#!/usr/bin/env bash
set -Eeuo pipefail

###############################################################################
# bootstrap-backup-env.sh
#
# Prépare un environnement de déploiement pour :
#   - backup-vaultwarden.sh
#   - check-storage.sh
#   - check-statut-recette.sh
#   - backup-bdd-recette.sh
#   - rebuild-bdd-recette.sh
#
# Fonctionnalités :
#   - idempotent : relançable sans erreur ;
#   - installation / mise à jour des dépendances ;
#   - création des dossiers ;
#   - permissions ;
#   - génération des clés SSH si absentes ;
#   - récupération depuis un dépôt Git privé volumineux via sparse-checkout ;
#   - mise à jour du .env ;
#   - injection des valeurs sensibles dans le .env si fournies ;
#   - ajout automatique de la clé publique backup sur le serveur distant
#     si un accès SSH bootstrap est disponible ;
#   - questions interactives si lancé en local et que des variables obligatoires
#     sont absentes ;
#   - génération d'un fichier scripts.json pour un futur affichage web ;
#   - exécutable en local ou envoyé via SSH sur un serveur distant.
###############################################################################

#######################################
# Valeurs par défaut
#######################################
REPO_URL=""
REPO_BRANCH="main"
REPO_SUBDIR=""
INSTALL_DIR="/opt/malio-backup"
DEPLOY_USER="${SUDO_USER:-${USER}}"
DEPLOY_GROUP=""
ENV_FILE_NAME=".env"

GIT_DIR_NAME="repo"
SCRIPTS_DIR_NAME="scripts"
CONFIG_DIR_NAME="config"
LOG_DIR_NAME="logs"
DATA_DIR_NAME="data"
TMP_DIR_NAME="tmp"
SSH_DIR_NAME="ssh"

BACKUP_SSH_KEY_NAME="id_ed25519_backup"
REPO_SSH_KEY_NAME="id_ed25519_repo"

FORCE_CHOWN="false"
NON_INTERACTIVE="false"

# Paramètres fonctionnels
ENV_NAME="RECETTE"
PGHOST="localhost"
PGPORT="5432"
PGUSER_VALUE=""
PGPASSWORD_VALUE=""
DBS_VALUE="sirh inventory ferme"

BACKUP_REMOTE_USER="backup"
BACKUP_REMOTE_HOST=""
BACKUP_REMOTE_DIR="/home/backup/backups/bdd-recette"
SSH_CONNECT_TIMEOUT="10"
RETENTION_DAYS="10"

DISCORD_WEBHOOK_URL_VALUE=""
DISCORD_PING_VALUE=""
WEBHOOK_URL_VALUE=""
VAULTWARDEN_DATA_DIR_VALUE="/var/lib/vaultwarden"
CHECK_STORAGE_PATHS_VALUE="/ /var /home"

APP_1_NAME_VALUE="ferme"
APP_1_URL_VALUE="https://ferme.malio-dev.fr"
APP_2_NAME_VALUE="sirh"
APP_2_URL_VALUE="https://sirh.malio-dev.fr"
APP_3_NAME_VALUE="inventory"
APP_3_URL_VALUE="https://inventory.malio-dev.fr"

# Bootstrap SSH vers le serveur de destination
BOOTSTRAP_SSH_USER=""
BOOTSTRAP_SSH_PORT="22"
BOOTSTRAP_SSH_KEY=""
BOOTSTRAP_SSH_STRICT="accept-new"
INSTALL_BACKUP_KEY_ON_REMOTE="true"

#######################################
# Scripts attendus
#######################################
EXPECTED_SCRIPTS=(
  "backup-vaultwarden.sh"
  "check-storage.sh"
  "check-statut-recette.sh"
  "backup-bdd-recette.sh"
  "rebuild-bdd-recette.sh"
)

#######################################
# Journalisation
#######################################
timestamp() {
  date '+%Y-%m-%d %H:%M:%S'
}

log() {
  echo "[$(timestamp)] [INFO] $*"
}

warn() {
  echo "[$(timestamp)] [WARN] $*" >&2
}

err() {
  echo "[$(timestamp)] [ERROR] $*" >&2
}

die() {
  err "$*"
  exit 1
}

#######################################
# Gestion erreurs
#######################################
on_error() {
  local exit_code=$?
  err "Échec ligne ${BASH_LINENO[0]} : ${BASH_COMMAND}"
  exit "$exit_code"
}
trap on_error ERR

