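#!/usr/bin/env bash
# burnServ worker bootstrap — join as WORKER only (no temp manager)
# Run as root (e.g., cloud-init user-data or startup script)
#
# Steps: install base packages, ensure the local user and its SSH key,
# install Docker from the official apt repo, mount the shared NFS export,
# then join the swarm as a worker. Written to be safe to re-run.
set -euo pipefail

# apt must never stop for a prompt when run from cloud-init / a startup script.
export DEBIAN_FRONTEND=noninteractive

### === CONFIG: fill these in ===
SWARM_MANAGER_ADDR="10.10.10.5:2377"      # e.g., 10.10.10.7:2377

# SECURITY: the worker join token is a credential. Anyone who can read it and
# reach the manager port can enrol a node in the swarm. When this script is
# shipped as user-data it is typically readable from the instance metadata
# and cloud-init logs. Prefer supplying it via the WORKER_JOIN_TOKEN
# environment variable (the literal below is only the fallback), keep this
# file out of version control, and rotate after provisioning with
# `docker swarm join-token --rotate worker` on a manager.
WORKER_JOIN_TOKEN="${WORKER_JOIN_TOKEN:-SWMTKN-1-2a2sxynvwvpcapqysty6fyifxjsdu7xlk529r05nnvi6g7i01c-e700ngcb66bp9rp04am7cmcli}"

# Shared storage (NFS)
NFS_SERVER="10.10.10.8"                   # e.g., 10.10.10.7
NFS_EXPORT="/mnt/data"                    # e.g., /volume2/nfs0 or /mnt/data
MOUNTPOINT="/mnt/data"

# Optional local user
LINUX_USER="josh"
# NOTE(review): the trailing key comment contains a space ("jos h-zbook"),
# possibly a paste artifact. sshd ignores the comment field, but confirm the
# key material itself is intact.
SSH_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFiNTLzVAex3rG3P233A85qwClxlhm+vIjhvi6e1tER josh@jos h-zbook" # leave empty to skip
### ===============================

# Print a tagged progress line to stdout.
log() { printf '[bootstrap] %s\n' "$*"; }

log "Installing base packages"
apt-get update -y
apt-get install -y ca-certificates curl gnupg lsb-release nfs-common uidmap

log "Ensuring user '${LINUX_USER}'"
if ! id -u "$LINUX_USER" >/dev/null 2>&1; then
  adduser --disabled-password --gecos "" "$LINUX_USER"
fi

if [[ -n "$SSH_PUBKEY" ]]; then
  ssh_dir="/home/$LINUX_USER/.ssh"
  auth_keys="$ssh_dir/authorized_keys"

  # NOTE(review): root creates and chowns files inside a directory owned by
  # the user; this is intended for first boot, before the account is in use.
  install -d -m 700 -o "$LINUX_USER" -g "$LINUX_USER" "$ssh_dir"
  touch "$auth_keys"
  chown "$LINUX_USER:$LINUX_USER" "$auth_keys"
  chmod 600 "$auth_keys"

  # Append only when the exact line is not already present (re-run safe).
  if ! grep -qxF "$SSH_PUBKEY" "$auth_keys"; then
    echo "$SSH_PUBKEY" >> "$auth_keys"
  fi
fi

log "Installing Docker (official repo)"
# Read distro facts once; with -u/-e an os-release missing ID or
# VERSION_CODENAME aborts here instead of writing a malformed repo line.
distro_id="$(. /etc/os-release && echo "$ID")"
distro_codename="$(. /etc/os-release && echo "$VERSION_CODENAME")"
pkg_arch="$(dpkg --print-architecture)"

install -m 0755 -d /etc/apt/keyrings
# --batch --yes: on a re-run the keyring already exists, and without these
# gpg asks to overwrite, which fails when there is no terminal.
curl -fsSL "https://download.docker.com/linux/${distro_id}/gpg" \
  | gpg --batch --yes --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg

# signed-by pins this repo to the Docker key only.
printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/%s %s stable\n' \
  "$pkg_arch" "$distro_id" "$distro_codename" \
  > /etc/apt/sources.list.d/docker.list

apt-get update -y
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# SECURITY: membership of the docker group is equivalent to root on this
# host, so the SSH key above effectively grants root access.
usermod -aG docker "$LINUX_USER" || true

log "Mounting NFS ${NFS_SERVER}:${NFS_EXPORT} -> ${MOUNTPOINT}"
mkdir -p "$MOUNTPOINT"
if ! grep -qE "^\s*${NFS_SERVER}:${NFS_EXPORT}\s+${MOUNTPOINT}\s+nfs" /etc/fstab; then
  # NOTE(review): consider adding nosuid,nodev if nothing on the share needs
  # setuid binaries or device nodes — confirm against the workloads first.
  echo "${NFS_SERVER}:${NFS_EXPORT} ${MOUNTPOINT} nfs defaults,_netdev,proto=tcp,noatime 0 0" >> /etc/fstab
fi
mount -a

log "Joining swarm as WORKER"
# leave any existing swarm membership (idempotent)
# Query the state field directly instead of `docker info | grep -q`: under
# pipefail, grep -q exiting early can make the pipeline report failure, which
# would skip the leave and make the join below fail.
swarm_state="$(docker info --format '{{.Swarm.LocalNodeState}}' 2>/dev/null || true)"
if [[ "$swarm_state" == "active" ]]; then
  # NOTE: --force also lets a manager node leave, discarding its manager
  # state. Run this script on worker hosts only.
  docker swarm leave --force || true
fi

docker swarm join --token "$WORKER_JOIN_TOKEN" "$SWARM_MANAGER_ADDR"

log "Done. Labels can be applied from a manager (e.g., scripts/bs-label-workers.sh)."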