#!/bin/bash
set -e

REPO_URL="https://git.simplifiedprivacy.com/Support/sp-hydra-veil-core"
BRANCH="core-laravel-proxyTEST"
INSTALL_DIR="$HOME/sp-hydra-veil-core"
SINGBOX_VERSION="1.13.5"
SINGBOX_BIN="/usr/bin/sing-box"
WRAPPER_PATH="/usr/local/bin/hydraveil-singbox"
SUDOERS_PATH="/etc/sudoers.d/hydraveil"
HV_DATA_HOME="$HOME/.local/share/hydra-veil"

echo "=== sp-hydra-veil-core installer ==="

# 1. Clone repo
echo ""
echo "[1/6] Cloning repository (branch: $BRANCH)..."
if [ -d "$INSTALL_DIR" ]; then
    echo "Directory already exists, removing..."
    rm -rf "$INSTALL_DIR"
fi
git clone --branch "$BRANCH" "$REPO_URL" "$INSTALL_DIR"
cd "$INSTALL_DIR"

# 2. .env
echo ""
echo "[2/6] Creating .env..."
cat > "$INSTALL_DIR/.env" << 'DOTENV'
SP_API_BASE_URL_LOCAL=http://simplifiedprivacy.test/api/v1
SP_API_BASE_URL_PRODUCTION=https://fake.simplifiedprivacy.org/api/v1
APP_ENV=production
DOTENV
echo ".env created."

# 3. venv + dependencies
echo ""
echo "[3/6] Setting up virtual environment..."
python3 -m venv "$INSTALL_DIR/.venv"
source "$INSTALL_DIR/.venv/bin/activate"

pip install --quiet --upgrade pip

pip install \
    python-dotenv \
    "cryptography~=46.0.3" \
    "dataclasses-json~=0.6.7" \
    "marshmallow~=3.26.1" \
    "psutil~=7.1.3" \
    "pysocks~=1.7.1" \
    "python-dateutil~=2.9.0.post0" \
    "requests~=2.32.5" \
    "annotated-types==0.7.0" \
    "certifi==2026.4.22" \
    "charset-normalizer==3.4.7" \
    "click==8.3.3" \
    "cytoolz==1.1.0" \
    "eth-hash==0.8.0" \
    "eth-typing==6.0.0" \
    "eth-utils==6.0.0" \
    "idna==3.13" \
    "packaging==26.2" \
    "pathspec==1.1.1" \
    "platformdirs==4.9.6" \
    "py-ecc==8.0.0" \
    "pydantic==2.13.3" \
    "pydantic_core==2.46.3" \
    "pydeps==3.0.6" \
    "pytokens==0.4.1" \
    "stdlib-list==0.12.0" \
    "toolz==1.1.0" \
    "typing-inspect==0.9.0" \
    "typing-inspection==0.4.2" \
    "typing_extensions==4.15.0" \
    "urllib3==2.6.3"

pip install -e "$INSTALL_DIR" --no-deps
echo "Dependencies installed."

# 4. sing-box
echo ""
echo "[4/6] Checking sing-box..."

# Find sing-box in any common location
FOUND_SINGBOX=""
for candidate in /usr/bin/sing-box /usr/local/bin/sing-box /bin/sing-box /usr/local/sbin/sing-box; do
    if [ -x "$candidate" ]; then
        FOUND_SINGBOX="$candidate"
        break
    fi
done

# Also check PATH
if [ -z "$FOUND_SINGBOX" ]; then
    FOUND_SINGBOX=$(command -v sing-box 2>/dev/null || true)
fi

if [ -n "$FOUND_SINGBOX" ]; then
    echo "sing-box found at: $FOUND_SINGBOX"
    echo "Version: $($FOUND_SINGBOX version | head -1)"
    # If not at /usr/bin/sing-box, create symlink
    if [ "$FOUND_SINGBOX" != "$SINGBOX_BIN" ]; then
        echo "Creating symlink: $FOUND_SINGBOX -> $SINGBOX_BIN"
        sudo ln -sf "$FOUND_SINGBOX" "$SINGBOX_BIN"
    fi
else
    echo "sing-box not found, installing v$SINGBOX_VERSION..."
    wget -q "https://github.com/SagerNet/sing-box/releases/download/v${SINGBOX_VERSION}/sing-box-${SINGBOX_VERSION}-linux-amd64.tar.gz" -O /tmp/sing-box.tar.gz
    tar -xzf /tmp/sing-box.tar.gz -C /tmp
    sudo cp "/tmp/sing-box-${SINGBOX_VERSION}-linux-amd64/sing-box" "$SINGBOX_BIN"
    sudo chmod 755 "$SINGBOX_BIN"
    rm -rf /tmp/sing-box.tar.gz "/tmp/sing-box-${SINGBOX_VERSION}-linux-amd64"
    echo "sing-box installed: $($SINGBOX_BIN version | head -1)"
fi

# Final check
if [ ! -x "$SINGBOX_BIN" ]; then
    echo "ERROR: sing-box not found at $SINGBOX_BIN after install. Aborting."
    exit 1
fi
echo "sing-box OK at $SINGBOX_BIN"

# 5. wrapper + sudoers + HV_DATA_HOME
echo ""
echo "[5/6] Installing wrapper..."

sudo tee "$WRAPPER_PATH" > /dev/null << WRAPPER
#!/bin/bash
CONFIG=\$1
ACTION=\$2

if [[ "\$ACTION" == "stop" ]]; then
    pkill -9 -f sing-box
    exit 0
fi

if [[ "\$CONFIG" != /tmp/*.json ]] && \\
   [[ "\$CONFIG" != /home/*/.local/share/hydra-veil/*.json ]]; then
    echo "Error: config path not allowed"
    exit 1
fi

exec $SINGBOX_BIN run -c "\$CONFIG"
WRAPPER

sudo chmod 755 "$WRAPPER_PATH"

# Verify wrapper points to correct sing-box
if grep -q "$SINGBOX_BIN" "$WRAPPER_PATH"; then
    echo "Wrapper OK — points to $SINGBOX_BIN"
else
    echo "ERROR: wrapper does not reference $SINGBOX_BIN"
    exit 1
fi

# 6. sudoers
echo ""
echo "[6/6] Configuring sudoers..."
if [ ! -f "$SUDOERS_PATH" ]; then
    echo "$USER ALL=(ALL) NOPASSWD: $WRAPPER_PATH" | sudo tee "$SUDOERS_PATH" > /dev/null
    sudo chmod 440 "$SUDOERS_PATH"
    echo "Sudoers configured."
else
    echo "Sudoers already exists, skipping."
fi

# Create HV_DATA_HOME directory
mkdir -p "$HV_DATA_HOME"
echo "HV_DATA_HOME created: $HV_DATA_HOME"

echo ""
echo "=== Installation complete ==="
echo "Activate the environment with:"
echo "  source $INSTALL_DIR/.venv/bin/activate"