#!/usr/bin/env bash
# --------------------------------------------------------------
# Pterodactyl Panel – LAN‑only installer for Raspberry Pi OS
# --------------------------------------------------------------
# What it does:
#   • Installs Nginx, MariaDB, Redis, PHP‑8.2, Composer, Git, …
#   • Creates a local MySQL database (no remote access)
#   • Downloads the latest panel release, configures .env
#   • Runs migrations, seeds, creates an admin user (no prompts)
#   • Configures Nginx to listen on the Pi's LAN IP (or 0.0.0.0)
#   • Sets up a tiny ufw firewall that only allows HTTP from the LAN
#   • Installs a systemd service for the queue worker (pteroq)
#   • Prints a short “install summary”
#
# Requirements:
#   • Raspberry Pi OS (Debian‑based) – tested on 64‑bit Bullseye & Bookworm
#   • At least 1 GB RAM (2 GB+ recommended)
#   • Run the script as root (or with sudo)
#
# --------------------------------------------------------------

set -euo pipefail   # abort on error, treat unset vars as errors

# -------------------------------------------------------------------------
# 1️⃣  USER‑CONFIGURABLE SETTINGS – change them before you run the script
# -------------------------------------------------------------------------
# If you want a custom domain (e.g. panel.local) you can set APP_DOMAIN
# to that value.  The script will still bind to the LAN IP.
APP_DOMAIN="panel.local"
APP_DIR="/var/www/pterodactyl"
DB_NAME="panel"
DB_USER="pterodactyl"
DB_PASS="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)"   # random DB password
ADMIN_EMAIL="admin@local"
ADMIN_USERNAME="admin"
ADMIN_FIRST="Local"
ADMIN_LAST="Admin"
ADMIN_PASS="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)"   # random admin password
TIMEZONE="$(cat /etc/timezone 2>/dev/null || echo 'UTC')"

# -------------------------------------------------------------------------
# 2️⃣  INTERNAL VARIABLES – do NOT edit unless you know what you’re doing
# -------------------------------------------------------------------------
export DEBIAN_FRONTEND=noninteractive
PHP_VERSION="8.2"                     # version shipped with Pi OS
PHP_FPM_SERVICE="php${PHP_VERSION}-fpm"
COMPOSER_BIN="/usr/local/bin/composer"
NGINX_CONF="/etc/nginx/sites-available/pterodactyl"
NGINX_LINK="/etc/nginx/sites-enabled/pterodactyl"

# -------------------------------------------------------------------------
# 3️⃣  HELPERS
# -------------------------------------------------------------------------
env_set() {
    # $1 = key, $2 = value
    local key=$1 value=$2
    if grep -q "^${key}=" .env; then
        sed -i "s|^${key}=.*|${key}=${value}|g" .env
    else
        echo "${key}=${value}" >> .env
    fi
}

# -------------------------------------------------------------------------
# 4️⃣  PRE‑FLIGHT CHECKS
# -------------------------------------------------------------------------
if [[ $EUID -ne 0 ]]; then
    echo "❌  This script must be run as root. Use: sudo $0"
    exit 1
fi

if [[ -d "$APP_DIR" ]]; then
    echo "❌  Directory $APP_DIR already exists – aborting to avoid overwriting."
    exit 1
fi

if ! command -v apt-get >/dev/null 2>&1; then
    echo "❌  apt-get not found – this script only works on Debian‑based systems."
    exit 1
fi

# -------------------------------------------------------------------------
# 5️⃣  DETERMINE LAN IP (the address that other Wi‑Fi devices will use)
# -------------------------------------------------------------------------
# We look for the first non‑loopback, non‑docker, IPv4 address.
LAN_IP=$(ip -4 addr show scope global | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -n1 || true)

if [[ -z "$LAN_IP" ]]; then
    echo "⚠️  Could not auto‑detect a LAN IP. Falling back to 0.0.0.0 (listen on all interfaces)."
    LAN_IP="0.0.0.0"
fi

APP_URL="http://${LAN_IP}"
echo "🔎  Detected LAN IP: $LAN_IP → APP_URL will be $APP_URL"

# -------------------------------------------------------------------------
# 6️⃣  UPDATE & INSTALL DEPENDENCIES
# -------------------------------------------------------------------------
echo "🔧  [1/10] Updating package list and installing required packages…"
apt-get update -y
apt-get upgrade -y

apt-get install -y \
    nginx \
    mariadb-server \
    redis-server \
    php${PHP_VERSION}-fpm php${PHP_VERSION}-cli php${PHP_VERSION}-mysql php${PHP_VERSION}-gd \
    php${PHP_VERSION}-zip php${PHP_VERSION}-mbstring php${PHP_VERSION}-bcmath php${PHP_VERSION}-xml \
    php${PHP_VERSION}-curl php${PHP_VERSION}-intl php${PHP_VERSION}-redis \
    curl unzip git ca-certificates gnupg lsb-release software-properties-common ufw

