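#!/usr/bin/env bash
# hetzner-bootstrap plan step: prints what ./scripts/11_apply.sh will do,
# without changing the host. Configuration is read from the environment.
#
# Required env:  NODE_NAME, SSH_PUBLIC_KEY
# Optional env:  SERVER_IP, SOVEREIGN_USER, SSH_PORT, ALLOW_SSH_FALLBACK_22,
#                WG_PORT, INSTALL_CLOUDFLARED, INSTALL_WIREGUARD
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# shellcheck source=_common.sh
source "$SCRIPT_DIR/_common.sh"   # provides require_root and die

# Defaults. ':=' assigns when the variable is unset or empty.
: "${SERVER_IP:=}"
: "${NODE_NAME:=}"
: "${SOVEREIGN_USER:=sovereign}"
: "${SSH_PUBLIC_KEY:=}"
: "${SSH_PORT:=}"                    # optional: if unset, apply auto-detects current sshd port (fallback 22)
: "${ALLOW_SSH_FALLBACK_22:=true}"   # safety: keep 22 open if SSH_PORT != 22
: "${WG_PORT:=51820}"
: "${INSTALL_CLOUDFLARED:=true}"
: "${INSTALL_WIREGUARD:=true}"

#######################################
# Print one "[PLAN]" line to stdout.
# Arguments: $* - message text (passed as a %s argument, never as the format)
#######################################
plan() {
  printf '[PLAN] %s\n' "$*"
}

#######################################
# Validate required inputs and print the bootstrap plan.
# Globals (read): NODE_NAME, SSH_PUBLIC_KEY, SERVER_IP, SOVEREIGN_USER,
#                 SSH_PORT, ALLOW_SSH_FALLBACK_22, WG_PORT,
#                 INSTALL_CLOUDFLARED, INSTALL_WIREGUARD
# Arguments: none (positional parameters are ignored)
# Outputs:   the plan, one line per item, on stdout
# Returns:   0; exits through require_root / die on a failed precondition
#######################################
main() {
  require_root
  [[ -n "$NODE_NAME" ]] || die "NODE_NAME required"
  # The apply step turns PasswordAuthentication off, so a public key has to
  # be supplied before hardening or the host would be unreachable over SSH.
  [[ -n "$SSH_PUBLIC_KEY" ]] || die "SSH_PUBLIC_KEY required"

  plan "$(date -Iseconds) hetzner-bootstrap"
  plan "Server IP: ${SERVER_IP:-}"
  plan "Hostname: $NODE_NAME"
  plan "Sovereign user: $SOVEREIGN_USER"
  plan "SSH port allowance:"
  if [[ -n "$SSH_PORT" ]]; then
    printf ' - Will allow SSH_PORT=%s/tcp\n' "$SSH_PORT"
    # Fallback keeps 22/tcp open while a non-default port is introduced, so
    # an sshd port change that has not taken effect yet cannot lock out the operator.
    if [[ "$ALLOW_SSH_FALLBACK_22" == "true" && "$SSH_PORT" != "22" ]]; then
      printf ' - Safety fallback: also allow 22/tcp\n'
    fi
  else
    printf ' - SSH_PORT not set: apply will auto-detect current sshd port (fallback 22) and allow it\n'
  fi
  # Allow rules are inserted BEFORE 'ufw enable' so the default-deny policy
  # never takes effect without the SSH and WireGuard exceptions in place.
  plan "UFW: allow SSH port(s) + allow ${WG_PORT}/udp BEFORE enable; default deny incoming"
  plan "SSH hardening: PermitRootLogin no, PasswordAuthentication no, validate with sshd -t, reload ssh service"
  plan "cloudflared install: $INSTALL_CLOUDFLARED"
  plan "wireguard package install: $INSTALL_WIREGUARD"
  echo
  plan "Next: export DRY_RUN=0 && ./scripts/11_apply.sh"
}

main "$@"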