#######################################
# Aide
#######################################
usage() {
  cat <<'EOF'
Usage:
  bootstrap-backup-env.sh [options]

Options dépôt :
  --repo-url URL
  --repo-branch BRANCH
  --repo-subdir PATH

Options installation :
  --install-dir PATH
  --deploy-user USER
  --deploy-group GROUP
  --env-file-name NAME
  --force-chown true|false
  --non-interactive true|false

Options configuration applicative :
  --env-name NAME
  --pghost HOST
  --pgport PORT
  --pguser USER
  --pgpassword PASSWORD
  --dbs "sirh inventory ferme"
  --backup-remote-user USER
  --backup-remote-host HOST
  --backup-remote-dir PATH
  --ssh-connect-timeout SECONDS
  --retention-days DAYS
  --discord-webhook-url URL
  --discord-ping VALUE
  --webhook-url URL
  --vaultwarden-data-dir PATH
  --check-storage-paths "/ /var /home"
  --app-1-name NAME
  --app-1-url URL
  --app-2-name NAME
  --app-2-url URL
  --app-3-name NAME
  --app-3-url URL

Options bootstrap SSH distant :
  --bootstrap-ssh-user USER
  --bootstrap-ssh-port PORT
  --bootstrap-ssh-key PATH
  --bootstrap-ssh-strict accept-new|yes|no
  --install-backup-key-on-remote true|false

Divers :
  --help

Notes :
  - si le script est lancé localement en mode interactif, il posera les
    questions nécessaires pour compléter les champs obligatoires ;
  - la clé publique backup peut être installée automatiquement sur le serveur
    distant uniquement si un accès SSH bootstrap existe déjà ;
  - le .env peut être rempli automatiquement si les valeurs sont passées en
    arguments ou via variables d'environnement avant exécution.
EOF
}

#######################################
# Parsing arguments
#######################################
while [[ $# -gt 0 ]]; do
  case "$1" in
    --repo-url) REPO_URL="${2:-}"; shift 2 ;;
    --repo-branch) REPO_BRANCH="${2:-}"; shift 2 ;;
    --repo-subdir) REPO_SUBDIR="${2:-}"; shift 2 ;;
    --install-dir) INSTALL_DIR="${2:-}"; shift 2 ;;
    --deploy-user) DEPLOY_USER="${2:-}"; shift 2 ;;
    --deploy-group) DEPLOY_GROUP="${2:-}"; shift 2 ;;
    --env-file-name) ENV_FILE_NAME="${2:-}"; shift 2 ;;
    --force-chown) FORCE_CHOWN="${2:-}"; shift 2 ;;
    --non-interactive) NON_INTERACTIVE="${2:-}"; shift 2 ;;

    --env-name) ENV_NAME="${2:-}"; shift 2 ;;
    --pghost) PGHOST="${2:-}"; shift 2 ;;
    --pgport) PGPORT="${2:-}"; shift 2 ;;
    --pguser) PGUSER_VALUE="${2:-}"; shift 2 ;;
    --pgpassword) PGPASSWORD_VALUE="${2:-}"; shift 2 ;;
    --dbs) DBS_VALUE="${2:-}"; shift 2 ;;
    --backup-remote-user) BACKUP_REMOTE_USER="${2:-}"; shift 2 ;;
    --backup-remote-host) BACKUP_REMOTE_HOST="${2:-}"; shift 2 ;;
    --backup-remote-dir) BACKUP_REMOTE_DIR="${2:-}"; shift 2 ;;
    --ssh-connect-timeout) SSH_CONNECT_TIMEOUT="${2:-}"; shift 2 ;;
    --retention-days) RETENTION_DAYS="${2:-}"; shift 2 ;;
    --discord-webhook-url) DISCORD_WEBHOOK_URL_VALUE="${2:-}"; shift 2 ;;
    --discord-ping) DISCORD_PING_VALUE="${2:-}"; shift 2 ;;
    --webhook-url) WEBHOOK_URL_VALUE="${2:-}"; shift 2 ;;
    --vaultwarden-data-dir) VAULTWARDEN_DATA_DIR_VALUE="${2:-}"; shift 2 ;;
    --check-storage-paths) CHECK_STORAGE_PATHS_VALUE="${2:-}"; shift 2 ;;
    --app-1-name) APP_1_NAME_VALUE="${2:-}"; shift 2 ;;
    --app-1-url) APP_1_URL_VALUE="${2:-}"; shift 2 ;;
    --app-2-name) APP_2_NAME_VALUE="${2:-}"; shift 2 ;;
    --app-2-url) APP_2_URL_VALUE="${2:-}"; shift 2 ;;
    --app-3-name) APP_3_NAME_VALUE="${2:-}"; shift 2 ;;
    --app-3-url) APP_3_URL_VALUE="${2:-}"; shift 2 ;;

