#!/usr/bin/env bash
# Provision a dedicated backend LXC for the MEV Control stack.
#
# Intended topology:
# - Public GUI/static nginx remains on CT 2410 (info-defi-oracle-web)
# - This backend CT runs mev-admin-api, mev-supervisor, pipeline services, and local infra
# - CT 2410 proxies /api/* to this backend CT
#
# Usage:
#   bash scripts/deployment/provision-mev-control-backend-lxc.sh [--dry-run]
#
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

PROXMOX_HOST="${PROXMOX_HOST:-${PROXMOX_HOST_R630_04:-192.168.11.14}}"
VMID="${MEV_CONTROL_BACKEND_VMID:-2421}"
IP_CT="${MEV_CONTROL_BACKEND_IP:-192.168.11.223}"
HOSTNAME_CT="${MEV_CONTROL_BACKEND_HOSTNAME:-mev-control-backend}"
TEMPLATE_CT="${TEMPLATE:-local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst}"
STORAGE="${STORAGE:-local-lvm}"
NETWORK="${NETWORK:-vmbr0}"
GATEWAY="${NETWORK_GATEWAY:-192.168.11.1}"
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
DRY_RUN=false
[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true

echo "=== Provision MEV Control backend LXC ==="
echo "Proxmox: ${PROXMOX_HOST}  VMID: ${VMID}  IP: ${IP_CT}"

if $DRY_RUN; then
  echo "[DRY-RUN] pct create ${VMID} on ${PROXMOX_HOST} with Docker-capable unprivileged settings"
  exit 0
fi

if ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct list 2>/dev/null | grep -q '^${VMID} '"; then
  echo "CT ${VMID} already exists — skipping pct create"
else
  echo "Creating CT ${VMID} (${HOSTNAME_CT}) @ ${IP_CT}/24..."
  ssh $SSH_OPTS "root@${PROXMOX_HOST}" bash -s <<EOF
set -euo pipefail
pct create ${VMID} ${TEMPLATE_CT} \\
  --hostname ${HOSTNAME_CT} \\
  --memory 32768 \\
  --swap 8192 \\
  --cores 16 \\
  --rootfs ${STORAGE}:200 \\
  --net0 name=eth0,bridge=${NETWORK},ip=${IP_CT}/24,gw=${GATEWAY} \\
  --nameserver ${DNS_PRIMARY:-1.1.1.1} \\
  --description 'Dedicated backend LXC: MEV admin API, supervisor, pipeline, and local infra' \\
  --features nesting=1,keyctl=1 \\
  --onboot 1 \\
  --start 1 \\
  --unprivileged 1
EOF
  echo "Waiting for CT to boot..."
  sleep 15
fi

ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct status ${VMID}" | grep -q running || {
  echo "ERROR: CT ${VMID} not running — start with: ssh root@${PROXMOX_HOST} 'pct start ${VMID}'" >&2
  exit 1
}

echo "Installing baseline packages inside CT ${VMID}..."
ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -lc \"set -euo pipefail; export DEBIAN_FRONTEND=noninteractive; apt-get update -qq; apt-get install -y -qq curl jq git ca-certificates build-essential pkg-config libssl-dev gpg lsb-release uidmap\""

echo ""
echo "✅ Backend CT ${VMID} ready at ${IP_CT}"
echo "   Next: deploy the MEV stack inside the CT and point CT 2410 /api to http://${IP_CT}:9090"