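#!/bin/bash
# setup.sh — MukenVault Entry one-shot installer for Founding 50 partners.
#
# Downloads the install tarball, verifies its sha256, extracts it, and
# runs the installer with the license key the partner passes via
# --license. Designed for the curl|bash entry-point documented in the
# onboarding email:
#
#   curl -fsSL https://install.mukenvault.com/setup.sh | \
#     sudo bash -s -- --license YOUR-KEY-HERE
#
# The wrapper exists so the curl|bash convenience path still goes
# through sha256 verification. Partners who want the safer "download,
# inspect, then run" flow can do the equivalent three steps by hand
# (see https://install.mukenvault.com/quickstart).
#
# Exit codes used by the checks in this part of the script:
#   0  --help was printed
#   1  bad arguments, missing --license, or an unusable MUKENVAULT_VERSION

set -euo pipefail
IFS=$'\n\t'

# Both values can be overridden from the environment. They are interpolated
# into the download URL, and VERSION also becomes a local file and directory
# name used while running as root.
INSTALL_HOST="${INSTALL_HOST:-install.mukenvault.com}"
VERSION="${MUKENVAULT_VERSION:-v5.0.0-entry}"

# Reject path separators and other surprises before VERSION is used to build
# a filename; the shipped defaults (vX.Y.Z-entry) pass this check.
if ! [[ "$VERSION" =~ ^[A-Za-z0-9._-]+$ ]]; then
  echo "ERROR: MUKENVAULT_VERSION contains unexpected characters: $VERSION" >&2
  exit 1
fi

TARBALL="mukenvault-${VERSION}.tar.gz"

# Private scratch directory (mktemp -d creates it mode 0700), removed on exit.
# ${WORK:?} makes the cleanup refuse to run with an empty path.
WORK="$(mktemp -d -t mukenvault-setup-XXXXXXXX)"
trap 'rm -rf -- "${WORK:?}"' EXIT

LICENSE_KEY=""
while [[ $# -gt 0 ]]; do
  case "$1" in
    --license)
      # ${2:?…} aborts with the given message when the value is missing.
      LICENSE_KEY="${2:?--license requires a value}"
      shift 2
      ;;
    -h|--help)
      # NOTE(review): the Usage line is reconstructed from the option parser
      # above; confirm the wording against the published script.
      # NOTE(review): with sudo's default env_reset a variable set *before*
      # `sudo` may not reach this script; `sudo MUKENVAULT_VERSION=… bash
      # setup.sh` is the form that usually survives — confirm on the
      # supported distros before relying on the example below.
      cat <<EOF
Usage: sudo bash setup.sh --license LICENSE-KEY

Downloads https://${INSTALL_HOST}/${TARBALL}, verifies its sha256, and
runs the bundled installer.

To override the version pulled (default ${VERSION}):
  MUKENVAULT_VERSION=v4.3.1-entry sudo bash setup.sh --license ...
EOF
      exit 0
      ;;
    *)
      echo "unknown arg: $1" >&2
      exit 1
      ;;
  esac
done

if [[ -z "$LICENSE_KEY" ]]; then
  echo "ERROR: --license is required" >&2
  echo " see https://${INSTALL_HOST}/quickstart" >&2
  exit 1
fi

# Catch the placeholder string from the onboarding email / quickstart before
# we waste any time downloading + extracting. The bug we're guarding against
# is the partner copy-pasting the curl command verbatim without swapping
# YOUR-KEY-HERE for the real key. Without this check the install proceeds
# all the way to Phase C (Keygen validate-key) before failing with a
# confusing "license not found" error.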
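# Exit codes used from here on:
#   1  not running as root
#   2  tarball checksum mismatch
#   3  license key is still the placeholder text
#   4  license key does not match the expected format
#
# NOTE(review): the pattern list originally showed two empty alternatives,
# which look like angle-bracket placeholders lost in transit; an empty key is
# already rejected earlier, so only one is kept. Confirm against the
# published script.
case "$LICENSE_KEY" in
  YOUR-KEY-HERE|""|YOUR_LICENSE_KEY)
    echo "ERROR: license key is the placeholder text: $LICENSE_KEY" >&2
    echo " Replace it with the real key from your onboarding email." >&2
    # NOTE(review): confirm this sample is a documentation-only value and
    # not a key that validates against the license service.
    echo " Example: --license 99AADB-9477B2-26C379-F14D4D-9825B7-V3" >&2
    exit 3
    ;;
esac

# Catch obvious format errors (typos, partial paste) before the network
# round-trip. Real Keygen keys are 5 groups of 6 uppercase alphanumeric
# separated by '-' with a trailing -V<digits> revision marker; deviations
# are almost always a paste mistake.
if ! [[ "$LICENSE_KEY" =~ ^[A-Z0-9]{6}(-[A-Z0-9]{6}){4}-V[0-9]+$ ]]; then
  echo "ERROR: license key format looks wrong:" >&2
  echo " received: $LICENSE_KEY" >&2
  # The pattern above requires digits after -V, so the hint shows them.
  echo " expected: XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-V<N>" >&2
  echo " (uppercase letters + digits only, 5 groups of 6, '-' separators)" >&2
  echo " Double-check the key in your onboarding email." >&2
  exit 4
fi

if [[ "$(id -u)" -ne 0 ]]; then
  echo "ERROR: must run as root (re-run with sudo)" >&2
  exit 1
fi

# Prefix progress messages with a cyan "[setup]" tag on stdout.
log() {
  printf '\033[1;36m[setup]\033[0m %s\n' "$*"
}

log "Downloading ${TARBALL}…"
cd "$WORK"
# --proto '=https' refuses any non-HTTPS scheme (including on redirects) and
# --tlsv1.2 sets the minimum TLS version; -f turns HTTP errors into failures.
curl -fsSL --proto '=https' --tlsv1.2 -o "$TARBALL" "https://${INSTALL_HOST}/${TARBALL}"
curl -fsSL --proto '=https' --tlsv1.2 -o "${TARBALL}.sha256" "https://${INSTALL_HOST}/${TARBALL}.sha256"

log "Verifying sha256…"
# The checksum file comes from the same host as the tarball, so this step
# catches truncated or corrupted downloads; on its own it does not prove the
# tarball is authentic if that host is serving altered files. Anyone who
# needs that assurance should compare the digest with one obtained out of
# band before running the installer.
#
# `sha256sum -c` checks whichever path the checksum file names, so the digest
# of the exact file about to be extracted must also appear in that file.
actual_sha256="$(sha256sum -- "$TARBALL")"
actual_sha256="${actual_sha256%% *}"
if ! sha256sum -c "${TARBALL}.sha256" --quiet \
  || ! [[ "$actual_sha256" =~ ^[0-9a-f]{64}$ ]] \
  || ! grep -qiF -- "$actual_sha256" "${TARBALL}.sha256"; then
  echo "ERROR: tarball checksum mismatch — do NOT proceed" >&2
  exit 2
fi

log "Extracting…"
# Extraction and everything after it run as root; the archive is trusted only
# as far as the checksum step above.
tar xzf "$TARBALL"
cd "mukenvault-${VERSION}"

log "Running installer…"
# The key is handed over on the command line, so it is visible in the process
# list while the installer runs.
# NOTE(review): prefer an environment or stdin hand-off if the installer
# offers one.
# NOTE(review): `exec` replaces this shell, so an EXIT trap set earlier does
# not fire on this path and $WORK is left in place — confirm whether the
# installer needs those files after it finishes.
exec bash installer/nginx-entry-install.sh --license "$LICENSE_KEY"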