#!/usr/bin/env bash
# BlackShield Go security appliance bootstrap script.
# Creates a local Docker Compose runtime for one enforcement layer.
set -euo pipefail

APPLIANCE_TYPE="${1:-perimeter}"
TARGET_DIR="${2:-./deploy/blackshield-$APPLIANCE_TYPE}"
BLACKSHIELD_API_URL="${BLACKSHIELD_API_URL:-https://api.blackshield.chaplau.com}"
BLACKSHIELD_API_KEY="${BLACKSHIELD_API_KEY:-}"
POLL_INTERVAL="${POLL_INTERVAL:-30s}"
METRICS_ADDR="${METRICS_ADDR:-0.0.0.0:9090}"
FAIL_CLOSED="${FAIL_CLOSED:-false}"
ENFORCEMENT_MODE="${ENFORCEMENT_MODE:-audit}"
SCAN_INTERVAL="${SCAN_INTERVAL:-5s}"
MAX_BODY_BYTES="${MAX_BODY_BYTES:-1048576}"

VALID_TYPES=("perimeter" "network" "endpoint" "application" "data" "security")
if [[ ! " ${VALID_TYPES[*]} " =~ " ${APPLIANCE_TYPE} " ]]; then
  echo "Error: Invalid appliance type '$APPLIANCE_TYPE'."
  echo "Choose from: perimeter, network, endpoint, application, data, security"
  exit 1
fi

IMAGE=""
LISTEN_ADDR=""
UPSTREAM_ENV_NAME=""
UPSTREAM_ENV_VALUE=""
PRIMARY_PORT=""
PID_MODE=""
SUPPORTS_FAIL_CLOSED="false"

case "$APPLIANCE_TYPE" in
  perimeter)
    IMAGE="public.ecr.aws/blackshield-security/perimeter-appliance:1.0.6"
    LISTEN_ADDR="${LISTEN_ADDR:-0.0.0.0:8081}"
    UPSTREAM_ENV_NAME="UPSTREAM_ADDR"
    UPSTREAM_ENV_VALUE="${UPSTREAM_ADDR:-127.0.0.1:8080}"
    PRIMARY_PORT="8081"
    SUPPORTS_FAIL_CLOSED="true"
    ;;
  network)
    IMAGE="public.ecr.aws/blackshield-security/network-appliance:1.0.6"
    LISTEN_ADDR="${LISTEN_ADDR:-0.0.0.0:8082}"
    PRIMARY_PORT="8082"
    ;;
  endpoint)
    IMAGE="public.ecr.aws/blackshield-security/endpoint-appliance:1.0.6"
    PID_MODE="host"
    ;;
  application)
    IMAGE="public.ecr.aws/blackshield-security/application-appliance:1.0.6"
    LISTEN_ADDR="${LISTEN_ADDR:-0.0.0.0:8083}"
    UPSTREAM_ENV_NAME="UPSTREAM_URL"
    UPSTREAM_ENV_VALUE="${UPSTREAM_URL:-http://127.0.0.1:8080}"
    PRIMARY_PORT="8083"
    SUPPORTS_FAIL_CLOSED="true"
    ;;
  data)
    IMAGE="public.ecr.aws/blackshield-security/data-appliance:1.0.6"
    LISTEN_ADDR="${LISTEN_ADDR:-0.0.0.0:8084}"
    PRIMARY_PORT="8084"
    ;;
  security)
    IMAGE="public.ecr.aws/blackshield-security/security-appliance:1.0.6"
    LISTEN_ADDR="${LISTEN_ADDR:-0.0.0.0:8085}"
    PRIMARY_PORT="8085"
    ;;
esac

echo "Bootstrapping BlackShield Go appliance: $APPLIANCE_TYPE..."
mkdir -p "$TARGET_DIR"

cat > "$TARGET_DIR/docker-compose.yml" <<EOF
services:
  $APPLIANCE_TYPE-appliance:
    image: $IMAGE
    restart: unless-stopped
    env_file:
      - .env
EOF

if [[ -n "$PID_MODE" ]]; then
  cat >> "$TARGET_DIR/docker-compose.yml" <<EOF
    pid: "$PID_MODE"
EOF
fi

cat >> "$TARGET_DIR/docker-compose.yml" <<EOF
    ports:
EOF

if [[ -n "$PRIMARY_PORT" ]]; then
  cat >> "$TARGET_DIR/docker-compose.yml" <<EOF
      - "$PRIMARY_PORT:$PRIMARY_PORT"
EOF
fi

cat >> "$TARGET_DIR/docker-compose.yml" <<EOF
      - "9090:9090"
EOF

cat > "$TARGET_DIR/.env" <<EOF
BLACKSHIELD_API_URL=$BLACKSHIELD_API_URL
BLACKSHIELD_API_KEY=$BLACKSHIELD_API_KEY
POLL_INTERVAL=$POLL_INTERVAL
METRICS_ADDR=$METRICS_ADDR
EOF

if [[ "$APPLIANCE_TYPE" == "endpoint" ]]; then
  cat >> "$TARGET_DIR/.env" <<EOF
SCAN_INTERVAL=$SCAN_INTERVAL
ENFORCEMENT_MODE=$ENFORCEMENT_MODE
EOF
fi

if [[ "$APPLIANCE_TYPE" == "application" ]]; then
  cat >> "$TARGET_DIR/.env" <<EOF
MAX_BODY_BYTES=$MAX_BODY_BYTES
EOF
fi

if [[ "$SUPPORTS_FAIL_CLOSED" == "true" ]]; then
  cat >> "$TARGET_DIR/.env" <<EOF
FAIL_CLOSED=$FAIL_CLOSED
EOF
fi

if [[ -n "$LISTEN_ADDR" ]]; then
  cat >> "$TARGET_DIR/.env" <<EOF
LISTEN_ADDR=$LISTEN_ADDR
EOF
fi

if [[ -n "$UPSTREAM_ENV_NAME" ]]; then
  cat >> "$TARGET_DIR/.env" <<EOF
$UPSTREAM_ENV_NAME=$UPSTREAM_ENV_VALUE
EOF
fi

cat > "$TARGET_DIR/README.md" <<EOF
# BlackShield $APPLIANCE_TYPE Appliance Deployment

This environment was bootstrapped automatically for the BlackShield Go
$APPLIANCE_TYPE enforcement appliance.

## How to run

1. Open \`.env\` and set \`BLACKSHIELD_API_KEY\`.
2. Review listener and upstream values when this appliance is in a traffic path.
3. For perimeter and application appliances, keep \`FAIL_CLOSED=false\` until you have verified sync health.
4. Start the appliance container:

   \`\`\`bash
   docker compose up -d
   \`\`\`

5. Verify metrics:

   \`\`\`bash
   curl http://localhost:9090/metrics
   \`\`\`
EOF

echo "Appliance $APPLIANCE_TYPE environment created under $TARGET_DIR."
echo "Deploy with: cd $TARGET_DIR && docker compose up -d"