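#!/usr/bin/env bash
# Generate a cron-driven VM scanner bundle under TARGET_ROOT/deploy/vm-scanner/cron:
#   .env.vm-scanner          operator config; created once (never overwritten), mode 0600
#   .env.vm-scanner.example  reference copy of the same template; always rewritten
#   run-vm-scanner.sh        wrapper invoked by cron; runs one scanner pass in Docker
#   cron.example             sample /etc/cron.d entry
#   README.md                install notes
#
# Usage: $0 [TARGET_ROOT]            (TARGET_ROOT defaults to the current directory)
# Env:   BLACKSHIELD_API_URL, BLACKSHIELD_VMS_IMAGE override the template defaults.
set -euo pipefail

TARGET_ROOT="${1:-.}"
BLACKSHIELD_API_URL="${BLACKSHIELD_API_URL:-https://api.blackshield.chaplau.com}"
BLACKSHIELD_VMS_IMAGE="${BLACKSHIELD_VMS_IMAGE:-public.ecr.aws/blackshield-security/vms-scanner:1.0.6}"

readonly BUNDLE_DIR="$TARGET_ROOT/deploy/vm-scanner/cron"
readonly ENV_FILE="$BUNDLE_DIR/.env.vm-scanner"
# Placeholder key the wrapper refuses to run with; the literal in
# run-vm-scanner.sh below must stay in sync with this value.
readonly API_KEY_PLACEHOLDER="sp_xxxx"

#######################################
# Print the env template to stdout.
# Shared by the live config and the .example so the two cannot drift apart.
# Globals:  BLACKSHIELD_VMS_IMAGE, BLACKSHIELD_API_URL, API_KEY_PLACEHOLDER (read)
# Outputs:  KEY=VALUE lines on stdout
#######################################
write_env_template() {
  cat <<EOF
BLACKSHIELD_VMS_IMAGE=${BLACKSHIELD_VMS_IMAGE}
BLACKSHIELD_API_URL=${BLACKSHIELD_API_URL}
BLACKSHIELD_API_KEY=${API_KEY_PLACEHOLDER}
VMS_COLLECTOR_MODE=file
OSSEC_ALERTS_FILE=/var/ossec/logs/alerts/alerts.json
OSSEC_STATE_FILE=/tmp/vms-state/ossec-state.json
VM_ALERTS_DIR=/var/ossec/logs/alerts
VM_STATE_DIR=/var/lib/blackshield/vm-scanner
SCAN_INTERVAL_SECONDS=60
SCAN_ON_STARTUP=true
MIN_SEVERITY=high
LOG_LEVEL=INFO
HEALTH_PORT=8080
EOF
}

mkdir -p "$BUNDLE_DIR"

if [ ! -f "$ENV_FILE" ]; then
  # The live config will hold the API key once the operator edits it, so the
  # file is created owner-only (0600) before any content lands in it rather
  # than inheriting the caller's umask (typically world-readable 0644).
  ( umask 077 && write_env_template > "$ENV_FILE" )
  printf 'Wrote deploy/vm-scanner/cron/.env.vm-scanner\n'
else
  printf 'Preserved existing deploy/vm-scanner/cron/.env.vm-scanner\n'
fi

# The example only ever contains the placeholder key; default mode is fine.
write_env_template > "$BUNDLE_DIR/.env.vm-scanner.example"

# Quoted delimiter: nothing in the wrapper is expanded at generation time.
cat > "$BUNDLE_DIR/run-vm-scanner.sh" <<'EOF'
#!/usr/bin/env bash
# Cron wrapper: load .env.vm-scanner from this directory and run a single
# scanner pass in Docker. Exits 2 on a configuration problem so the cron log
# distinguishes config errors from scanner failures.
set -euo pipefail

SCRIPT_DIR="$(cd -- "$(dirname -- "$0")" && pwd)"
ENV_FILE="$SCRIPT_DIR/.env.vm-scanner"

if [ ! -r "$ENV_FILE" ]; then
  printf 'Config file is missing or not readable: %s\n' "$ENV_FILE" >&2
  exit 2
fi

# Export every variable the config defines so the checks below and the
# scanner see the same values.
set -a
. "$ENV_FILE"
set +a

: "${BLACKSHIELD_VMS_IMAGE:?BLACKSHIELD_VMS_IMAGE is required}"
: "${BLACKSHIELD_API_KEY:?BLACKSHIELD_API_KEY is required}"
: "${VM_ALERTS_DIR:?VM_ALERTS_DIR is required}"
VM_STATE_DIR="${VM_STATE_DIR:-/var/lib/blackshield/vm-scanner}"

# "sp_xxxx" is the placeholder the generator writes into the template.
if [ "$BLACKSHIELD_API_KEY" = "sp_xxxx" ]; then
  printf 'Replace the BLACKSHIELD_API_KEY placeholder before running the scanner.\n' >&2
  exit 2
fi

if [ ! -r "${VM_ALERTS_DIR}/alerts.json" ]; then
  printf 'alerts.json is not readable at %s/alerts.json\n' "$VM_ALERTS_DIR" >&2
  exit 2
fi

mkdir -p "$VM_STATE_DIR"

# SCAN_INTERVAL_SECONDS=0 makes this a one-shot pass; the state file is kept on
# the host bind mount so consecutive runs only forward newly appended alerts.
docker run --rm \
  --env-file "$ENV_FILE" \
  -e SCAN_INTERVAL_SECONDS=0 \
  -e OSSEC_STATE_FILE=/tmp/vms-state/ossec-state.json \
  -v "${VM_ALERTS_DIR}:/var/ossec/logs/alerts:ro" \
  -v "${VM_STATE_DIR}:/tmp/vms-state" \
  "${BLACKSHIELD_VMS_IMAGE}"
EOF
chmod +x "$BUNDLE_DIR/run-vm-scanner.sh"

cat > "$BUNDLE_DIR/cron.example" <<'EOF'
*/10 * * * * root /opt/blackshield-vm-scanner/run-vm-scanner.sh >> /var/log/blackshield-vm-scanner.log 2>&1
EOF

cat > "$BUNDLE_DIR/README.md" <<'EOF'
# VM Scanner cron Bundle

1. Open `.env.vm-scanner` and replace `BLACKSHIELD_API_KEY`. The file is created readable by its owner only; keep it that way, as it holds the ingestion key. If that key was pasted into a terminal transcript, ticket, or chat, revoke it and create a new ingestion key before retesting.
2. Confirm `VM_ALERTS_DIR` points at the host directory that contains `alerts.json`.
3. Copy this directory to the host, restrict the config file, then install the cron entry:

```bash
sudo install -d -m 755 /opt/blackshield-vm-scanner
sudo cp -R . /opt/blackshield-vm-scanner
sudo chmod 600 /opt/blackshield-vm-scanner/.env.vm-scanner
sudo cp cron.example /etc/cron.d/blackshield-vm-scanner
```

4. Run one manual pass before waiting for cron:

```bash
./run-vm-scanner.sh
```

The wrapper forces `SCAN_INTERVAL_SECONDS=0`, so each cron invocation runs a
single incremental ingestion pass and exits cleanly. Scanner state is persisted
under `VM_STATE_DIR` so each run only forwards newly appended alerts.
EOF

printf 'Wrote deploy/vm-scanner/cron/.env.vm-scanner.example\n'
printf 'Wrote deploy/vm-scanner/cron/run-vm-scanner.sh\n'
printf 'Wrote deploy/vm-scanner/cron/cron.example\n'
printf 'Wrote deploy/vm-scanner/cron/README.md\n'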
