#!/usr/bin/env bash
#
# tmuxapp installer (Debian/Ubuntu)
#
#   curl -fsSL https://tmuxapp.com/install.sh | bash
#
# Installs system deps (tmux/git), Bun, the app, and a systemd service that runs
# it as the current user. Configure via env vars:
#
#   TMUXAPP_REPO   git URL to clone            (REQUIRED unless already cloned)
#   TMUXAPP_REF    branch/tag to check out     (default: main)
#   INSTALL_DIR    where to install            (default: /opt/tmuxapp)
#   PORT           port to listen on           (default: 3000)
#   HOST_BIND      bind address                (default: 127.0.0.1, for a proxy)
#   INSTALL_SERVICE  set to 0 to skip systemd  (default: 1)
#   SERVICE_NAME   systemd unit name           (default: tmuxapp)
#
# Example:
#   curl -fsSL https://tmuxapp.com/install.sh | TMUXAPP_REPO=https://github.com/you/tmuxapp.git bash
#
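# Strict mode: stop on command failure, on unset variables, and on a failure
# in any stage of a pipeline.
set -euo pipefail

# Settings. Each one can be overridden from the environment; the value after
# ":-" is the default used when the variable is unset or empty.
INSTALL_DIR="${INSTALL_DIR:-/opt/tmuxapp}"
PORT="${PORT:-3000}"
HOST_BIND="${HOST_BIND:-127.0.0.1}"
# Placeholder default: the fetch step refuses to clone while this is unchanged.
TMUXAPP_REPO="${TMUXAPP_REPO:-https://github.com/REPLACE-ME/tmuxapp.git}"
TMUXAPP_REF="${TMUXAPP_REF:-main}"
SERVICE_NAME="${SERVICE_NAME:-tmuxapp}"
INSTALL_SERVICE="${INSTALL_SERVICE:-1}"

# The invoking account: it owns the install directory and is written into the
# unit's User= line further down.
RUN_USER="$(id -un)"
# Home directory from the passwd database. `|| true` (and the silenced stderr)
# keep a missing or failing getent from aborting the script under
# `set -e` + pipefail, so the $HOME fallback on the next line can apply.
USER_HOME="$(getent passwd "$RUN_USER" 2>/dev/null | cut -d: -f6 || true)"
USER_HOME="${USER_HOME:-$HOME}"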

# Print a progress line on stdout: bold magenta "▸" marker, then the message.
# Arguments: $@ - message words, joined with spaces
c_step() {
  local msg="$*"
  printf '\033[1;35m▸\033[0m %s\n' "$msg"
}
# Print a warning line on stdout: bold yellow "!" marker, then the message.
# Arguments: $@ - message words, joined with spaces
c_warn() {
  local msg="$*"
  printf '\033[1;33m!\033[0m %s\n' "$msg"
}
# Print an error line on stderr: bold red "✗" marker, then the message.
# Arguments: $@ - message words, joined with spaces
c_err() {
  local msg="$*"
  printf '\033[1;31m✗\033[0m %s\n' "$msg"
} >&2

# Execute the given command line with root privileges.
# When the script already runs as uid 0 the command is run directly;
# otherwise it is handed to sudo. Arguments are passed through unchanged.
# Returns: the exit status of the command (or of sudo).
as_root() {
  if [ "$(id -u)" -eq 0 ]; then
    "$@"
    return
  fi
  sudo "$@"
}

# Preflight: the apt and systemd steps go through as_root, so a non-root
# caller must have sudo available. Bail out early otherwise.
if [ "$(id -u)" -ne 0 ]; then
  if ! command -v sudo >/dev/null 2>&1; then
    c_err "This installer needs root or sudo (for apt + systemd)."
    exit 1
  fi
fi

# ── 1. System packages ────────────────────────────────────────────────────────
# Only apt-based systems are handled automatically; anywhere else the user is
# told which tools to provide and the script carries on.
if ! command -v apt-get >/dev/null 2>&1; then
  c_warn "Not a Debian/apt system — ensure tmux, git, curl, unzip are installed."
else
  c_step "Installing system packages (tmux, git, curl, unzip)…"
  as_root apt-get update -y
  # ca-certificates is installed alongside the tools named in the message;
  # --no-install-recommends keeps the package set to what is listed here.
  as_root apt-get install -y --no-install-recommends tmux git curl unzip ca-certificates
fi

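# ── 2. Bun ────────────────────────────────────────────────────────────────────
# Locate an existing Bun: first on PATH, then in the per-user location under
# $USER_HOME. Only when neither exists is the upstream installer fetched.
BUN="$(command -v bun || true)"
if [ -z "$BUN" ] && [ -x "$USER_HOME/.bun/bin/bun" ]; then
  BUN="$USER_HOME/.bun/bin/bun"
fi
if [ -z "$BUN" ]; then
  c_step "Installing Bun…"
  # Download the installer completely before running it, so an interrupted
  # transfer can never leave bash executing a truncated script.
  # NOTE(review): the installer is trusted on TLS alone; no checksum or
  # signature is pinned here. Pre-install Bun from a vetted source if your
  # environment requires verified artifacts — this step is then skipped.
  bun_installer="$(mktemp)"
  if ! curl -fsSL -o "$bun_installer" https://bun.sh/install; then
    rm -f -- "$bun_installer"
    c_err "Could not download the Bun installer."
    exit 1
  fi
  bun_rc=0
  # stdin is detached: when this script itself is piped into bash, a child
  # reading stdin would consume the rest of the script.
  bash "$bun_installer" </dev/null || bun_rc=$?
  rm -f -- "$bun_installer"
  if [ "$bun_rc" -ne 0 ]; then
    c_err "The Bun installer exited with status $bun_rc."
    exit 1
  fi
  BUN="$USER_HOME/.bun/bin/bun"
fi
# Fail here, with a clear message, rather than later at dependency install
# or in a unit file whose ExecStart points at a missing binary.
if [ ! -x "$BUN" ]; then
  c_err "Bun was not found at $BUN."
  exit 1
fi
c_step "Bun: $("$BUN" --version) ($BUN)"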

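# ── 3. Fetch the app ──────────────────────────────────────────────────────────
# The install directory is created as root, then handed to the invoking user
# so the git and bun steps below run without elevated privileges.
#
# NOTE(review): TMUXAPP_REF defaults to the moving branch "main", and nothing
# here verifies what was fetched. Whatever the remote serves for that ref is
# what the service will execute; set TMUXAPP_REF to a tag you trust for
# repeatable installs.
as_root mkdir -p "$INSTALL_DIR"
as_root chown "$RUN_USER:$(id -gn "$RUN_USER")" "$INSTALL_DIR"

if [ -d "$INSTALL_DIR/.git" ]; then
  c_step "Updating existing checkout in $INSTALL_DIR…"
  git -C "$INSTALL_DIR" fetch --depth 1 origin "$TMUXAPP_REF"
  # Check out exactly what was just fetched. The previous
  # `reset --hard origin/<ref> 2>/dev/null || true` hid its own failure, so an
  # update could report success while the old code stayed in place. FETCH_HEAD
  # resolves for branches and tags alike; HEAD is left detached.
  git -C "$INSTALL_DIR" checkout -f --detach FETCH_HEAD
elif [ -f "$INSTALL_DIR/package.json" ]; then
  # Files were placed here by other means; use them as they are.
  c_step "Using existing files in $INSTALL_DIR (no git)…"
else
  # Fresh install: refuse to clone from the placeholder default URL.
  if [ "$TMUXAPP_REPO" = "https://github.com/REPLACE-ME/tmuxapp.git" ]; then
    c_err "Set TMUXAPP_REPO to your repo URL (or place the app in $INSTALL_DIR first)."
    exit 1
  fi
  c_step "Cloning $TMUXAPP_REPO@$TMUXAPP_REF → $INSTALL_DIR…"
  git clone --depth 1 --branch "$TMUXAPP_REF" "$TMUXAPP_REPO" "$INSTALL_DIR"
fi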

# ── 4. Dependencies ───────────────────────────────────────────────────────────
# Runs in a subshell so the directory change does not leak into the rest of
# the script. --frozen-lockfile installs from the committed lockfile.
c_step "Installing dependencies…"
(
  cd "$INSTALL_DIR" || exit 1
  "$BUN" install --frozen-lockfile
)

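# ── 5. Config (.env) ──────────────────────────────────────────────────────────
# Written only on first install; an existing .env is never modified.
# The file holds the panel password, so it is created readable by its owner
# only. Under the usual default umask it would otherwise be readable by
# every local account.
ENV_FILE="$INSTALL_DIR/.env"
if [ ! -f "$ENV_FILE" ]; then
  # Random bytes → base64 → alphanumerics only → first 24 characters.
  PW="$(head -c 24 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 24)"
  c_step "Writing $ENV_FILE (generated password)…"
  (
    # Restrictive umask in a subshell: the file is created 0600 from the
    # start, and the rest of the script keeps its original umask.
    umask 077
    cat > "$ENV_FILE" <<EOF
APP_PASSWORD=$PW
HOST=$HOST_BIND
PORT=$PORT
DATABASE_URL=$INSTALL_DIR/lifeweb.db
SESSION_COMMAND=claude
# Safer default for a networked server. Use bypassPermissions for full tool access.
CHAT_PERMISSION_MODE=dontAsk
EOF
  )
  # Set the mode explicitly too, in case the path already existed as
  # something other than a regular file.
  chmod 600 "$ENV_FILE"
  # Kept so the summary at the end can show the password once.
  GENERATED_PW="$PW"
else
  c_warn "$ENV_FILE already exists — leaving it unchanged."
fi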

# ── 6. Claude Code check ──────────────────────────────────────────────────────
# Advisory only: look for `claude` on PATH or in the user's ~/.local/bin and
# print a reminder when it is in neither place. Nothing is installed here.
if command -v claude >/dev/null 2>&1 || [ -x "$USER_HOME/.local/bin/claude" ]; then
  : # found — nothing to report
else
  c_warn "Claude Code ('claude') not found. Install it and run 'claude' once to"
  c_warn "authenticate AS THIS USER ($RUN_USER) before sessions will work."
fi

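# ── 7. systemd service ────────────────────────────────────────────────────────
# Writes /etc/systemd/system/<SERVICE_NAME>.service, enables it at boot and
# (re)starts it. Skipped entirely unless INSTALL_SERVICE is exactly "1".
if [ "$INSTALL_SERVICE" = "1" ]; then
  c_step "Installing systemd service '$SERVICE_NAME'…"
  # User= below is whoever ran the installer. As root, the panel (which runs
  # commands on this host) would do so with full privileges.
  if [ "$RUN_USER" = "root" ]; then
    c_warn "Installer is running as root, so the service will run as root too."
    c_warn "Re-run the installer as an unprivileged user to limit what the panel can reach."
  fi
  UNIT="/etc/systemd/system/$SERVICE_NAME.service"
  # Unquoted heredoc: $RUN_USER, $INSTALL_DIR, $USER_HOME and $BUN are expanded
  # now, so the unit file contains literal paths. tee runs via as_root because
  # the redirection target is root-owned.
  as_root tee "$UNIT" >/dev/null <<EOF
[Unit]
Description=tmuxapp — web control panel for tmux-hosted Claude
After=network.target

[Service]
Type=simple
User=$RUN_USER
WorkingDirectory=$INSTALL_DIR
# Include the user's bun + ~/.local/bin (claude) on PATH so spawned tmux/claude resolve.
Environment=PATH=$USER_HOME/.bun/bin:$USER_HOME/.local/bin:/usr/local/bin:/usr/bin:/bin
Environment=NODE_ENV=production
ExecStart=$BUN run start
Restart=on-failure
RestartSec=2

[Install]
WantedBy=multi-user.target
EOF
  as_root systemctl daemon-reload
  # enable + restart instead of `enable --now`: on a re-run the service is
  # already active, and `--now` would leave the old process (old code, old
  # unit settings) running. restart also starts a service that is stopped.
  as_root systemctl enable "$SERVICE_NAME"
  as_root systemctl restart "$SERVICE_NAME"
  # Give the process a moment, then show its state; a non-zero status from
  # `systemctl status` must not abort the installer.
  sleep 1
  as_root systemctl --no-pager --lines=0 status "$SERVICE_NAME" || true
fi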

# ── Summary ───────────────────────────────────────────────────────────────────
# Final report: where the app lives, where it listens, the generated password
# (only when this run created .env), and the follow-up steps.
printf '\n'
c_step "Done. tmuxapp is installed at $INSTALL_DIR"
printf '%s\n' "    Listening on http://$HOST_BIND:$PORT"
# GENERATED_PW is set only when .env was written by this run.
if [ -n "${GENERATED_PW:-}" ]; then
  printf '%s\n' "    Password (APP_PASSWORD): $GENERATED_PW  (saved in .env)"
fi
printf '\n'
printf '%s\n' \
  "  Next:" \
  "   • Authenticate Claude as $RUN_USER:   claude" \
  "   • Logs:                                journalctl -u $SERVICE_NAME -f" \
  "   • Restart after config changes:        sudo systemctl restart $SERVICE_NAME" \
  "   • Put it behind TLS for tmuxapp.com (Caddy):" \
  "         tmuxapp.com { reverse_proxy $HOST_BIND:$PORT }"
printf '\n'
# Closing reminder about the panel's exposure.
c_warn "This panel can run arbitrary commands on the server. Keep HOST=127.0.0.1"
c_warn "behind a TLS proxy, use a strong password, and restrict access (VPN/IP allowlist)."
