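#!/usr/bin/env bash
#
# Preflight for the node "apply" step.
#
# Verifies that the required inputs are present and well-formed and that the
# baseline tools exist, and warns about tools that apply is expected to
# install. The code in this file only checks and logs.
#
# Environment:
#   NODE_NAME            required
#   SSH_PUBLIC_KEY       required
#   SOVEREIGN_USER       default "sovereign"
#   SSH_PORT             optional override; validated as a port when set
#   INSTALL_CLOUDFLARED  default "true"
#   INSTALL_WIREGUARD    default "true"
#   WG_PORT              default 51820; validated when INSTALL_WIREGUARD=true
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# require_root, die, need, log_warn, log_info and os_codename are not defined
# in this file; they are expected to come from _common.sh.
source "$SCRIPT_DIR/_common.sh"

: "${NODE_NAME:=}"
: "${SOVEREIGN_USER:=sovereign}"
: "${SSH_PUBLIC_KEY:=}"
: "${SSH_PORT:=}" # optional; auto-detect in apply if unset
: "${INSTALL_CLOUDFLARED:=true}"
: "${INSTALL_WIREGUARD:=true}"
: "${WG_PORT:=51820}"

#######################################
# Check that a value is a decimal port number in 1..65535.
# Arguments: $1 - candidate value
# Returns:   0 if valid, 1 otherwise
#######################################
_is_valid_port() {
  local candidate=${1-}
  [[ "$candidate" =~ ^[0-9]{1,5}$ ]] || return 1
  # 10# forces base 10 so a leading zero is not parsed as octal.
  ((10#$candidate >= 1 && 10#$candidate <= 65535))
}

#######################################
# Run all preflight checks.
# Globals:   NODE_NAME, SSH_PUBLIC_KEY, SSH_PORT, WG_PORT,
#            INSTALL_CLOUDFLARED, INSTALL_WIREGUARD (read)
# Arguments: none used
# Returns:   0 when every hard check passes; hard failures go through die
#######################################
main() {
  local code tool

  require_root

  [[ -n "$NODE_NAME" ]] || die "NODE_NAME is required"
  [[ -n "$SSH_PUBLIC_KEY" ]] || die "SSH_PUBLIC_KEY is required"

  # Reject malformed ports here, before apply can act on them; a bad SSH port
  # is the kind of input that is far cheaper to catch while the current
  # session is still open.
  if [[ -n "$SSH_PORT" ]]; then
    _is_valid_port "$SSH_PORT" ||
      die "SSH_PORT must be an integer between 1 and 65535 (got: $SSH_PORT)"
  fi
  if [[ "$INSTALL_WIREGUARD" == "true" ]]; then
    _is_valid_port "$WG_PORT" ||
      die "WG_PORT must be an integer between 1 and 65535 (got: $WG_PORT)"
  fi

  # Required baseline tools for a typical Hetzner Debian/Ubuntu image.
  for tool in apt systemctl hostnamectl sed grep getent id chmod chown; do
    need "$tool"
  done

  # Soft checks: these may be installed during apply.
  if ! command -v ufw >/dev/null 2>&1; then
    log_warn "ufw not found (will be installed during apply)."
  fi

  if ! command -v sshd >/dev/null 2>&1; then
    log_warn "sshd not found (openssh-server may be installed during apply)."
  fi

  if [[ "$INSTALL_WIREGUARD" == "true" ]] && ! command -v wg >/dev/null 2>&1; then
    log_warn "wg not found (wireguard will be installed during apply)."
  fi

  if [[ "$INSTALL_CLOUDFLARED" == "true" ]]; then
    if ! command -v curl >/dev/null 2>&1; then
      log_warn "curl not found (will be installed during apply)."
    fi
    if ! command -v gpg >/dev/null 2>&1; then
      log_warn "gpg not found (will be installed during apply via gnupg)."
    fi

    # This is a soft check: under `set -e` a non-zero exit from os_codename
    # would otherwise abort the script before the warning below is reached.
    code="$(os_codename)" || code=""
    if [[ -z "$code" ]]; then
      log_warn "Could not determine OS codename in preflight; apply will attempt again."
    else
      log_info "OS codename detected: $code"
    fi
  fi

  if [[ -n "$SSH_PORT" ]]; then
    log_info "SSH_PORT override set: $SSH_PORT"
  fi

  log_info "Preflight OK."
  log_info "Reminder: keep an open root session until sovereign access is verified."
}

main "$@"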