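#!/bin/bash
# First-boot provisioning for the DRB VM.
#
# Installs Docker Engine (with the buildx and compose plugins) and Caddy from
# their upstream apt repositories, prepares /opt/drb for the deploy user, and
# writes a placeholder Caddyfile that CI replaces on the first deployment.
#
# Runs as root (it writes under /etc and drives apt-get/systemctl). The steps
# are written so that a repeat run does not fail on files left by an earlier
# run.
set -euxo pipefail

# Unattended boot: a package prompt must never block provisioning.
export DEBIAN_FRONTEND=noninteractive

readonly APP_USER=drb
readonly APP_DIR=/opt/drb
readonly DOCKER_KEYRING=/etc/apt/keyrings/docker.gpg
readonly CADDY_KEYRING=/usr/share/keyrings/caddy-stable-archive-keyring.gpg
readonly CADDY_LIST=/etc/apt/sources.list.d/caddy-stable.list

# ── Docker ────────────────────────────────────────────────────────────────────
apt-get update -y
apt-get install -y ca-certificates curl gnupg lsb-release

install -m 0755 -d /etc/apt/keyrings

# The signing key is trusted on first download over HTTPS; nothing here pins
# its fingerprint. NOTE(review): compare it with the fingerprint the vendor
# publishes if this image needs a stronger trust anchor than TLS.
# --batch --yes: overwrite an existing keyring instead of prompting, which
# would fail without a terminal.
curl -fsSL https://download.docker.com/linux/debian/gpg \
  | gpg --batch --yes --dearmor -o "$DOCKER_KEYRING"
chmod a+r "$DOCKER_KEYRING"

# Resolve these outside the output command so that a failure aborts the script
# (set -e does not see a failed substitution inside an argument list).
arch=$(dpkg --print-architecture)
codename=$(lsb_release -cs)
printf 'deb [arch=%s signed-by=%s] https://download.docker.com/linux/debian %s stable\n' \
  "$arch" "$DOCKER_KEYRING" "$codename" \
  > /etc/apt/sources.list.d/docker.list

apt-get update -y
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

systemctl enable docker
systemctl start docker

# Allow the deploy user to run docker.
# Membership of the docker group is root-equivalent on this host (the daemon
# socket can start privileged containers), so the account and the CI
# credentials that log in as it must be protected like root credentials.
if id "$APP_USER" >/dev/null 2>&1; then
  usermod -aG docker "$APP_USER"
else
  # Best effort, as before, but no longer silent.
  echo "warning: user '$APP_USER' does not exist; skipping docker group membership" >&2
fi

# ── Caddy (reverse proxy + auto TLS) ─────────────────────────────────────────
apt-get install -y debian-keyring debian-archive-keyring apt-transport-https

# Same trust model as the Docker key: fetched over HTTPS, not pinned.
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
  | gpg --batch --yes --dearmor -o "$CADDY_KEYRING"
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
  > "$CADDY_LIST"
# apt verifies signatures as an unprivileged user, so both files must be
# world-readable whatever umask this script inherited (the Docker section
# does the same for its keyring).
chmod a+r "$CADDY_KEYRING" "$CADDY_LIST"

apt-get update -y
apt-get install -y caddy

# ── App directory — clone repo so CI can git pull + docker compose up ─────────
apt-get install -y git
mkdir -p "$APP_DIR"

# Repo is cloned here by initial setup; CI just git pulls and rebuilds.
# Mark the directory as safe for every account. --global would write to the
# invoking user's (root's) config only, which the deploy user never reads,
# and it fails outright when HOME is unset. The exception stays scoped to
# this one path.
if ! git config --system --get-all safe.directory | grep -qxF -- "$APP_DIR"; then
  git config --system --add safe.directory "$APP_DIR"
fi

if id "$APP_USER" >/dev/null 2>&1; then
  chown -R "$APP_USER:$APP_USER" "$APP_DIR"
else
  echo "warning: user '$APP_USER' does not exist; $APP_DIR stays owned by root" >&2
fi

# ── Caddyfile placeholder (CI will write the real one on first deploy) ────────
# Plain HTTP on :80 only; no site name is configured yet, so no certificate is
# requested until CI installs the real Caddyfile.
cat > /etc/caddy/Caddyfile <<'CADDY'
# This file is managed by CI. Do not edit manually.
# It will be replaced on the first deployment.

:80 {
  respond "DRB server — waiting for deployment" 200
}
CADDY

# --now: make sure the unit is running before asking it to reload.
systemctl enable --now caddy
systemctl reload caddy

echo "Startup complete."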