# Enable & start services
systemctl enable --now mariadb
systemctl enable --now redis-server
systemctl enable --now nginx
systemctl enable --now "${PHP_FPM_SERVICE}"

# -------------------------------------------------------------------------
# 7️⃣  INSTALL COMPOSER (global)
# -------------------------------------------------------------------------
if ! command -v composer >/dev/null 2>&1; then
    echo "🔧  [2/10] Installing Composer…"
    EXPECTED_CHECKSUM="$(curl -s https://composer.github.io/installer.sig)"
    php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
    ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
    if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]; then
        echo "❌  Composer installer corrupt – aborting."
        rm composer-setup.php
        exit 1
    fi
    php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
    rm composer-setup.php
else
    echo "✅  Composer already installed."
fi

# -------------------------------------------------------------------------
# 8️⃣  DATABASE SETUP (local only)
# -------------------------------------------------------------------------
echo "🔧  [3/10] Creating MySQL database and user…"
# MariaDB on Pi OS uses unix_socket auth for root, so we can run as root without a password.
mysql -u root <<SQL
CREATE DATABASE IF NOT EXISTS \`${DB_NAME}\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS '${DB_USER}'@'127.0.0.1' IDENTIFIED BY '${DB_PASS}';
GRANT ALL PRIVILEGES ON \`${DB_NAME}\`.* TO '${DB_USER}'@'127.0.0.1';
FLUSH PRIVILEGES;
SQL

# -------------------------------------------------------------------------
# 9️⃣  DOWNLOAD & SETUP PTERODACTYL PANEL
# -------------------------------------------------------------------------
echo "🔧  [4/10] Downloading latest Pterodactyl Panel…"
mkdir -p "${APP_DIR}"
cd "$(dirname "${APP_DIR}")"

# Grab the latest release tarball from GitHub (fallback to static URL if API rate‑limited)
LATEST_URL=$(curl -s https://api.github.com/repos/pterodactyl/panel/releases/latest \
    | grep browser_download_url | grep ".tar.gz" | cut -d '"' -f 4)

if [[ -z "$LATEST_URL" ]]; then
    echo "❌  Could not fetch latest release URL – aborting."
    exit 1
fi

curl -L "$LATEST_URL" -o panel.tar.gz
tar -xzf panel.tar.gz --strip-components=1 -C "${APP_DIR}"
rm panel.tar.gz

# Permissions – Nginx runs as www-data
chown -R www-data:www-data "${APP_DIR}"
chmod -R 755 "${APP_DIR}"

# -------------------------------------------------------------------------
# 🔟  LARAVEL .ENV CONFIGURATION
# -------------------------------------------------------------------------
echo "🔧  [5/10] Preparing Laravel .env file…"
cd "${APP_DIR}"
cp .env.example .env

env_set "APP_URL" "${APP_URL}"
env_set "APP_TIMEZONE" "${TIMEZONE}"
env_set "APP_ENV" "production"
env_set "APP_DEBUG" "false"
env_set "DB_CONNECTION" "mysql"
env_set "DB_HOST" "127.0.0.1"
env_set "DB_PORT" "3306"
env_set "DB_DATABASE" "${DB_NAME}"
env_set "DB_USERNAME" "${DB_USER}"
env_set "DB_PASSWORD" "${DB_PASS}"
env_set "CACHE_DRIVER" "redis"
env_set "SESSION_DRIVER" "redis"
env_set "QUEUE_CONNECTION" "redis"
env_set "REDIS_HOST" "127.0.0.1"
env_set "REDIS_PASSWORD" "null"
env_set "REDIS_PORT" "6379"

# -------------------------------------------------------------------------
# 1️⃣1️⃣  COMPOSER DEPENDENCIES & LARAVEL KEY
# -------------------------------------------------------------------------
echo "🔧  [6/10] Installing PHP dependencies via Composer…"
sudo -u www-data composer install --no-dev --optimize-autoloader

echo "🔧  [7/10] Generating application key…"
sudo -u www-data php artisan key:generate --force

# -------------------------------------------------------------------------
# 1️⃣2️⃣  DATABASE MIGRATIONS & SEEDING
# -------------------------------------------------------------------------
echo "🔧  [8/10] Running migrations and seeding…"
sudo -u www-data php artisan migrate --seed --force

