#!/bin/bash
set -euo pipefail

source "$(dirname "$0")/utils.sh"

require_root

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
ENV_FILE="$SCRIPT_DIR/.env"

if [ ! -f "$ENV_FILE" ]; then
    echo "ERROR: .env file not found at $ENV_FILE"
    echo "Create $ENV_FILE with: SERVER_IP=45.146.202.107"
    exit 1
fi

source "$ENV_FILE"

: "${SERVER_IP:?SERVER_IP is not set in .env}"

REAL_USER="${SUDO_USER:-$(whoami)}"
REAL_HOME=$(eval echo "~$REAL_USER")
VLESS_DIR="$REAL_HOME/services/vless_ip"
SERVICE_NAME="xray-vless-ip"
REALITY_DEST="www.kuper.ru:443"
REALITY_SERVER_NAME="www.kuper.ru"

echo "=== VLESS + Reality Installation ==="
echo "  Server IP: $SERVER_IP"
echo "  Port:      443"
echo "  Directory: $VLESS_DIR"
echo ""

# --- 1. Download Xray-core ---

mkdir -p "$VLESS_DIR"

ARCH=$(uname -m)
case "$ARCH" in
    x86_64)  XRAY_ARCH="64" ;;
    aarch64) XRAY_ARCH="arm64-v8a" ;;
    *)
        echo "ERROR: unsupported architecture: $ARCH"
        exit 1
        ;;
esac

XRAY_ZIP="Xray-linux-${XRAY_ARCH}.zip"
DOWNLOAD_URL="https://github.com/XTLS/Xray-core/releases/latest/download/${XRAY_ZIP}"

if [ -x "$VLESS_DIR/xray" ]; then
    echo "[1] Xray already installed: $("$VLESS_DIR/xray" version | head -1)"
else
    echo "[1] Downloading Xray-core..."
    for cmd in wget unzip; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "    Installing $cmd..."
            apt-get install -y -qq "$cmd"
        fi
    done
    wget -q --show-progress -O "/tmp/$XRAY_ZIP" "$DOWNLOAD_URL"
    unzip -o -q "/tmp/$XRAY_ZIP" -d "$VLESS_DIR"
    chmod +x "$VLESS_DIR/xray"
    rm -f "/tmp/$XRAY_ZIP"
    echo "    Installed: $("$VLESS_DIR/xray" version | head -1)"
fi
echo ""

# --- 2. Generate keys & config ---

UUID=$("$VLESS_DIR/xray" uuid)
echo "[2] Generated UUID: $UUID"

KEYS=$("$VLESS_DIR/xray" x25519 2>&1) || true

PRIVATE_KEY=$(echo "$KEYS" | grep -i 'private' | awk '{print $NF}' || true)
PUBLIC_KEY=$(echo "$KEYS" | grep -i 'password' | awk '{print $NF}' || true)

if [ -z "$PRIVATE_KEY" ] || [ -z "$PUBLIC_KEY" ]; then
    echo "ERROR: Failed to parse x25519 keys. Raw output:"
    echo "$KEYS"
    exit 1
fi

echo "    Reality private key: $PRIVATE_KEY"
echo "    Reality public key:  $PUBLIC_KEY"

SHORT_ID=$(openssl rand -hex 4)
echo "    Short ID: $SHORT_ID"

cat > "$VLESS_DIR/config.json" <<EOF
{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "${UUID}",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "dest": "${REALITY_DEST}",
          "serverNames": ["${REALITY_SERVER_NAME}"],
          "privateKey": "${PRIVATE_KEY}",
          "shortIds": ["${SHORT_ID}"]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls", "quic"]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ],
  "routing": {
    "rules": [
      {
        "type": "field",
        "outboundTag": "block",
        "protocol": ["bittorrent"]
      }
    ]
  }
}
EOF

echo "    Config: $VLESS_DIR/config.json"
echo ""

# --- 3. Systemd service ---

echo "[3] Creating systemd service..."
cat > "/etc/systemd/system/${SERVICE_NAME}.service" <<EOF
[Unit]
Description=Xray VLESS Reality Server
After=network.target

[Service]
Type=simple
ExecStart=${VLESS_DIR}/xray run -config ${VLESS_DIR}/config.json
Restart=on-failure
RestartSec=5
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable "$SERVICE_NAME" --quiet
systemctl restart "$SERVICE_NAME"

sleep 1
if systemctl is-active --quiet "$SERVICE_NAME"; then
    echo "    Service $SERVICE_NAME started"
else
    echo "ERROR: Service failed to start"
    journalctl -u "$SERVICE_NAME" --no-pager -n 10
    exit 1
fi
echo ""

# --- 4. Firewall ---

if command -v ufw >/dev/null 2>&1; then
    ufw allow 443/tcp comment 'VLESS Reality' >/dev/null 2>&1 || true
    echo "[4] UFW: port 443 opened"
else
    echo "[4] UFW not installed, skipping firewall rule"
fi
echo ""

# --- 5. Fix ownership & output ---

chown -R "$REAL_USER:$REAL_USER" "$VLESS_DIR"

VLESS_LINK="vless://${UUID}@${SERVER_IP}:443?encryption=none&security=reality&sni=${REALITY_SERVER_NAME}&fp=chrome&pbk=${PUBLIC_KEY}&sid=${SHORT_ID}&type=tcp&flow=xtls-rprx-vision#VLESS-Reality"

echo "$VLESS_LINK" > "$VLESS_DIR/connection.txt"
chown "$REAL_USER:$REAL_USER" "$VLESS_DIR/connection.txt"

echo "=== VLESS READY ==="
echo ""
echo "$VLESS_LINK"
echo ""
echo "Saved to: $VLESS_DIR/connection.txt"