    --bootstrap-ssh-user) BOOTSTRAP_SSH_USER="${2:-}"; shift 2 ;;
    --bootstrap-ssh-port) BOOTSTRAP_SSH_PORT="${2:-}"; shift 2 ;;
    --bootstrap-ssh-key) BOOTSTRAP_SSH_KEY="${2:-}"; shift 2 ;;
    --bootstrap-ssh-strict) BOOTSTRAP_SSH_STRICT="${2:-}"; shift 2 ;;
    --install-backup-key-on-remote) INSTALL_BACKUP_KEY_ON_REMOTE="${2:-}"; shift 2 ;;

    --help|-h) usage; exit 0 ;;
    *) die "Option inconnue : $1" ;;
  esac
done

#######################################
# Surcharge par variables d'environnement
#######################################
PGPASSWORD_VALUE="${PGPASSWORD_VALUE:-${PGPASSWORD:-}}"
DISCORD_WEBHOOK_URL_VALUE="${DISCORD_WEBHOOK_URL_VALUE:-${DISCORD_WEBHOOK_URL:-}}"
DISCORD_PING_VALUE="${DISCORD_PING_VALUE:-${DISCORD_PING:-}}"
WEBHOOK_URL_VALUE="${WEBHOOK_URL_VALUE:-${WEBHOOK_URL:-}}"

#######################################
# Détection mode interactif local
#######################################
is_interactive() {
  [[ -t 0 && -t 1 && "${NON_INTERACTIVE}" != "true" ]]
}

#######################################
# Questions interactives
#######################################
prompt_value() {
  local var_name="$1"
  local prompt_label="$2"
  local default_value="${3:-}"
  local secret="${4:-false}"
  local required="${5:-false}"

  local current_value
  current_value="${!var_name:-}"

  if [[ -n "$current_value" ]]; then
    return 0
  fi

  if ! is_interactive; then
    if [[ "$required" == "true" ]]; then
      die "Valeur obligatoire manquante : ${var_name}. Fournissez-la en argument ou variable d'environnement."
    fi
    return 0
  fi

  local input=""
  while true; do
    if [[ "$secret" == "true" ]]; then
      if [[ -n "$default_value" ]]; then
        read -r -s -p "${prompt_label} [valeur masquée, Entrée pour conserver la valeur par défaut] : " input
      else
        read -r -s -p "${prompt_label} : " input
      fi
      echo
    else
      if [[ -n "$default_value" ]]; then
        read -r -p "${prompt_label} [${default_value}] : " input
      else
        read -r -p "${prompt_label} : " input
      fi
    fi

    if [[ -z "$input" && -n "$default_value" ]]; then
      input="$default_value"
    fi

    if [[ "$required" == "true" && -z "$input" ]]; then
      warn "Cette valeur est obligatoire."
      continue
    fi

    printf -v "$var_name" '%s' "$input"
    break
  done
}

ask_required_local_configuration() {
  if ! is_interactive; then
    return 0
  fi

  log "Mode interactif local détecté : collecte des données obligatoires."

  prompt_value REPO_URL "URL SSH du dépôt Git privé" "$REPO_URL" false true
  prompt_value REPO_BRANCH "Branche Git" "$REPO_BRANCH" false true
  prompt_value REPO_SUBDIR "Sous-dossier du dépôt contenant les scripts" "$REPO_SUBDIR" false true
  prompt_value INSTALL_DIR "Répertoire d'installation" "$INSTALL_DIR" false true
  prompt_value DEPLOY_USER "Utilisateur propriétaire du déploiement" "$DEPLOY_USER" false true

  if [[ -z "$DEPLOY_GROUP" ]]; then
    local deploy_group_default=""
    if id "$DEPLOY_USER" >/dev/null 2>&1; then
      deploy_group_default="$(id -gn "$DEPLOY_USER")"
    fi
    prompt_value DEPLOY_GROUP "Groupe propriétaire" "$deploy_group_default" false true
  fi

  prompt_value ENV_NAME "Nom de l'environnement" "$ENV_NAME" false true
  prompt_value PGHOST "Host PostgreSQL" "$PGHOST" false true
  prompt_value PGPORT "Port PostgreSQL" "$PGPORT" false true

