#!/bin/bash
# KYRA MDR Collector — One-line installer
# Usage:
#   curl -fsSL https://kyramdr.com/downloads/install.sh | sudo bash -s -- KYRA-LICENSE-KEY
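# Or with env vars (set them on the sudo side of the pipe: a variable placed in
# front of curl reaches only curl, not the shell that runs this script):
#   curl -fsSL https://kyramdr.com/downloads/install.sh | sudo KYRA_LICENSE_KEY=KYRA-... bash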
#
# Options (env vars):
#   KYRA_VERSION=0.1.0          Version to install (default: latest)
#   KYRA_INSTALL_DIR=/opt/kyra  Install directory (default: /opt/kyra/collector)
#   KYRA_COLLECTOR_ID=my-host   Collector ID (default: hostname)
#   KYRA_GATEWAY=host:13011     Gateway endpoint (default: collector.kyramdr.com:13011)
#   KYRA_LICENSE_KEY=KYRA-...   License key
#   KYRA_BASE_URL=...           Override base download URL (default auto-detect)

# Strict mode: stop on any failing command, on use of an unset variable, and
# when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail

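# ── Colors ──
# ANSI colour sequences, stored with a literal backslash and expanded by
# printf's %b at print time.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'

# Status helpers; each takes the message as $1 and writes one line to stdout.
# Only the colour prefix goes through %b. The message is printed with %s, so a
# backslash sequence inside it stays literal text: messages embed URLs, paths
# and the hash read from the downloaded SHA256SUMS file, and `echo -e` would
# have turned such sequences into terminal control characters.
info()  { printf '%b==>%b %s\n' "$CYAN" "$NC" "$1"; }
ok()    { printf '%b  ✓%b %s\n' "$GREEN" "$NC" "$1"; }
warn()  { printf '%b  !%b %s\n' "$YELLOW" "$NC" "$1"; }
# Prints the message, then terminates the installer with status 1.
err()   { printf '%b  ✗%b %s\n' "$RED" "$NC" "$1"; exit 1; }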

# ── Config ──
# Each setting is read from its KYRA_* environment variable and falls back to
# the built-in default when that variable is unset or empty.
VERSION=${KYRA_VERSION:-latest}
INSTALL_DIR=${KYRA_INSTALL_DIR:-/opt/kyra/collector}
GATEWAY=${KYRA_GATEWAY:-collector.kyramdr.com:13011}
BASE_URL=${KYRA_BASE_URL:-https://kyramdr.com/downloads}

# Collector ID: the environment wins; otherwise use the output of hostname.
COLLECTOR_ID=${KYRA_COLLECTOR_ID:-}
if [ -z "$COLLECTOR_ID" ]; then
    COLLECTOR_ID=$(hostname)
fi

# License key: the environment wins, then the first positional argument, else
# empty. NOTE(review): a key passed as a positional argument appears in the
# process list for as long as the installer runs.
LICENSE_KEY=${KYRA_LICENSE_KEY:-}
if [ -z "$LICENSE_KEY" ]; then
    LICENSE_KEY=${1:-}
fi

# ── Banner ──
echo ""
for banner_line in \
    "╔══════════════════════════════════════╗" \
    "║     KYRA Collector Installer         ║" \
    "╚══════════════════════════════════════╝"; do
    echo -e "${CYAN}${banner_line}${NC}"
done
echo ""

# ── Check root ──
# The steps that follow create the install directory and, on Linux, write a
# systemd unit, so the installer refuses to continue without UID 0.
if test "$(id -u)" -ne 0; then
    err "Please run as root: curl -fsSL ... | sudo bash"
fi

# ── Detect platform ──
# Normalise `uname` output into the OS/ARCH pair used to name the release asset.
RAW_OS=$(uname -s | tr '[:upper:]' '[:lower:]')
RAW_ARCH=$(uname -m)

# Only Linux and macOS kernels are accepted; the lower-cased name is used as-is.
if [ "$RAW_OS" = "linux" ] || [ "$RAW_OS" = "darwin" ]; then
    OS="$RAW_OS"
else
    err "Unsupported OS: $RAW_OS (this installer supports linux and darwin only)"
fi

# Both spellings of each supported CPU family map onto one asset suffix.
if [ "$RAW_ARCH" = "x86_64" ] || [ "$RAW_ARCH" = "amd64" ]; then
    ARCH="x86_64"
elif [ "$RAW_ARCH" = "aarch64" ] || [ "$RAW_ARCH" = "arm64" ]; then
    ARCH="arm64"
else
    err "Unsupported architecture: $RAW_ARCH"
fi

ASSET="collector-${OS}-${ARCH}"
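info "Platform: ${OS}/${ARCH}"
info "Version: ${VERSION}"

# ── Build download URLs ──
# "latest" is an ordinary path component under the base URL, so one template
# covers both the default channel and a pinned version.
BIN_URL="${BASE_URL}/${VERSION}/${ASSET}"
SUMS_URL="${BASE_URL}/${VERSION}/SHA256SUMS"

info "Source: ${BIN_URL}"

# The file fetched from this URL is installed and executed as root. The default
# base URL is https://; a KYRA_BASE_URL override with another scheme leaves the
# transfer without server authentication or integrity protection, and
# SHA256SUMS is fetched from the same place, so say so before downloading.
case "$BASE_URL" in
    https://*|HTTPS://*) ;;
    *) warn "Download URL is not https:// — the transfer is not authenticated" ;;
esac

# ── Verify URL is reachable ──
# HEAD request only; -f makes curl exit non-zero on an HTTP error status.
if ! curl -fsSL --head "$BIN_URL" >/dev/null 2>&1; then
    err "Could not find collector binary at ${BIN_URL}. Try: KYRA_VERSION=0.1.0 ..."
fi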

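# ── Download binary ──
info "Downloading collector..."
# mktemp picks unpredictable names; the trap removes both files on every exit
# path, including the err() exits further down.
TMP_BIN=$(mktemp)
TMP_SUMS=$(mktemp)
trap 'rm -f "$TMP_BIN" "$TMP_SUMS"' EXIT
# For an https:// source, pin curl to HTTPS so a redirect followed by -L cannot
# move the transfer onto another protocol. Other schemes (reachable only
# through a KYRA_BASE_URL override) keep curl's default behaviour.
case "$BIN_URL" in
    https://*) curl -fsSL --proto '=https' --proto-redir '=https' "$BIN_URL" -o "$TMP_BIN" ;;
    *)         curl -fsSL "$BIN_URL" -o "$TMP_BIN" ;;
esac
ok "Downloaded $(du -h "$TMP_BIN" | cut -f1)"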

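# ── Verify SHA256 ──
# Best-effort by default: when SHA256SUMS cannot be fetched or has no entry for
# this asset, the installer warns and continues with an unverified binary.
# Set KYRA_REQUIRE_CHECKSUM=1 to fail closed in those two cases instead.
# NOTE: SHA256SUMS is fetched from the same location as the binary, so a match
# detects a corrupted or truncated download; it does not prove who published
# the release.
REQUIRE_CHECKSUM="${KYRA_REQUIRE_CHECKSUM:-0}"
if curl -fsSL "$SUMS_URL" -o "$TMP_SUMS" 2>/dev/null && [ -s "$TMP_SUMS" ]; then
    info "Verifying checksum..."
    # Match the file-name field exactly (no regex), accept the "*" binary-mode
    # marker and a trailing CR, take the first matching entry only, and
    # lower-case the hash so it compares equal to the tools' output.
    EXPECTED=$(awk -v asset="$ASSET" '
        {
            name = $2
            sub(/\r$/, "", name)
            sub(/^\*/, "", name)
        }
        name == asset { print tolower($1); exit }
    ' "$TMP_SUMS")
    if [ -n "$EXPECTED" ]; then
        # The value comes from a downloaded file: require exactly 64 hex digits
        # before comparing it or printing it.
        if [ "${#EXPECTED}" -ne 64 ] || [ -n "${EXPECTED//[0-9a-f]/}" ]; then
            err "Malformed checksum entry for ${ASSET} in SHA256SUMS"
        fi
        if command -v sha256sum >/dev/null 2>&1; then
            ACTUAL=$(sha256sum "$TMP_BIN" | awk '{print $1}')
        elif command -v shasum >/dev/null 2>&1; then
            ACTUAL=$(shasum -a 256 "$TMP_BIN" | awk '{print $1}')
        else
            err "Neither sha256sum nor shasum is available — cannot verify checksum"
        fi
        if [ "$EXPECTED" != "$ACTUAL" ]; then
            err "Checksum mismatch! Expected: $EXPECTED, got: $ACTUAL"
        fi
        ok "SHA256 verified"
    else
        if [ "$REQUIRE_CHECKSUM" = "1" ]; then
            err "No checksum entry for ${ASSET} in SHA256SUMS (KYRA_REQUIRE_CHECKSUM=1)"
        fi
        warn "No checksum entry for ${ASSET} in SHA256SUMS — skipping verification"
    fi
else
    if [ "$REQUIRE_CHECKSUM" = "1" ]; then
        err "SHA256SUMS not available (KYRA_REQUIRE_CHECKSUM=1)"
    fi
    warn "SHA256SUMS not available — skipping checksum verification"
fi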

# ── Verify it's an executable ──
# Linux only: ask file(1) to describe the download and require a description
# matching "ELF … executable". This rejects a download that is not a program at
# all; it says nothing about who built the binary.
# NOTE(review): some file(1) versions describe position-independent
# executables as "shared object", which this pattern would reject — confirm
# against the published build.
if [ "$OS" = "linux" ] && ! file "$TMP_BIN" 2>/dev/null | grep -q "ELF.*executable"; then
    err "Downloaded file is not a valid Linux ELF executable"
fi

chmod +x "$TMP_BIN"

# ── Install ──
# Create the directory layout, then move the downloaded file into place.
# NOTE(review): KYRA_INSTALL_DIR is used as given; the binary placed here is
# later run as root, so the directory should not be writable by other users.
info "Installing to $INSTALL_DIR..."
for subdir in bin config logs buffer; do
    mkdir -p "$INSTALL_DIR/$subdir"
done

COLLECTOR_BIN="$INSTALL_DIR/bin/collector"
mv "$TMP_BIN" "$COLLECTOR_BIN"
chmod +x "$COLLECTOR_BIN"
ok "Binary installed: $COLLECTOR_BIN"

# ── Version check ──
# First execution of the downloaded file. It runs as root, and it runs even
# when the checksum step above was skipped. A failing --version is reported as
# "unknown" rather than aborting the install.
INSTALLED_VERSION=$("$COLLECTOR_BIN" --version 2>/dev/null || echo "unknown")
ok "Version: $INSTALLED_VERSION"

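# ── Generate config ──
# An existing config is never overwritten. A new one is written under umask 077
# so it is created with mode 0600: it holds the license key, and the systemd
# unit installed by this script sets no User=, so the collector reads it as root.
#
# COLLECTOR_ID, GATEWAY, LICENSE_KEY and INSTALL_DIR are substituted as-is
# inside double-quoted YAML scalars; a value containing a double quote or a
# newline would produce a malformed or altered config.
#
# The generated defaults enable the EDR receiver on 0.0.0.0:5055 and syslog on
# 0.0.0.0:514/udp, i.e. on every interface. Edit bind_address or restrict the
# ports with a host firewall if that is wider than intended.
CONFIG_FILE="$INSTALL_DIR/config/collector.yaml"
if [ ! -f "$CONFIG_FILE" ]; then
    info "Generating config..."
    (
        # Subshell keeps the tightened umask from leaking into later steps.
        umask 077
        cat > "$CONFIG_FILE" << YAML
collector:
  collector_id: "$COLLECTOR_ID"
  gateway_endpoint: "${GATEWAY}"
  license_key: "${LICENSE_KEY:-CHANGE_ME}"

inputs:
  edr_receiver:
    enabled: true
    bind_address: "0.0.0.0:5055"

  syslog:
    enabled: true
    bind_address: "0.0.0.0:514"
    protocol: "udp"

  file_tail:
    enabled: false
    paths: []

  ndr:
    enabled: false

buffer:
  path: "$INSTALL_DIR/buffer"
  max_size_mb: 512

logging:
  level: info
  file: "$INSTALL_DIR/logs/collector.log"
YAML
    )
    ok "Config: $CONFIG_FILE"
else
    warn "Config already exists — skipping"
fi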

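# ── Create systemd service (Linux only) ──
# Writes the unit, enables it and (re)starts the collector.
# The unit sets no User=, so the collector runs as root; ProtectSystem=strict
# (with buffer/ and logs/ writable), NoNewPrivileges and PrivateTmp are the only
# restrictions applied.
# NOTE: INSTALL_DIR is written unquoted into ExecStart, WorkingDirectory and
# ReadWritePaths, so an install directory containing whitespace yields a
# broken unit.
if [ "$OS" = "linux" ] && command -v systemctl >/dev/null 2>&1; then
    info "Installing systemd service..."
    cat > /etc/systemd/system/kyra-collector.service << EOF
[Unit]
Description=KYRA MDR Collector Agent
Documentation=https://docs.kyramdr.com
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=$INSTALL_DIR/bin/collector --config $INSTALL_DIR/config/collector.yaml
Restart=always
RestartSec=5
LimitNOFILE=65536
WorkingDirectory=$INSTALL_DIR

# Security hardening
ProtectSystem=strict
ReadWritePaths=$INSTALL_DIR/buffer $INSTALL_DIR/logs
NoNewPrivileges=true
PrivateTmp=true

Environment=RUST_LOG=info

[Install]
WantedBy=multi-user.target
EOF

    systemctl daemon-reload
    systemctl enable kyra-collector
    ok "Service installed: kyra-collector"

    info "Starting service..."
    # restart rather than start: when the installer is re-run over a running
    # service, `start` is a no-op and the old binary would keep executing.
    # A failure here must not abort under `set -e`; the is-active check below
    # reports it together with the journalctl hint.
    systemctl restart kyra-collector || true
    sleep 2

    if systemctl is-active --quiet kyra-collector; then
        ok "Service is running"
    else
        warn "Service failed to start — check: journalctl -u kyra-collector"
    fi
fi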

# ── Summary ──
# Final report: where things were installed and how to manage the service.
echo ""
for box_line in \
    "╔══════════════════════════════════════╗" \
    "║     Installation Complete!           ║" \
    "╚══════════════════════════════════════╝"; do
    echo -e "${GREEN}${box_line}${NC}"
done
echo ""
for summary_line in \
    "  Binary:   $INSTALL_DIR/bin/collector" \
    "  Config:   $INSTALL_DIR/config/collector.yaml" \
    "  Logs:     $INSTALL_DIR/logs/collector.log" \
    "  Service:  kyra-collector"; do
    echo -e "$summary_line"
done
echo ""
echo -e "  ${CYAN}Commands:${NC}"
for action in status restart; do
    echo -e "    sudo systemctl $action kyra-collector"
done
echo -e "    sudo journalctl -u kyra-collector -f"
echo ""

# No usable license key was supplied: point at the config file and the console.
case "$LICENSE_KEY" in
    ""|CHANGE_ME)
        echo -e "  ${YELLOW}Next: add your license key to config:${NC}"
        echo -e "    sudo nano $INSTALL_DIR/config/collector.yaml"
        echo -e "    sudo systemctl restart kyra-collector"
        echo ""
        echo -e "  ${CYAN}Get a license at https://console.kyramdr.com/settings?tab=collector-keys${NC}"
        echo ""
        ;;
esac
