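#!/usr/bin/env bash
# UniSOC Honeypot Agent — installer
#
# Usage (on the honeypot VM, as root):
#   UNISOC_LICENSE=unisoc_xxxxxxxx \
#   UNISOC_API=https://api.unisoc.fr \
#   HONEYPOT_ID=vm111-srvdomaine \
#   bash <(curl -fsSL https://client.unisoc.fr/downloads/honeypot/agent-install.sh)
#
# Or, from a checkout of the repository:
#   sudo HONEYPOT_ID=vm111 UNISOC_LICENSE=unisoc_… ./install.sh
#
# Notes:
#   - The one-liner executes a remotely fetched script as root. -f makes curl
#     fail on an HTTP error instead of handing an error page to bash; it does
#     not replace reviewing the script before running it.
#   - In one-liner mode there is no agent.py next to the script, so
#     AGENT_DOWNLOAD_URL must be set. UNIT_DOWNLOAD_URL is needed as well unless
#     the systemd unit is already installed.
#   - UNISOC_LICENSE is a secret; typed inline as above it may be kept in the
#     shell history.
set -euo pipefail

# Check privileges before touching /var/log: a non-root run would otherwise
# first print a tee "permission denied" error for the log file.
if [ "$(id -u)" -ne 0 ]; then
    echo "ERREUR : exécuter en root" >&2
    exit 1
fi

LOG=/var/log/unisoc-honeypot-agent-install.log
# The log receives everything the installer prints, including the journal
# excerpt of the agent at the end, so keep it readable by root only.
touch "$LOG"
chmod 600 "$LOG"
# From here on, stdout and stderr are both shown and appended to $LOG.
exec > >(tee -a "$LOG") 2>&1

echo "[$(date -u +%FT%TZ)] === UniSOC Honeypot Agent install ==="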

# Resolve the settings from the environment. An unset or empty variable falls
# back to its default; `hostname` is only invoked when a fallback is needed.
if [[ -z "${UNISOC_API:-}" ]]; then
    UNISOC_API=https://api.unisoc.fr
fi
UNISOC_LICENSE="${UNISOC_LICENSE:-}"
if [[ -z "${HONEYPOT_ID:-}" ]]; then
    HONEYPOT_ID="$(hostname)"
fi
if [[ -z "${HONEYPOT_HOSTNAME:-}" ]]; then
    HONEYPOT_HOSTNAME="$(hostname)"
fi

# The license has no default: stop here and tell the operator where to get one.
[[ -n "$UNISOC_LICENSE" ]] || {
    echo "ERREUR : UNISOC_LICENSE manquant. Récupère-le côté SOC via :"
    echo "  POST /api/honeypot/admin/license/issue?tenant_id=<tenant> (auth admin JWT)"
    exit 1
}

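# Only hard dependency: python3 (per the original note, already present on
# Debian 13). 'at' is optional and used for the TTL of IP blocks.
# The install is best-effort on purpose (e.g. no package mirror reachable),
# so its failure is ignored here and python3 is verified explicitly below.
apt-get install -y --no-install-recommends python3 at >/dev/null 2>&1 || true
systemctl enable --now atd 2>/dev/null || true

# Fail early with a clear message rather than enabling a service that cannot run.
if ! command -v python3 >/dev/null 2>&1; then
    echo "ERREUR : python3 introuvable (installation via apt-get échouée ?)" >&2
    exit 1
fi

# Layout: /opt/unisoc-honeypot-agent/agent.py + /etc/unisoc-honeypot-agent/agent.{conf,env}
mkdir -p /opt/unisoc-honeypot-agent /etc/unisoc-honeypot-agent /var/lib/unisoc-honeypot-agent
# The config directory holds the license; restrict it and the state directory to root.
chmod 700 /etc/unisoc-honeypot-agent /var/lib/unisoc-honeypot-agent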

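# Install the agent: prefer the agent.py shipped next to this script, otherwise
# fetch it from AGENT_DOWNLOAD_URL. The file is later run by the service, so a
# failed or tampered download must never end up installed.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
if [ -f "$SCRIPT_DIR/agent.py" ]; then
    install -m 755 "$SCRIPT_DIR/agent.py" /opt/unisoc-honeypot-agent/agent.py
elif [ -n "${AGENT_DOWNLOAD_URL:-}" ]; then
    # Download to a temporary file first so a partial transfer never replaces
    # the installed agent.
    agent_tmp="$(mktemp)"
    # -f: treat HTTP errors as failures instead of saving the error page as
    # agent.py; -S: still print the error although -s hides the progress meter.
    if ! curl -fsSL "$AGENT_DOWNLOAD_URL" -o "$agent_tmp"; then
        rm -f -- "$agent_tmp"
        echo "ERREUR : téléchargement de agent.py impossible" >&2
        exit 1
    fi
    # Optional integrity check: when AGENT_SHA256 is set, the download must match
    # it. Without it, the only protection is the transport (use an https:// URL).
    if [ -n "${AGENT_SHA256:-}" ]; then
        if ! printf '%s  %s\n' "$AGENT_SHA256" "$agent_tmp" | sha256sum -c --status -; then
            rm -f -- "$agent_tmp"
            echo "ERREUR : somme SHA-256 de agent.py incorrecte" >&2
            exit 1
        fi
    fi
    install -m 755 "$agent_tmp" /opt/unisoc-honeypot-agent/agent.py
    rm -f -- "$agent_tmp"
else
    echo "ERREUR : agent.py introuvable et AGENT_DOWNLOAD_URL non défini"
    exit 1
fi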

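# Agent settings: license + API endpoint. The same KEY=value content is written
# twice: agent.conf, and agent.env which is meant as a systemd EnvironmentFile
# (so it can be overridden there).
agent_settings="UNISOC_API=$UNISOC_API
UNISOC_LICENSE=$UNISOC_LICENSE
HONEYPOT_ID=$HONEYPOT_ID
HONEYPOT_HOSTNAME=$HONEYPOT_HOSTNAME"

for settings_file in /etc/unisoc-honeypot-agent/agent.conf /etc/unisoc-honeypot-agent/agent.env; do
    # The file contains the license: create it under umask 077 so it is 0600
    # from the first byte, instead of being created with the default mode and
    # tightened afterwards. The subshell keeps the umask change local.
    (
        umask 077
        printf '%s\n' "$agent_settings" > "$settings_file"
    )
    # A file left over from an earlier run keeps its old mode; force it.
    chmod 600 "$settings_file"
done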

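# Systemd unit: prefer the unit file shipped next to this script, otherwise
# fetch it from UNIT_DOWNLOAD_URL. A unit left by a previous run is reused when
# neither source is available.
if [ -f "$SCRIPT_DIR/unisoc-honeypot-agent.service" ]; then
    install -m 644 "$SCRIPT_DIR/unisoc-honeypot-agent.service" \
        /etc/systemd/system/unisoc-honeypot-agent.service
elif [ -n "${UNIT_DOWNLOAD_URL:-}" ]; then
    # The unit decides what runs and with which privileges: download to a
    # temporary file and install only after a successful transfer.
    unit_tmp="$(mktemp)"
    # -f: an HTTP error must not be saved as the unit file.
    if ! curl -fsSL "$UNIT_DOWNLOAD_URL" -o "$unit_tmp"; then
        rm -f -- "$unit_tmp"
        echo "ERREUR : téléchargement de l'unité systemd impossible" >&2
        exit 1
    fi
    install -m 644 "$unit_tmp" /etc/systemd/system/unisoc-honeypot-agent.service
    rm -f -- "$unit_tmp"
elif [ ! -f /etc/systemd/system/unisoc-honeypot-agent.service ]; then
    # Without this branch the script would only fail later, at
    # `systemctl enable`, with a less helpful message.
    echo "ERREUR : unité systemd introuvable et UNIT_DOWNLOAD_URL non défini" >&2
    exit 1
fi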

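# Load the (new) unit, then enable and start the agent.
systemctl daemon-reload
systemctl enable --now unisoc-honeypot-agent
# Give the agent a moment to start before looking at its state.
sleep 2

echo
echo "[+] Service status :"
# `systemctl status` exits non-zero when the unit is not active, and `head` can
# close the pipe early. Under `set -e -o pipefail` either would abort the script
# right here, before the journal excerpt that explains the failure. The status
# output is informational; the real check is done below.
systemctl status unisoc-honeypot-agent --no-pager 2>&1 | head -10 || true

echo
echo "[+] Premier test heartbeat :"
journalctl -u unisoc-honeypot-agent --no-pager -n 8 2>&1 | tail -8 || true

# Do not announce a successful install if the agent is not running.
if ! systemctl is-active --quiet unisoc-honeypot-agent; then
    echo "ERREUR : le service unisoc-honeypot-agent n'est pas actif" >&2
    exit 1
fi

echo
echo "==================================================="
echo "[$(date -u +%FT%TZ)] UniSOC Honeypot Agent installé"
echo "Logs   : journalctl -u unisoc-honeypot-agent -f"
echo "Config : /etc/unisoc-honeypot-agent/agent.conf"
echo "==================================================="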