  if [[ -z "$PGUSER_VALUE" ]]; then
    prompt_value PGUSER_VALUE "Utilisateur PostgreSQL" "$DEPLOY_USER" false true
  fi

  prompt_value PGPASSWORD_VALUE "Mot de passe PostgreSQL (PGPASSWORD)" "" true true
  prompt_value DBS_VALUE "Bases PostgreSQL à gérer (séparées par des espaces)" "$DBS_VALUE" false true

  prompt_value BACKUP_REMOTE_USER "Utilisateur du serveur de sauvegarde" "$BACKUP_REMOTE_USER" false true
  prompt_value BACKUP_REMOTE_HOST "Host/IP du serveur de sauvegarde" "$BACKUP_REMOTE_HOST" false true
  prompt_value BACKUP_REMOTE_DIR "Répertoire distant de sauvegarde" "$BACKUP_REMOTE_DIR" false true

  prompt_value SSH_CONNECT_TIMEOUT "Timeout SSH en secondes" "$SSH_CONNECT_TIMEOUT" false true
  prompt_value RETENTION_DAYS "Rétention en jours" "$RETENTION_DAYS" false true

  prompt_value VAULTWARDEN_DATA_DIR_VALUE "Répertoire des données Vaultwarden" "$VAULTWARDEN_DATA_DIR_VALUE" false true
  prompt_value CHECK_STORAGE_PATHS_VALUE "Chemins à surveiller pour le stockage" "$CHECK_STORAGE_PATHS_VALUE" false true

  prompt_value APP_1_NAME_VALUE "Nom application 1" "$APP_1_NAME_VALUE" false true
  prompt_value APP_1_URL_VALUE "URL application 1" "$APP_1_URL_VALUE" false true
  prompt_value APP_2_NAME_VALUE "Nom application 2" "$APP_2_NAME_VALUE" false true
  prompt_value APP_2_URL_VALUE "URL application 2" "$APP_2_URL_VALUE" false true
  prompt_value APP_3_NAME_VALUE "Nom application 3" "$APP_3_NAME_VALUE" false true
  prompt_value APP_3_URL_VALUE "URL application 3" "$APP_3_URL_VALUE" false true

  prompt_value DISCORD_WEBHOOK_URL_VALUE "Discord webhook URL (optionnel)" "$DISCORD_WEBHOOK_URL_VALUE" true false
  prompt_value DISCORD_PING_VALUE "Discord ping (optionnel)" "$DISCORD_PING_VALUE" false false
  prompt_value WEBHOOK_URL_VALUE "Webhook URL générique (optionnel)" "$WEBHOOK_URL_VALUE" true false

  if [[ "$INSTALL_BACKUP_KEY_ON_REMOTE" == "true" ]]; then
    prompt_value BOOTSTRAP_SSH_USER "Utilisateur SSH bootstrap pour installer la clé distante" "${BOOTSTRAP_SSH_USER:-$BACKUP_REMOTE_USER}" false true
    prompt_value BOOTSTRAP_SSH_PORT "Port SSH bootstrap" "$BOOTSTRAP_SSH_PORT" false true
    prompt_value BOOTSTRAP_SSH_KEY "Chemin de la clé SSH bootstrap (optionnel si agent SSH ou accès existant)" "$BOOTSTRAP_SSH_KEY" false false
  fi
}

#######################################
# Vérifications initiales
#######################################
validate_required_values() {
  [[ -n "$REPO_URL" ]] || die "L'option --repo-url est obligatoire."
  [[ -n "$REPO_SUBDIR" ]] || die "L'option --repo-subdir est obligatoire."
  [[ -n "$BACKUP_REMOTE_HOST" ]] || die "L'option --backup-remote-host est obligatoire."
  [[ -n "$DEPLOY_USER" ]] || die "L'utilisateur de déploiement est obligatoire."

