#!/usr/bin/env bash
# Pylon node installer — served at https://pylond.run/install.sh
#
#   curl -fsSL https://pylond.run/install.sh | sh -s -- --token <ENROLL_TOKEN>
#
# Connects this machine to Pylon: installs Docker if missing, fetches the Pylon
# CA, then runs the node-agent — it dials OUT to the control plane over mutually
# authenticated TLS (verifying the Pylon CA), joins the mesh, and holds the
# reverse tunnel. No inbound ports are opened.
# Written for POSIX sh (the install one-liner pipes to `sh`, i.e. dash on Debian/Ubuntu), so no `pipefail`, no bashisms.
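set -eu

# Every PYLON_* default below can be overridden by the environment; --fleet and
# --mesh additionally override on the command line.
FLEET="${PYLON_FLEET:-https://fleet.pylon.host:50051}"
MESH="${PYLON_MESH:-https://mesh.pylon.host:50054}"
# PYLON_IMAGE may also be set to a digest-pinned reference (image@sha256:...)
# when a reproducible, non-floating install is wanted instead of :latest.
IMAGE="${PYLON_IMAGE:-registry.pylon.host/pylon:latest}"
CA_URL="${PYLON_CA_URL:-https://pylond.run/ca.crt}"
TLS_DOMAIN="${PYLON_TLS_DOMAIN:-pylon-control}"
INSTALL_DIR=/opt/pylon
COMPOSE_FILE="$INSTALL_DIR/docker-compose.yml"
TOKEN=""
UNINSTALL=0

# Print an error to stderr and exit 1.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Print usage to stderr (caller decides the exit status).
usage() {
  cat >&2 <<'EOF'
usage: install.sh --token <ENROLL_TOKEN> [--fleet URL] [--mesh URL]
       install.sh --uninstall
EOF
}

#######################################
# Parse command-line flags into TOKEN / FLEET / MESH / UNINSTALL.
# Arguments: the script's "$@"
# Exits:     1 on an unknown flag or a value-taking flag given without a value
#            (previously `set -u` aborted with an opaque "parameter not set").
#######################################
parse_args() {
  while [ $# -gt 0 ]; do
    case "$1" in
      --token=*) TOKEN="${1#*=}"; shift ;;
      --fleet=*) FLEET="${1#*=}"; shift ;;
      --mesh=*)  MESH="${1#*=}"; shift ;;
      --token|--fleet|--mesh)
        [ $# -ge 2 ] || die "$1 requires a value"
        case "$1" in
          --token) TOKEN="$2" ;;
          --fleet) FLEET="$2" ;;
          --mesh)  MESH="$2" ;;
        esac
        shift 2 ;;
      --uninstall|--remove) UNINSTALL=1; shift ;;
      -h|--help) usage; exit 0 ;;
      *) usage; die "unknown arg: $1" ;;
    esac
  done
}

#######################################
# Tear the node down so it can be cleanly re-enrolled:
#   curl -fsSL https://pylond.run/install.sh | sh -s -- --uninstall
# Globals:  INSTALL_DIR, COMPOSE_FILE
# Outputs:  progress on stdout
#######################################
uninstall_node() {
  echo "==> Pylon node uninstall"
  if command -v docker >/dev/null 2>&1; then
    if [ -f "$COMPOSE_FILE" ]; then
      docker compose -f "$COMPOSE_FILE" down --remove-orphans 2>/dev/null || true
    fi
    # belt-and-suspenders: remove any stray pylon-node containers
    docker ps -aq --filter "label=com.docker.compose.project=pylon-node" \
      | xargs -r docker rm -f 2>/dev/null || true
  fi
  # ${VAR:?} aborts if INSTALL_DIR were ever empty instead of running `rm -rf /`.
  rm -rf "${INSTALL_DIR:?}"
  echo "✅ Pylon node removed. Re-enroll with a fresh token:"
  echo "   curl -fsSL https://pylond.run/install.sh | sh -s -- --token <NEW_TOKEN>"
}

#######################################
# Install Docker via the upstream convenience script.
# The script is downloaded to a temp file before it is run: with a plain
# `curl | sh` there is no pipefail in POSIX sh, so a failed or truncated
# download would feed sh nothing, exit 0 and slip past `set -e`.
#######################################
install_docker() {
  echo "==> installing Docker"
  tmp=$(mktemp) || die "mktemp failed"
  trap 'rm -f "$tmp"' EXIT
  curl -fsSL https://get.docker.com -o "$tmp"
  sh "$tmp"
  rm -f "$tmp"
  trap - EXIT
}

#######################################
# Fetch the Pylon CA into INSTALL_DIR/ca.crt and check it is PEM.
# An HTTP 200 carrying an HTML error page would otherwise be mounted into
# the agent as its trust root and every TLS handshake would fail later.
#######################################
fetch_ca() {
  echo "==> fetching Pylon CA"
  curl -fsSL "$CA_URL" -o "$INSTALL_DIR/ca.crt"
  grep -q 'BEGIN CERTIFICATE' "$INSTALL_DIR/ca.crt" \
    || die "$CA_URL did not return a PEM certificate"
}

#######################################
# Write the compose file for the node-agent.
# The file carries the enroll token, so it is created root-only (umask 077
# for a fresh file, chmod 600 for a pre-existing one from an earlier run).
# ca.crt is left at the default mode so a non-root agent process can read
# the read-only mount.
# Globals: IMAGE, INSTALL_DIR, FLEET, MESH, TOKEN, TLS_DOMAIN, COMPOSE_FILE
#######################################
write_compose() {
  (
    umask 077
    cat > "$COMPOSE_FILE" <<YAML
name: pylon-node
services:
  node-agent:
    image: ${IMAGE}
    command: ["node-agent"]
    network_mode: host
    restart: unless-stopped
    volumes:
      - ${INSTALL_DIR}/ca.crt:/pylon-tls/ca.crt:ro
    environment:
      - NODE_FLEET_ENDPOINT=${FLEET}
      - NODE_MESH_ENDPOINT=${MESH}
      - NODE_ENROLL_TOKEN=${TOKEN}
      - NODE_CA_CERT=/pylon-tls/ca.crt
      - NODE_TLS_DOMAIN=${TLS_DOMAIN}
      - NODE_HOSTNAME=$(hostname)
      - NODE_WORKLOAD_HOST=127.0.0.1
YAML
  )
  chmod 600 "$COMPOSE_FILE"
}

# Pull the image and bring the node-agent up (detached, stray containers removed).
start_node() {
  echo "==> pulling ${IMAGE}"
  docker pull "$IMAGE"
  echo "==> starting node-agent"
  docker compose -f "$COMPOSE_FILE" up -d --remove-orphans
}

#######################################
# Entry point. Everything executes from here, at the very end of the file, so
# a truncated download of this script (the one-liner pipes it into sh) is
# parsed but runs nothing.
#######################################
main() {
  parse_args "$@"
  [ "$(id -u)" = "0" ] || die "run as root (sudo)"

  if [ "$UNINSTALL" = "1" ]; then
    uninstall_node
    exit 0
  fi

  [ -n "$TOKEN" ] || die "--token <ENROLL_TOKEN> is required (mint one in the Pylon host panel → Nodes), or --uninstall to remove"
  # The token is written unquoted into a YAML list entry; embedded whitespace
  # would break or silently truncate that entry, so reject it up front.
  case "$TOKEN" in
    *[[:space:]]*) die "--token value contains whitespace; paste the token exactly as issued" ;;
  esac

  echo "==> Pylon node install"
  command -v docker >/dev/null 2>&1 || install_docker
  # The script drives `docker compose` (v2 plugin); fail here with a clear
  # message rather than at the `up` step.
  docker compose version >/dev/null 2>&1 \
    || die "'docker compose' is not available; install the compose plugin and re-run"

  mkdir -p "$INSTALL_DIR"
  fetch_ca
  write_compose
  start_node

  echo
  echo "✅ Node connected to Pylon. It will appear in your host panel → Nodes within a few seconds."
  echo "   Manage: docker compose -f $COMPOSE_FILE [logs|down|pull]"
}

main "$@"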