# -------------------------------------------------------------------------
# 1️⃣3️⃣  CREATE ADMIN USER (non‑interactive)
# -------------------------------------------------------------------------
echo "🔧  [9/10] Creating admin user…"
ADMIN_INPUT=$(cat <<EOF
${ADMIN_EMAIL}
${ADMIN_USERNAME}
${ADMIN_FIRST}
${ADMIN_LAST}
${ADMIN_PASS}
${ADMIN_PASS}
y
EOF
)
echo "$ADMIN_INPUT" | sudo -u www-data php artisan p:user:make --admin --no-interaction

# -------------------------------------------------------------------------
# 1️⃣4️⃣  NGINX CONFIGURATION (LAN‑only)
# -------------------------------------------------------------------------
echo "🔧  [10/10] Configuring Nginx (listen on ${LAN_IP:-0.0.0.0})…"
cat > "${NGINX_CONF}" <<NGX
server {
    # Listen on the detected LAN IP; if detection failed we fall back to 0.0.0.0
    listen ${LAN_IP}:80;
    server_name ${APP_DOMAIN};

    root ${APP_DIR}/public;
    index index.php;

    access_log /var/log/nginx/pterodactyl.access.log;
    error_log  /var/log/nginx/pterodactyl.error.log;

    client_max_body_size 100M;
    client_body_timeout 120s;

    location / {
        try_files \$uri \$uri/ /index.php?\$query_string;
    }

    location ~ \.php\$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)\$;
        fastcgi_pass unix:/run/php/php${PHP_VERSION}-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_param HTTP_PROXY "";
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}
NGX

ln -sf "${NGINX_CONF}" "${NGINX_LINK}"
nginx -t && systemctl reload nginx

# -------------------------------------------------------------------------
# 1️⃣5️⃣  FIREWALL – allow HTTP only from the local subnet
# -------------------------------------------------------------------------
echo "🔧  Setting up ufw firewall (allow LAN, block everything else)…"
ufw --force reset
ufw default deny incoming
ufw default allow outgoing

# Allow SSH (so you don’t lock yourself out)
ufw allow OpenSSH

# Allow HTTP from the local subnet (assumes /24 – adjust if you use a different mask)
LAN_SUBNET=$(ip -4 addr show scope global | grep -oP '(?<=inet\s)\d+\.\d+\.\d+\.0/24' | head -n1 || true)
if [[ -z "$LAN_SUBNET" ]]; then
    # Fallback – allow from any 192.168.*.* and 10.*.*.* networks
    ufw allow from 192.168.0.0/16 to any port 80 comment "Pterodactyl LAN"
    ufw allow from 10.0.0.0/8 to any port 80 comment "Pterodactyl LAN"
else
    ufw allow from "${LAN_SUBNET}" to any port 80 comment "Pterodactyl LAN"
fi

ufw enable

# -------------------------------------------------------------------------
# 1️⃣6️⃣  QUEUE WORKER SERVICE (pteroq)
# -------------------------------------------------------------------------
echo "🔧  Installing systemd service for the queue worker (pteroq)…"
cat > /etc/systemd/system/pteroq.service <<SERVICE
[Unit]
Description=Pterodactyl Queue Worker
After=network.target redis-server.service mariadb.service

[Service]
User=www-data
Group=www-data
Restart=always
WorkingDirectory=${APP_DIR}
ExecStart=/usr/bin/php ${APP_DIR}/artisan queue:work --queue=high,standard,low --sleep=3 --tries=3

[Install]
WantedBy=multi-user.target
SERVICE

systemctl daemon-reload
systemctl enable --now pteroq

# -------------------------------------------------------------------------
# 1️⃣7️⃣  FINAL SUMMARY
# -------------------------------------------------------------------------
echo
echo "============================================================"
echo "✅  Pterodactyl Panel installed successfully!"
echo
echo "Panel URL          : ${APP_URL}"
echo "Admin username     : ${ADMIN_USERNAME}"
echo "Admin email        : ${ADMIN_EMAIL}"
echo "Admin password     : ${ADMIN_PASS}"
echo
echo "Database"
echo "  Name             : ${DB_NAME}"
echo "  User             : ${DB_USER}"
echo "  Password         : ${DB_PASS}"
echo
echo "Nginx is listening on ${LAN_IP}:80 – any device on the same Wi‑Fi"
echo "subnet can open http://${LAN_IP} (or http://${APP_DOMAIN} if you set up"
echo "local DNS/hosts entries)."
echo
echo "UFW firewall:"
echo "  • SSH (port 22) is allowed"
echo "  • HTTP (port 80) is allowed only from the local subnet"
echo "  • All other inbound traffic is blocked"
echo
echo "Queue worker (pteroq) runs as a systemd service."
echo "If you ever need to restart it: sudo systemctl restart pteroq"
echo "============================================================"
echo

exit 0