  if ! id "$DEPLOY_USER" >/dev/null 2>&1; then
    die "Utilisateur inexistant : $DEPLOY_USER"
  fi

  if [[ -z "$DEPLOY_GROUP" ]]; then
    DEPLOY_GROUP="$(id -gn "$DEPLOY_USER")"
  fi

  if [[ -z "$PGUSER_VALUE" ]]; then
    PGUSER_VALUE="$DEPLOY_USER"
  fi
}

#######################################
# Chemins calculés
#######################################
compute_paths() {
  BASE_DIR="$INSTALL_DIR"
  REPO_DIR="$BASE_DIR/$GIT_DIR_NAME"
  APP_SCRIPTS_DIR="$BASE_DIR/$SCRIPTS_DIR_NAME"
  CONFIG_DIR="$BASE_DIR/$CONFIG_DIR_NAME"
  LOG_DIR="$BASE_DIR/$LOG_DIR_NAME"
  DATA_DIR="$BASE_DIR/$DATA_DIR_NAME"
  TMP_DIR="$BASE_DIR/$TMP_DIR_NAME"
  APP_SSH_DIR="$BASE_DIR/$SSH_DIR_NAME"
  ENV_FILE="$BASE_DIR/$ENV_FILE_NAME"
  SCRIPTS_JSON="$CONFIG_DIR/scripts.json"

  BACKUP_SSH_KEY="$APP_SSH_DIR/$BACKUP_SSH_KEY_NAME"
  REPO_SSH_KEY="$APP_SSH_DIR/$REPO_SSH_KEY_NAME"
}

#######################################
# Wrapper sudo
#######################################
run_root() {
  if [[ "$(id -u)" -eq 0 ]]; then
    "$@"
  else
    sudo "$@"
  fi
}

run_as_deploy_user() {
  if [[ "$(id -un)" == "$DEPLOY_USER" ]]; then
    "$@"
  else
    run_root sudo -u "$DEPLOY_USER" -H "$@"
  fi
}

#######################################
# Détection package manager
#######################################
detect_pkg_manager() {
  if command -v apt-get >/dev/null 2>&1; then
    echo "apt"
  elif command -v dnf >/dev/null 2>&1; then
    echo "dnf"
  elif command -v yum >/dev/null 2>&1; then
    echo "yum"
  elif command -v apk >/dev/null 2>&1; then
    echo "apk"
  elif command -v pacman >/dev/null 2>&1; then
    echo "pacman"
  else
    echo ""
  fi
}

install_packages() {
  local packages=("$@")
  [[ ${#packages[@]} -gt 0 ]] || return 0

  case "$PKG_MANAGER" in
    apt)
      run_root apt-get update -y
      run_root apt-get install -y "${packages[@]}"
      ;;
    dnf)
      run_root dnf install -y "${packages[@]}"
      ;;
    yum)
      run_root yum install -y "${packages[@]}"
      ;;
    apk)
      run_root apk add --no-cache "${packages[@]}"
      ;;
    pacman)
      run_root pacman -Sy --noconfirm "${packages[@]}"
      ;;
    *)
      die "Package manager non géré : $PKG_MANAGER"
      ;;
  esac
}

ensure_cmd() {
  local cmd="$1"
  shift
  local packages=("$@")

  if command -v "$cmd" >/dev/null 2>&1; then
    log "Dépendance OK : $cmd"
  else
    warn "Dépendance absente : $cmd"
    install_packages "${packages[@]}"
  fi
}

install_dependencies() {
  case "$PKG_MANAGER" in
    apt)
      ensure_cmd git git
      ensure_cmd ssh openssh-client
      ensure_cmd ssh-keygen openssh-client
      ensure_cmd rsync rsync
      ensure_cmd curl curl
      ensure_cmd jq jq
      ensure_cmd psql postgresql-client
      install_packages ca-certificates
      ;;
    dnf|yum)
      ensure_cmd git git
      ensure_cmd ssh openssh-clients
      ensure_cmd ssh-keygen openssh-clients
      ensure_cmd rsync rsync
      ensure_cmd curl curl
      ensure_cmd jq jq
      ensure_cmd psql postgresql
      install_packages ca-certificates
      ;;
    apk)
      ensure_cmd git git
      ensure_cmd ssh openssh-client
      ensure_cmd ssh-keygen openssh-keygen
      ensure_cmd rsync rsync
      ensure_cmd curl curl
      ensure_cmd jq jq
      ensure_cmd psql postgresql-client
      install_packages ca-certificates
      ;;
    pacman)
      ensure_cmd git git
      ensure_cmd ssh openssh
      ensure_cmd ssh-keygen openssh
      ensure_cmd rsync rsync
      ensure_cmd curl curl
      ensure_cmd jq jq
      ensure_cmd psql postgresql-libs
      install_packages ca-certificates
      ;;
  esac
}

