}:/app/config/key.pem:ro"
EOF
fi

echo ""
echo "Install complete."
API_SCHEME="http"
if [[ "${TLS_MODE}" == "self-signed" || "${TLS_MODE}" == "existing" ]]; then
  API_SCHEME="https"
fi
echo "HTTP API:  ${API_SCHEME}://${PUBLIC_HOST}:${HTTP_PORT}"
echo "API v1:    ${API_SCHEME}://${PUBLIC_HOST}:${HTTP_PORT}/api/v1/sessions"
echo "SRT Ingest:${PUBLIC_HOST}:${SRT_PORT}/udp"
echo "WHIP (legacy): ${API_SCHEME}://${PUBLIC_HOST}:${HTTP_PORT}/whip"
echo "Auth:      ${AUTH_USER}:${AUTH_PASS}"
if [[ "${API_SCHEME}" == "https" ]]; then
  echo "Health:    curl -k https://${PUBLIC_HOST}:${HTTP_PORT}/api/health"
else
  echo "Health:    curl http://${PUBLIC_HOST}:${HTTP_PORT}/api/health"
fi
echo "Config:    ${INSTALL_DIR}/config/config.toml"

if [[ "${START_NOW}" == "yes" ]]; then
  echo "Starting server..."
  if [[ "${DRY_RUN}" == "yes" ]]; then
    echo "[dry-run] (cd ${INSTALL_DIR} && ${COMPOSE_CMD[*]} up -d)"
  else
    (cd "${INSTALL_DIR}" && "${COMPOSE_CMD[@]}" up -d)
  fi
fi