set -Eeuo pipefail

ARCH="$(dpkg --print-architecture)"
if [ "$ARCH" != "amd64" ]; then
  echo "Dieses Skript ist für amd64 gedacht. Gefunden: $ARCH"
  exit 1
fi

BLOCKY_VERSION="v0.29.0"
BLOCKY_TARBALL="blocky_v0.29.0_Linux_x86_64.tar.gz"
BLOCKY_URL="https://github.com/0xERR0R/blocky/releases/download/${BLOCKY_VERSION}/${BLOCKY_TARBALL}"

GO_VERSION="1.26.1"
GO_TARBALL="go1.26.1.linux-amd64.tar.gz"
GO_URL="https://go.dev/dl/${GO_TARBALL}"

NODE_VERSION="v25.9.0"
NODE_TARBALL="node-v25.9.0-linux-x64.tar.xz"
NODE_URL="https://nodejs.org/dist/${NODE_VERSION}/${NODE_TARBALL}"

API_KEY="tarnkappe"

BLOCKY_USER="blocky"
BLOCKY_GROUP="blocky"

BLOCKY_CONFIG_DIR="/etc/blocky"
BLOCKY_DATA_DIR="/var/lib/blocky"
BLOCKY_LOG_DIR="/var/log/blocky"
BLOCKY_BIN="/usr/local/bin/blocky"

VISOR_SRC_DIR="/opt/blocky-visor-src"
VISOR_WEB_DIR="/var/www/blocky-visor"

SIDECAR_DIR="/etc/blocky-visor-sidecar"
SIDECAR_BIN="/usr/local/bin/blocky-visor-sidecar"

NGINX_SITE="/etc/nginx/sites-available/blocky-visor"
NGINX_SITE_ENABLED="/etc/nginx/sites-enabled/blocky-visor"

OLD_DOCKER_STACK_DIR="$HOME/docker/blocky"

DNS_PORT="53"
BLOCKY_HTTP_PORT="4000"
VISOR_PORT="8081"
SIDECAR_PORT="8550"

HOST_SHORT="$(hostname -s)"
HOST_FQDN="$(hostname -f 2>/dev/null || hostname -s)"
RASPI_IP="$(hostname -I 2>/dev/null | awk '{print $1}')"
if [ -z "${RASPI_IP:-}" ]; then
  RASPI_IP="127.0.0.1"
fi

WORK_DIR="/tmp/blocky-native-install"

check_port() {
  local port="$1"
  local out
  out="$(sudo ss -H -tulpn "sport = :$port" 2>/dev/null || true)"
  if [ -n "$out" ]; then
    echo
    echo "Fehler: Port $port ist noch belegt:"
    echo "$out"
    echo
    exit 1
  fi
}

echo "[1/16] In sicheres Arbeitsverzeichnis wechseln ..."
sudo rm -rf "$WORK_DIR" || true
mkdir -p "$WORK_DIR"
cd "$WORK_DIR"

echo "[2/16] Basis-Pakete installieren ..."
sudo apt-get update
sudo apt-get install -y \
  ca-certificates \
  curl \
  git \
  gnupg \
  nginx \
  tar \
  xz-utils \
  build-essential

echo "[3/16] Alte Dienste stoppen ..."
sudo systemctl disable --now blocky.service 2>/dev/null || true
sudo systemctl disable --now blocky-visor-sidecar.service 2>/dev/null || true
sudo systemctl disable --now blocky-docker.service 2>/dev/null || true
sudo systemctl stop nginx 2>/dev/null || true

echo "[4/16] Alte Docker-Reste der bisherigen Blocky-Installation entfernen ..."
if command -v docker >/dev/null 2>&1; then
  if [ -f "$OLD_DOCKER_STACK_DIR/docker-compose.yml" ]; then
    sudo docker compose -f "$OLD_DOCKER_STACK_DIR/docker-compose.yml" down --remove-orphans || true
  fi
  sudo docker rm -f blocky blocky-visor blocky-visor-sidecar 2>/dev/null || true
fi

echo "[5/16] Alte Installation endgültig löschen ..."
rm -rf "$OLD_DOCKER_STACK_DIR" || true
sudo rm -rf "$BLOCKY_CONFIG_DIR" || true
sudo rm -rf "$BLOCKY_DATA_DIR" || true
sudo rm -rf "$BLOCKY_LOG_DIR" || true
sudo rm -rf "$VISOR_SRC_DIR" || true
sudo rm -rf "$VISOR_WEB_DIR" || true
sudo rm -rf "$SIDECAR_DIR" || true
sudo rm -f "$BLOCKY_BIN" || true
sudo rm -f "$SIDECAR_BIN" || true
sudo rm -f /etc/systemd/system/blocky.service || true
sudo rm -f /etc/systemd/system/blocky-visor-sidecar.service || true
sudo rm -f /etc/systemd/system/blocky-docker.service || true
sudo rm -f "$NGINX_SITE" || true
sudo rm -f "$NGINX_SITE_ENABLED" || true
sudo rm -f /etc/nginx/sites-enabled/default || true
sudo rm -f /etc/nginx/sites-available/default || true