#######################################
# Création dossiers
#######################################
ensure_dir() {
  local dir="$1"
  local mode="$2"

  run_root mkdir -p "$dir"
  run_root chmod "$mode" "$dir"
}

prepare_directories() {
  ensure_dir "$BASE_DIR" 0755
  ensure_dir "$REPO_DIR" 0755
  ensure_dir "$APP_SCRIPTS_DIR" 0750
  ensure_dir "$CONFIG_DIR" 0750
  ensure_dir "$LOG_DIR" 0750
  ensure_dir "$DATA_DIR" 0750
  ensure_dir "$TMP_DIR" 0750
  ensure_dir "$APP_SSH_DIR" 0700
}

#######################################
# Permissions
#######################################
apply_ownership() {
  if [[ "$FORCE_CHOWN" == "true" ]]; then
    run_root chown -R "${DEPLOY_USER}:${DEPLOY_GROUP}" "$BASE_DIR"
  else
    run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" \
      "$BASE_DIR" "$REPO_DIR" "$APP_SCRIPTS_DIR" "$CONFIG_DIR" \
      "$LOG_DIR" "$DATA_DIR" "$TMP_DIR" "$APP_SSH_DIR"
  fi
}

#######################################
# SSH
#######################################
ensure_ssh_keypair() {
  local private_key="$1"
  local comment="$2"

  if [[ -f "$private_key" && -f "${private_key}.pub" ]]; then
    log "Clé SSH déjà présente : $private_key"
    run_root chmod 600 "$private_key"
    run_root chmod 644 "${private_key}.pub"
    run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$private_key" "${private_key}.pub"
    return 0
  fi

  log "Génération de la clé SSH : $private_key"
  run_root ssh-keygen -t ed25519 -N "" -C "$comment" -f "$private_key" >/dev/null
  run_root chmod 600 "$private_key"
  run_root chmod 644 "${private_key}.pub"
  run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$private_key" "${private_key}.pub"
}

build_bootstrap_ssh_cmd() {
  local target="$1"
  local -a cmd=(ssh -p "$BOOTSTRAP_SSH_PORT" -o "StrictHostKeyChecking=$BOOTSTRAP_SSH_STRICT")

  if [[ -n "$BOOTSTRAP_SSH_KEY" ]]; then
    cmd+=(-i "$BOOTSTRAP_SSH_KEY" -o IdentitiesOnly=yes)
  fi

  cmd+=("$target")
  printf '%q ' "${cmd[@]}"
}

install_backup_key_on_remote() {
  [[ "$INSTALL_BACKUP_KEY_ON_REMOTE" == "true" ]] || {
    log "Installation de la clé backup sur le serveur distant désactivée."
    return 0
  }

  [[ -n "$BACKUP_REMOTE_HOST" ]] || {
    warn "BACKUP_REMOTE_HOST vide, installation de la clé distante ignorée."
    return 0
  }

  local bootstrap_user="${BOOTSTRAP_SSH_USER:-$BACKUP_REMOTE_USER}"
  local remote_target="${bootstrap_user}@${BACKUP_REMOTE_HOST}"
  local remote_auth_user="$BACKUP_REMOTE_USER"
  local pubkey

  pubkey="$(run_root cat "${BACKUP_SSH_KEY}.pub")"

  log "Tentative d'installation de la clé publique backup sur ${remote_auth_user}@${BACKUP_REMOTE_HOST}"

  local ssh_cmd
  ssh_cmd="$(build_bootstrap_ssh_cmd "$remote_target")"

  if ! eval "$ssh_cmd" "true" >/dev/null 2>&1; then
    warn "Accès SSH bootstrap indisponible vers ${remote_target}. Clé backup non installée automatiquement."
    return 0
  fi

  local escaped_pubkey
  escaped_pubkey="$(printf '%q' "$pubkey")"

  eval "$ssh_cmd" "sudo -u '$remote_auth_user' sh -c '
    set -eu
    umask 077
    mkdir -p ~/.ssh
    touch ~/.ssh/authorized_keys
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
    grep -qxF $escaped_pubkey ~/.ssh/authorized_keys || printf \"%s\n\" $escaped_pubkey >> ~/.ssh/authorized_keys
  '" >/dev/null

  log "Clé publique backup installée / vérifiée sur ${remote_auth_user}@${BACKUP_REMOTE_HOST}"
}

