#!/bin/bash
# sharekit QUICKSTART — paste this after filling in USER_DOMAIN (and, if different, SHAREKIT_DOMAIN) in the CONFIG block below; the server IP is prompted for at runtime.
# Source fetched from https://files.spannerjun.top (URL checked May 2026, ~14 KB tarball). No checksum or signature is recorded here, so "checked" means the URL resolved — it is not an integrity verification of the archive.

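set -euo pipefail

# ──── CONFIG (fill these) ──────────────────────────────────────────────
USER_DOMAIN="example.com"               # your base domain; vhosts and certs are created for files.$USER_DOMAIN and mcp.$USER_DOMAIN
SHAREKIT_DOMAIN="example.com"            # could be same as USER_DOMAIN (not referenced by any step in this script)
# ──────────────────────────────────────────────────────────────────────

# Refuse to run with the placeholder domain: every later step (nginx vhosts,
# acme.sh issuance, health checks) would target a name this box does not own,
# and acme.sh would fail only after nginx and the services are already up.
[[ "$USER_DOMAIN" != "example.com" ]] || { echo "set USER_DOMAIN in the CONFIG block first" >&2; exit 1; }

# Prompted rather than hardcoded. Not referenced by any later step in this
# script; it is kept so the operator records which box they are bootstrapping.
read -rp "Server IP (this box): " SERVER_IP
[[ -n "$SERVER_IP" ]] || { echo "no IP given" >&2; exit 1; }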

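echo
echo "▼ Step 1: user / venv"
# Service account. --system creates no home directory; the venv command below
# creates /home/hermes (owned by root) as a side effect. stderr is suppressed
# and the status ignored on purpose so a re-run with an existing user proceeds.
# NOTE(review): a login shell is granted here; whether sharekit-bootstrap.sh
# relies on it (e.g. su/runuser) is not visible from this script.
useradd --system --home /home/hermes --shell /bin/bash hermes 2>/dev/null || true
python3 -m venv /home/hermes/venv
# Fix: the original argument was written as \\'uvicorn[standard]\\', which bash
# parses as a literal backslash followed by a quoted string, so pip received
# "\uvicorn[standard]\\" instead of the extra. Plain single quotes are what is
# needed to stop the shell globbing the brackets.
# NOTE(review): versions are unpinned and unhashed, so each run resolves to
# whatever PyPI serves that day; pin with a requirements file + --require-hashes
# once a known-good set exists.
/home/hermes/venv/bin/pip install --quiet fastapi httpx 'uvicorn[standard]' pydantic mcp
# Let the service account (and anyone else on the box) read/traverse the venv.
chmod -R go+rX /home/hermes/venv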

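echo
echo "▼ Step 2: download source from public release (no auth, no scp)"
RELEASE_BASE="https://files.spannerjun.top"
# Optional pin: export SHAREKIT_SHA256=<hex> before running to verify the
# archive. Empty keeps the original unverified behaviour, but the digest is
# printed so it can be pinned for the next run.
SHAREKIT_SHA256="${SHAREKIT_SHA256:-}"
mkdir -p /home/hermes/sharekit

# Certificate verification stays ON (the original used -k). This archive is
# unpacked into the service home and its sharekit-bootstrap.sh is later run as
# root, so an on-path attacker who can pass a bogus cert gets root on this box.
# --proto '=https' also stops a redirect from downgrading to plain http.
CURL=(curl -sSf --proto '=https' --tlsv1.2)

# Newest release by name; the date-stamped pattern sorts lexically. The strict
# regex is also what makes $TARBALL safe to splice into the URL and path below.
# grep -P needs GNU grep with PCRE support.
TARBALL=$("${CURL[@]}" "$RELEASE_BASE/browse?path=sharekit-release/" \
   | grep -oP 'sharekit-\d{8}-\d{4}\.tar\.gz' | sort | tail -1) || TARBALL=""
[[ -n "$TARBALL" ]] || { echo "tarball not found in release dir" >&2; exit 1; }
echo "  found $TARBALL"

# Private scratch dir instead of the predictable /tmp/$TARBALL (anyone on the
# box could pre-create that path or a symlink there). Removed on any exit.
WORKDIR=$(mktemp -d)
trap 'rm -rf -- "${WORKDIR:?}"' EXIT
"${CURL[@]}" -o "$WORKDIR/$TARBALL" "$RELEASE_BASE/raw?path=sharekit-release/$TARBALL"

ACTUAL_SHA256=$(sha256sum "$WORKDIR/$TARBALL" | cut -d' ' -f1)
if [[ -n "$SHAREKIT_SHA256" ]]; then
  [[ "$ACTUAL_SHA256" == "$SHAREKIT_SHA256" ]] \
    || { echo "sha256 mismatch for $TARBALL: got $ACTUAL_SHA256, expected $SHAREKIT_SHA256" >&2; exit 1; }
  echo "  sha256 OK"
else
  echo "  WARNING: SHAREKIT_SHA256 not set — archive NOT verified (sha256 $ACTUAL_SHA256)" >&2
fi

# Refuse archives that would write outside /home/hermes (absolute paths or a
# ".." component). Deliberately not grep -q: an early grep exit would SIGPIPE
# tar and, under pipefail, turn a *match* into a non-zero pipeline status.
if tar tzf "$WORKDIR/$TARBALL" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
  echo "refusing $TARBALL: contains absolute or parent-directory paths" >&2
  exit 1
fi
# We run as root, so without --no-same-owner tar would honour whatever uid/gid
# the archive author put in the headers.
tar xzf "$WORKDIR/$TARBALL" --no-same-owner -C /home/hermes/
ls /home/hermes/sharekit/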

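echo
echo "▼ Step 3: configure .env"
SHAREKIT_DIR=/home/hermes/sharekit
ENV_FILE="$SHAREKIT_DIR/.env"
# Verified TLS (the original used -k): this file seeds the service configuration.
curl -sSf --proto '=https' --tlsv1.2 -o "$SHAREKIT_DIR/config.env.example" \
   "https://files.spannerjun.top/raw?path=sharekit-release/config.env.example"

if [[ -e "$ENV_FILE" ]]; then
  # A re-run must not overwrite a .env the operator has already filled with
  # litellm/smail credentials (the original unconditionally clobbered it).
  echo "  $ENV_FILE already exists — leaving it untouched"
else
  cp "$SHAREKIT_DIR/config.env.example" "$ENV_FILE"
  chmod 600 "$ENV_FILE"
  # Point the upstream hostnames at this deployment. USER_DOMAIN is operator
  # input; a '|' or '&' in it would break the sed expression, nothing worse.
  sed -i "s|mcp.spannerjun.top|mcp.$USER_DOMAIN|g; s|files.spannerjun.top|files.$USER_DOMAIN|g" "$ENV_FILE"
fi
# 0600 root-owned would be unreadable by the hermes account created in Step 1;
# give it to hermes (root can still read it). NOTE(review): whether the units
# written by sharekit-bootstrap.sh run as hermes is not visible here — confirm.
chown hermes "$ENV_FILE"
echo "  edit $ENV_FILE manually if you want litellm/smail"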

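echo
echo "▼ Step 4: nginx placeholders + configs"
# /var/www/acme-challenge is the webroot both the vhosts and acme.sh use; it was
# never created by the original script.
mkdir -p /etc/nginx/ssl /var/www/acme-challenge
# Throwaway self-signed certs so nginx can start before acme.sh has issued the
# real ones. The vhost configs reference <sub>.<domain>.fullchain.crt, but the
# original only wrote <sub>.<domain>.crt, so `nginx -t` failed on a fresh box.
# Existing key+cert pairs are kept: on a re-run they are the acme.sh-installed
# ones, and overwriting just the key would leave it mismatched with fullchain.
for sub in files mcp; do
  key="/etc/nginx/ssl/${sub}.${USER_DOMAIN}.key"
  crt="/etc/nginx/ssl/${sub}.${USER_DOMAIN}.crt"
  fullchain="/etc/nginx/ssl/${sub}.${USER_DOMAIN}.fullchain.crt"
  if [[ -e "$key" && -e "$crt" ]]; then
    echo "  keeping existing $crt"
    [[ -e "$fullchain" ]] || cp -- "$crt" "$fullchain"
    continue
  fi
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
    -keyout "$key" \
    -out "$crt" \
    -subj "/CN=${sub}.${USER_DOMAIN}"
  chmod 600 -- "$key"
  cp -- "$crt" "$fullchain"
done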

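# Render reverse-proxy configs (substitute USER_DOMAIN).
# Both vhosts terminate TLS and forward to loopback-only upstreams; nothing at
# this layer authenticates clients, so the upstreams are exactly as exposed as
# these two hostnames. NOTE(review): whether the fileserver/MCP apps enforce
# their own auth is not visible from this script — confirm before going public.
WSD=$USER_DOMAIN
cat > "/etc/nginx/conf.d/files.$WSD.conf" <<NGINX
server {
    listen 80;
    listen [::]:80;
    server_name files.$WSD;
    location /.well-known/acme-challenge/ { root /var/www/acme-challenge; default_type "text/plain"; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name files.$WSD;
    ssl_certificate     /etc/nginx/ssl/files.$WSD.fullchain.crt;
    ssl_certificate_key /etc/nginx/ssl/files.$WSD.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    client_max_body_size 512m;
    location / {
        proxy_pass http://127.0.0.1:8789;
        proxy_http_version 1.1;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_buffering off;
        proxy_read_timeout 300s;
    }
}
NGINX

cat > "/etc/nginx/conf.d/mcp.$WSD.conf" <<NGINX
server {
    listen 80;
    listen [::]:80;
    server_name mcp.$WSD;
    location /.well-known/acme-challenge/ { root /var/www/acme-challenge; default_type "text/plain"; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mcp.$WSD;
    ssl_certificate     /etc/nginx/ssl/mcp.$WSD.fullchain.crt;
    ssl_certificate_key /etc/nginx/ssl/mcp.$WSD.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    client_max_body_size 50m;
    location / {
        proxy_pass http://127.0.0.1:8790;
        proxy_http_version 1.1;
        # FastMCP binds 127.0.0.1 — MUST hardcode, otherwise 421.
        # Side effect: the upstream never sees the public hostname; the real
        # client address still arrives via X-Real-IP / X-Forwarded-For.
        proxy_set_header Host              127.0.0.1;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Connection        "";
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}
NGINX

# The original `nginx -t && nginx -s reload` did NOT stop the script when the
# config test failed: under set -e a failure in the first member of an && list
# is exempt, so a broken vhost file stayed in place and the run carried on to
# bootstrap and acme.sh. Fail explicitly instead.
nginx -t || { echo "nginx config test failed; check /etc/nginx/conf.d/{files,mcp}.$WSD.conf" >&2; exit 1; }
nginx -s reload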

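echo
echo "▼ Step 5: bootstrap (writes systemd units, starts services)"
# This runs, as root, a script that arrived inside the downloaded tarball in
# Step 2 — it is the point where any tampering with the archive becomes code
# execution. Fail with a clear message rather than a cryptic "not found".
BOOTSTRAP=/home/hermes/sharekit/sharekit-bootstrap.sh
[[ -x "$BOOTSTRAP" ]] || { echo "$BOOTSTRAP missing or not executable — was the tarball extracted?" >&2; exit 1; }
"$BOOTSTRAP"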

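echo
echo "▼ Step 6: real TLS via acme.sh"
#######################################
# Issue and install a Let's Encrypt cert for one hostname via the shared webroot.
# Arguments: $1 - fully qualified hostname (files.<domain> or mcp.<domain>)
# Globals:   writes /etc/nginx/ssl/<host>.{crt,key,fullchain.crt}
# Returns:   0 on success; exits the script on any other issuance failure
#######################################
issue_cert() {
  local host=$1 rc=0
  # acme.sh --issue returns 2 ("skip") when a cert already exists and is not
  # yet due for renewal; the original let set -e abort the whole quickstart on
  # that status, so it could not be re-run. Any other non-zero status aborts.
  # --keylength ec-256 makes the issued key ECC so that --install-cert --ecc
  # below looks in the matching cert directory regardless of acme.sh defaults.
  acme.sh --issue -d "$host" -w /var/www/acme-challenge --keylength ec-256 || rc=$?
  if [[ $rc -ne 0 && $rc -ne 2 ]]; then
    echo "acme.sh --issue failed for $host (exit $rc)" >&2
    exit 1
  fi
  acme.sh --install-cert -d "$host" --ecc \
    --cert-file "/etc/nginx/ssl/$host.crt" \
    --key-file "/etc/nginx/ssl/$host.key" \
    --fullchain-file "/etc/nginx/ssl/$host.fullchain.crt" \
    --reloadcmd "systemctl reload nginx"
}

issue_cert "files.$WSD"
issue_cert "mcp.$WSD"
nginx -s reload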

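echo
echo "▼ verify ──────────────────────────────────────"
sleep 5
# No -k here (the original had it): after Step 6 these hosts must present a
# publicly valid certificate, so a TLS failure (curl prints 000) is itself a
# finding rather than something the check should mask.
# The original header/body arguments were written as \\'...\\', which bash does
# not parse as quoting; plain single quotes are intended. The body is an empty
# JSON object — the original's {{}} is not valid JSON and looks like a
# template-escaping artefact.
files_code=$(curl -sS -o /dev/null -w '%{http_code}' "https://files.$WSD/health" || true)
mcp_code=$(curl -sS -X POST -o /dev/null -w '%{http_code}' "https://mcp.$WSD/mcp" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  -d '{}' || true)
echo "files health: $files_code"
echo "mcp   health: $mcp_code"
echo "sharekit-fileserver: $(systemctl is-active sharekit-fileserver)"
echo "sharekit-mcpserver:  $(systemctl is-active sharekit-mcpserver)"

echo
echo "✓ DONE. Servers:"
echo "  https://files.$WSD"
echo "  https://mcp.$WSD/mcp   (12 sharekit tools + 9 smail tools if you filled SMAIL_*)"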