echo "[6/16] Alte Go- und Node-Installationen ersetzen ..."
sudo rm -rf /usr/local/go || true
sudo rm -rf /usr/local/lib/nodejs || true
sudo rm -f /usr/local/bin/node /usr/local/bin/npm /usr/local/bin/npx || true

echo "[7/16] Benötigte Ports prüfen ..."
check_port "$DNS_PORT"
check_port "$BLOCKY_HTTP_PORT"
check_port "$VISOR_PORT"
check_port "$SIDECAR_PORT"

echo "[8/16] Benutzer und Verzeichnisse neu anlegen ..."
if ! getent group "$BLOCKY_GROUP" >/dev/null 2>&1; then
  sudo groupadd --system "$BLOCKY_GROUP"
fi

if ! id -u "$BLOCKY_USER" >/dev/null 2>&1; then
  sudo useradd --system \
    --gid "$BLOCKY_GROUP" \
    --home-dir "$BLOCKY_DATA_DIR" \
    --shell /usr/sbin/nologin \
    "$BLOCKY_USER"
fi

sudo install -d -m 0755 "$BLOCKY_CONFIG_DIR"
sudo install -d -o "$BLOCKY_USER" -g "$BLOCKY_GROUP" -m 0755 "$BLOCKY_DATA_DIR"
sudo install -d -o "$BLOCKY_USER" -g "$BLOCKY_GROUP" -m 0755 "$BLOCKY_LOG_DIR"
sudo install -d -m 0755 "$VISOR_SRC_DIR"
sudo install -d -o www-data -g www-data -m 0755 "$VISOR_WEB_DIR"
sudo install -d -m 0755 "$SIDECAR_DIR"

TMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TMP_DIR" "$WORK_DIR"' EXIT

echo "[9/16] Blocky nativ installieren ..."
curl -fsSL "$BLOCKY_URL" -o "$TMP_DIR/$BLOCKY_TARBALL"
tar -xzf "$TMP_DIR/$BLOCKY_TARBALL" -C "$TMP_DIR"
sudo install -m 0755 "$TMP_DIR/blocky" "$BLOCKY_BIN"

echo "[10/16] Go nativ installieren ..."
curl -fsSL "$GO_URL" -o "$TMP_DIR/$GO_TARBALL"
sudo tar -C /usr/local -xzf "$TMP_DIR/$GO_TARBALL"

echo "[11/16] Node.js nativ installieren ..."
curl -fsSL "$NODE_URL" -o "$TMP_DIR/$NODE_TARBALL"
sudo mkdir -p /usr/local/lib/nodejs
sudo tar -xJf "$TMP_DIR/$NODE_TARBALL" -C /usr/local/lib/nodejs
sudo ln -sf "/usr/local/lib/nodejs/node-${NODE_VERSION}-linux-x64/bin/node" /usr/local/bin/node
sudo ln -sf "/usr/local/lib/nodejs/node-${NODE_VERSION}-linux-x64/bin/npm" /usr/local/bin/npm
sudo ln -sf "/usr/local/lib/nodejs/node-${NODE_VERSION}-linux-x64/bin/npx" /usr/local/bin/npx

echo "[12/16] Blocky-Konfiguration schreiben ..."
sudo tee "$BLOCKY_CONFIG_DIR/config.yml" > /dev/null <<'YAML'
upstreams:
  groups:
    default:
      - https://dns.nextdns.io
      - https://dns.adguard-dns.com/dns-query
  strategy: strict
  timeout: 5s

connectIPVersion: v4

bootstrapDns:
  - tcp+udp:9.9.9.9
  - tcp+udp:149.112.112.112
  - tcp+udp:94.140.14.140
  - tcp+udp:94.140.14.141

blocking:
  denylists:
    default:
      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/ultimate-onlydomains.txt
      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro-onlydomains.txt
      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif-onlydomains.txt
      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/popupads-onlydomains.txt
      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/native.amazon-onlydomains.txt
      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/native.winoffice-onlydomains.txt
      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/native.samsung-onlydomains.txt
      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/native.xiaomi-onlydomains.txt
      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/native.oppo-realme-onlydomains.txt
      - https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
      - https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt
      - https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
      - https://raw.githubusercontent.com/d3ward/toolz/master/src/d3host.txt