#######################################
# .env
#######################################
ensure_env_file() {
  if [[ ! -f "$ENV_FILE" ]]; then
    log "Création du fichier : $ENV_FILE"
    run_root touch "$ENV_FILE"
  fi

  run_root chmod 0640 "$ENV_FILE"
  run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$ENV_FILE"
}

set_env_value() {
  local key="$1"
  local value="$2"
  local escaped

  escaped="$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')"

  if run_root grep -qE "^${key}=" "$ENV_FILE"; then
    run_root sed -i "s/^${key}=.*/${key}=${escaped}/" "$ENV_FILE"
  else
    printf '%s=%s\n' "$key" "$value" | run_root tee -a "$ENV_FILE" >/dev/null
  fi
}

update_env_defaults() {
  set_env_value "ENV_NAME" "$ENV_NAME"

  set_env_value "BASE_DIR" "$BASE_DIR"
  set_env_value "SCRIPTS_DIR" "$APP_SCRIPTS_DIR"
  set_env_value "CONFIG_DIR" "$CONFIG_DIR"
  set_env_value "LOG_DIR" "$LOG_DIR"
  set_env_value "DATA_DIR" "$DATA_DIR"
  set_env_value "TMP_DIR" "$TMP_DIR"

  set_env_value "SSH_DIR" "$APP_SSH_DIR"
  set_env_value "SSH_KEY" "$BACKUP_SSH_KEY"
  set_env_value "REPO_SSH_KEY" "$REPO_SSH_KEY"

  set_env_value "PGHOST" "$PGHOST"
  set_env_value "PGPORT" "$PGPORT"
  set_env_value "PGUSER" "$PGUSER_VALUE"
  set_env_value "PGPASSWORD" "${PGPASSWORD_VALUE:-change_me}"
  set_env_value "DBS" "\"$DBS_VALUE\""

  set_env_value "BACKUP_REMOTE_USER" "$BACKUP_REMOTE_USER"
  set_env_value "BACKUP_REMOTE_HOST" "$BACKUP_REMOTE_HOST"
  set_env_value "BACKUP_REMOTE_DIR" "$BACKUP_REMOTE_DIR"

  set_env_value "SSH_CONNECT_TIMEOUT" "$SSH_CONNECT_TIMEOUT"
  set_env_value "RETENTION_DAYS" "$RETENTION_DAYS"

  set_env_value "DISCORD_WEBHOOK_URL" "$DISCORD_WEBHOOK_URL_VALUE"
  set_env_value "DISCORD_PING" "$DISCORD_PING_VALUE"
  set_env_value "WEBHOOK_URL" "$WEBHOOK_URL_VALUE"

  set_env_value "VAULTWARDEN_DATA_DIR" "$VAULTWARDEN_DATA_DIR_VALUE"
  set_env_value "CHECK_STORAGE_PATHS" "\"$CHECK_STORAGE_PATHS_VALUE\""

  set_env_value "APP_1_NAME" "$APP_1_NAME_VALUE"
  set_env_value "APP_1_URL" "$APP_1_URL_VALUE"
  set_env_value "APP_2_NAME" "$APP_2_NAME_VALUE"
  set_env_value "APP_2_URL" "$APP_2_URL_VALUE"
  set_env_value "APP_3_NAME" "$APP_3_NAME_VALUE"
  set_env_value "APP_3_URL" "$APP_3_URL_VALUE"
}

#######################################
# Git privé + sparse checkout
#######################################
write_git_ssh_wrapper() {
  local wrapper="$TMP_DIR/git_ssh_wrapper.sh"

  cat > /tmp/.git_ssh_wrapper.$$ <<EOF
#!/usr/bin/env bash
exec ssh -i "$REPO_SSH_KEY" -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new "\$@"
EOF

  run_root mv /tmp/.git_ssh_wrapper.$$ "$wrapper"
  run_root chmod 0700 "$wrapper"
  run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$wrapper"

  echo "$wrapper"
}

sync_repo() {
  local wrapper
  wrapper="$(write_git_ssh_wrapper)"

  if [[ ! -d "$REPO_DIR/.git" ]]; then
    log "Clone initial du dépôt"
    run_root rm -rf "$REPO_DIR"
    run_root mkdir -p "$REPO_DIR"
    run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$REPO_DIR"

    run_as_deploy_user env GIT_SSH_COMMAND="$wrapper" \
      git clone \
      --filter=blob:none \
      --no-checkout \
      --branch "$REPO_BRANCH" \
      "$REPO_URL" \
      "$REPO_DIR"

