#!/bin/bash
# ═══════════════════════════════════════════════════════════════════
# TheKetoBay — Kompletan VPS Setup Guide
# Ubuntu 22.04 LTS | Docker | Nginx | SSL | Ollama
# ═══════════════════════════════════════════════════════════════════
#
# KORACI:
#  1. Priprema VPS-a (Docker, Git, Node)
#  2. Upload fajlova na server
#  3. Konfiguracija .env
#  4. Pokretanje stack-a
#  5. SSL certifikat
#  6. Ollama AI model
#  7. Provjera i monitoring
#
# Pokretanje: bash vps-setup.sh
# ═══════════════════════════════════════════════════════════════════

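# Abort on any failed command, on any unset variable and on any failed
# pipeline stage: a half-finished provisioning run must not report success.
set -euo pipefail

# ANSI colour escapes used by the message helpers below. Kept as literal
# backslash sequences (single quotes) and expanded by printf '%b'/echo -e
# at print time. readonly: nothing in this script reassigns them.
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly RED='\033[0;31m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'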

info() {
  # Informational message on stdout: blue "ℹ️" prefix, then $1, colour reset.
  # '%b' expands the escape sequences in BLUE/NC the same way `echo -e` does.
  printf '%b\n' "${BLUE}ℹ️  ${1}${NC}"
}
success() {
  # Success message on stdout: green "✅" prefix, then $1, colour reset.
  printf '%b\n' "${GREEN}✅ ${1}${NC}"
}
warn() {
  # Non-fatal warning on stdout: yellow "⚠️" prefix, then $1, colour reset.
  # Does not change the exit status or stop the script.
  printf '%b\n' "${YELLOW}⚠️  ${1}${NC}"
}
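error() {
  # Fatal error: red "❌" prefix, then $1, colour reset — written to stderr so
  # it is not swallowed when stdout is captured or piped to a log filter —
  # and then the whole script exits with status 1. This is the only helper
  # that terminates the run.
  printf '%b\n' "${RED}❌ ${1}${NC}" >&2
  exit 1
}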
step() {
  # Section banner on stdout: an empty line, a green rule, the title ($1)
  # indented by one space, and the rule again.
  local rule='══════════════════════════════════════'
  printf '\n%b\n' "${GREEN}${rule}${NC}"
  printf '%b\n' "${GREEN} ${1}${NC}"
  printf '%b\n' "${GREEN}${rule}${NC}"
}

# ── STEP 1: System update & dependencies ──────────────────────────
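step "STEP 1: System Update & Dependencies"

# Everything from here on writes under /etc and drives apt/systemctl; refuse
# up front instead of failing half-way through with a permission error.
[[ $EUID -eq 0 ]] || error "This script must be run as root (sudo bash vps-setup.sh)"

# Unattended run: keep dpkg (conffile questions, needrestart) from pausing
# on interactive prompts. Exported so later apt-get calls inherit it.
export DEBIAN_FRONTEND=noninteractive

# Two statements rather than `update && upgrade`: inside an && list a failing
# `apt-get update` would not trip `set -e` and the script would carry on
# with stale package lists.
apt-get update -qq
apt-get upgrade -y -qq
apt-get install -y -qq \
  curl wget git unzip nano htop \
  ca-certificates gnupg lsb-release \
  ufw fail2ban

success "System packages installed"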

# ── STEP 2: Install Docker ─────────────────────────────────────────
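step "STEP 2: Docker Installation"

if ! command -v docker &> /dev/null; then
  # Docker's official apt repository, bound to Docker's signing key through
  # signed-by so no other configured source can serve these package names.
  install -m 0755 -d /usr/share/keyrings
  docker_key=$(mktemp)
  # Download and de-armor as two steps instead of `curl | gpg`: with plain
  # `set -e` a failed download in a pipeline is ignored and an empty or
  # garbled keyring would be written. --yes overwrites a stale keyring
  # instead of prompting on a re-run.
  curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o "$docker_key"
  gpg --dearmor --yes -o /usr/share/keyrings/docker-archive-keyring.gpg < "$docker_key"
  rm -f -- "$docker_key"
  # apt fetches as the unprivileged _apt user and must be able to read the key.
  chmod a+r /usr/share/keyrings/docker-archive-keyring.gpg
  echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
    > /etc/apt/sources.list.d/docker.list
  apt-get update -qq
  # noninteractive so a dpkg/needrestart prompt cannot stall the install.
  DEBIAN_FRONTEND=noninteractive apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
  systemctl enable docker
  systemctl start docker
  success "Docker installed"
else
  success "Docker already installed: $(docker --version)"
fi

# Compose v2 ships as a CLI plugin (`docker compose`); expose the legacy
# `docker-compose` name for scripts that still expect it. Only link when the
# plugin binary is actually present, and say so if the link cannot be made
# rather than hiding the failure.
compose_plugin=/usr/libexec/docker/cli-plugins/docker-compose
if ! command -v docker-compose &> /dev/null && [[ -x "$compose_plugin" ]]; then
  ln -s "$compose_plugin" /usr/local/bin/docker-compose \
    || warn "Could not create /usr/local/bin/docker-compose symlink; use 'docker compose' instead"
fi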

# ── STEP 3: Firewall setup ─────────────────────────────────────────
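step "STEP 3: Firewall (UFW)"

# `ufw --force reset` discards every existing rule, so the SSH port must be
# re-opened before `enable` or the current session is the last one. Ask sshd
# which port it really listens on (a non-default port is a common hardening
# step) instead of assuming 22; fall back to 22 when sshd -T is unavailable
# or returns something that is not a plain port number.
ssh_port=$(sshd -T 2>/dev/null | awk '$1 == "port" { print $2; exit }' || true)
[[ "$ssh_port" =~ ^[0-9]+$ ]] || ssh_port=22

ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow "${ssh_port}/tcp"   # SSH
ufw allow 80/tcp              # HTTP
ufw allow 443/tcp             # HTTPS
ufw --force enable

success "Firewall configured (${ssh_port}, 80, 443 open)"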

# ── STEP 4: Fail2ban ──────────────────────────────────────────────
step "STEP 4: Fail2Ban (Brute Force Protection)"

# Overrides go in jail.local so package upgrades of jail.conf do not clobber
# them. The delimiter is quoted on purpose: %(sshd_log)s is fail2ban's own
# interpolation, not a shell expansion. Only the sshd jail is enabled here.
# NOTE(review): %(sshd_log)s resolves to the system auth log on Debian-family
# hosts; if that file is absent the jail may not start — verify after the
# restart with `fail2ban-client status sshd`.
cat << 'EOF' > /etc/fail2ban/jail.local
[DEFAULT]
bantime  = 3600
findtime  = 600
maxretry = 5

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
EOF

# restart rather than start: if the package install in STEP 1 already left
# fail2ban running, it must re-read the new jail.local.
systemctl enable fail2ban
systemctl restart fail2ban
success "Fail2ban active"

success "VPS base setup complete!"
printf '\n'
info "Next: Upload your project files and run configure-ketobay.sh"