  clientGroupsBlock:
    default:
      - default

  blockType: zeroIp
  blockTTL: 1m

  loading:
    refreshPeriod: 24h
    concurrency: 2
    downloads:
      timeout: 60s
      readTimeout: 120s
      writeTimeout: 120s
      attempts: 3
      cooldown: 2s

ports:
  dns: 53
  http: 4000

prometheus:
  enable: true
  path: /metrics

queryLog:
  type: csv
  target: /var/log/blocky
  logRetentionDays: 7
  flushInterval: 30s

log:
  level: info
YAML

sudo chown root:root "$BLOCKY_CONFIG_DIR/config.yml"
sudo chmod 0644 "$BLOCKY_CONFIG_DIR/config.yml"

echo "[13/16] Blocky systemd-Service anlegen ..."
sudo tee /etc/systemd/system/blocky.service > /dev/null <<UNIT
[Unit]
Description=Blocky DNS proxy and ad blocker
After=network-online.target
Wants=network-online.target

[Service]
User=$BLOCKY_USER
Group=$BLOCKY_GROUP
WorkingDirectory=$BLOCKY_DATA_DIR
ExecStart=$BLOCKY_BIN --config $BLOCKY_CONFIG_DIR/config.yml
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
Restart=on-failure
RestartSec=5s
ReadWritePaths=$BLOCKY_LOG_DIR $BLOCKY_DATA_DIR
ProtectSystem=full
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
UNIT

echo "[14/16] Visor nativ bauen und über nginx ausliefern ..."
sudo git clone --depth 1 https://github.com/JCHHeilmann/blocky-visor.git "$VISOR_SRC_DIR"
cd "$VISOR_SRC_DIR"
sudo /usr/local/bin/npm install
sudo /usr/local/bin/npm run build
sudo rm -rf "$VISOR_WEB_DIR"/*
sudo cp -a "$VISOR_SRC_DIR/build/." "$VISOR_WEB_DIR/"
sudo chown -R www-data:www-data "$VISOR_WEB_DIR"

sudo tee "$NGINX_SITE" > /dev/null <<NGINX
server {
    listen $VISOR_PORT;
    server_name _;

    root $VISOR_WEB_DIR;
    index index.html;

    location / {
        try_files \$uri \$uri/ /index.html;
    }
}
NGINX

sudo ln -sf "$NGINX_SITE" "$NGINX_SITE_ENABLED"

echo "[15/16] Nativen Sidecar bauen und konfigurieren ..."
cd "$VISOR_SRC_DIR/sidecar"
sudo /usr/local/go/bin/go build -o "$SIDECAR_BIN" .
sudo chmod 0755 "$SIDECAR_BIN"

sudo tee "$SIDECAR_DIR/config.yaml" > /dev/null <<YAML
listen: ":$SIDECAR_PORT"
api_key: "$API_KEY"

cors_origins:
  - http://localhost:$VISOR_PORT
  - http://127.0.0.1:$VISOR_PORT
  - http://$RASPI_IP:$VISOR_PORT
  - http://$HOST_SHORT:$VISOR_PORT
  - http://$HOST_FQDN:$VISOR_PORT
  - http://$HOST_SHORT.local:$VISOR_PORT

blocky:
  dir: $BLOCKY_CONFIG_DIR
  service_name: blocky
  config_path: $BLOCKY_CONFIG_DIR/config.yml
  log_dir: $BLOCKY_LOG_DIR
YAML

sudo chmod 0644 "$SIDECAR_DIR/config.yaml"

sudo tee /etc/systemd/system/blocky-visor-sidecar.service > /dev/null <<UNIT
[Unit]
Description=Blocky Visor Sidecar
After=network-online.target blocky.service
Wants=network-online.target

[Service]
Type=simple
WorkingDirectory=$SIDECAR_DIR
ExecStart=$SIDECAR_BIN
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
UNIT

echo "[16/16] Dienste starten ..."
sudo nginx -t
sudo systemctl daemon-reload
sudo systemctl enable --now blocky.service
sudo systemctl enable --now nginx
sudo systemctl restart nginx
sudo systemctl enable --now blocky-visor-sidecar.service

sleep 5

echo
echo "=================================================================="
echo "FERTIG"
echo "=================================================================="
echo "Host-IP:             $RASPI_IP"
echo "Blocky DNS:          $RASPI_IP:$DNS_PORT"
echo "Blocky API:          http://$RASPI_IP:$BLOCKY_HTTP_PORT"
echo "Blocky Metrics:      http://$RASPI_IP:$BLOCKY_HTTP_PORT/metrics"
echo "Blocky Visor:        http://$RASPI_IP:$VISOR_PORT"
echo "Visor Sidecar:       http://$RASPI_IP:$SIDECAR_PORT"
echo "Sidecar API-Key:     $API_KEY"
echo "=================================================================="