    run_as_deploy_user git -C "$REPO_DIR" sparse-checkout init --cone
    run_as_deploy_user git -C "$REPO_DIR" sparse-checkout set "$REPO_SUBDIR"
    run_as_deploy_user git -C "$REPO_DIR" checkout "$REPO_BRANCH"
  else
    log "Mise à jour du dépôt existant"
    run_as_deploy_user git -C "$REPO_DIR" remote set-url origin "$REPO_URL"
    run_as_deploy_user git -C "$REPO_DIR" sparse-checkout init --cone || true
    run_as_deploy_user git -C "$REPO_DIR" sparse-checkout set "$REPO_SUBDIR"
    run_as_deploy_user env GIT_SSH_COMMAND="$wrapper" \
      git -C "$REPO_DIR" fetch origin "$REPO_BRANCH" --depth=1
    run_as_deploy_user git -C "$REPO_DIR" checkout "$REPO_BRANCH"
    run_as_deploy_user git -C "$REPO_DIR" reset --hard "origin/$REPO_BRANCH"
    run_as_deploy_user git -C "$REPO_DIR" clean -fd
  fi
}

#######################################
# Déploiement scripts
#######################################
deploy_scripts() {
  local source_dir="$REPO_DIR/$REPO_SUBDIR"
  [[ -d "$source_dir" ]] || die "Sous-dossier introuvable : $source_dir"

  local script
  for script in "${EXPECTED_SCRIPTS[@]}"; do
    [[ -f "$source_dir/$script" ]] || die "Script manquant dans le dépôt : $source_dir/$script"
  done

  for script in "${EXPECTED_SCRIPTS[@]}"; do
    log "Déploiement : $script"
    run_root install -m 0750 -o "$DEPLOY_USER" -g "$DEPLOY_GROUP" \
      "$source_dir/$script" "$APP_SCRIPTS_DIR/$script"
  done
}

verify_scripts() {
  local script
  for script in "${EXPECTED_SCRIPTS[@]}"; do
    [[ -f "$APP_SCRIPTS_DIR/$script" ]] || die "Script absent après déploiement : $APP_SCRIPTS_DIR/$script"
    [[ -x "$APP_SCRIPTS_DIR/$script" ]] || die "Script non exécutable : $APP_SCRIPTS_DIR/$script"
  done
}

#######################################
# Configuration web
#######################################
generate_scripts_json() {
  local tmp_json
  tmp_json="$(mktemp)"

  cat > "$tmp_json" <<EOF
{
  "generated_at": "$(date -Iseconds)",
  "base_dir": "$BASE_DIR",
  "env_file": "$ENV_FILE",
  "scripts": [
    {
      "id": "backup-vaultwarden",
      "label": "Backup Vaultwarden",
      "path": "$APP_SCRIPTS_DIR/backup-vaultwarden.sh",
      "web_enabled": true,
      "params": [
        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
        { "name": "dry_run", "type": "boolean", "required": false, "default": false },
        { "name": "json", "type": "boolean", "required": false, "default": true }
      ]
    },
    {
      "id": "check-storage",
      "label": "Vérification stockage",
      "path": "$APP_SCRIPTS_DIR/check-storage.sh",
      "web_enabled": true,
      "params": [
        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
        { "name": "verbose", "type": "boolean", "required": false, "default": false },
        { "name": "json", "type": "boolean", "required": false, "default": true }
      ]
    },
    {
      "id": "check-statut-recette",
      "label": "Vérification statut recette",
      "path": "$APP_SCRIPTS_DIR/check-statut-recette.sh",
      "web_enabled": true,
      "params": [
        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
        { "name": "timeout", "type": "integer", "required": false, "default": 10 },
        { "name": "json", "type": "boolean", "required": false, "default": true }
      ]
    },
    {
      "id": "backup-bdd-recette",
      "label": "Backup BDD recette",
      "path": "$APP_SCRIPTS_DIR/backup-bdd-recette.sh",
      "web_enabled": true,
      "params": [
        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
        { "name": "db", "type": "select", "required": false, "values": ["sirh", "inventory", "ferme"] },
        { "name": "dry_run", "type": "boolean", "required": false, "default": false },
        { "name": "json", "type": "boolean", "required": false, "default": true }
      ]
    },
    {
      "id": "rebuild-bdd-recette",
      "label": "Rebuild BDD recette",
      "path": "$APP_SCRIPTS_DIR/rebuild-bdd-recette.sh",
      "web_enabled": true,
      "params": [
        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
        { "name": "db", "type": "select", "required": true, "values": ["sirh", "inventory", "ferme"] },
        { "name": "source", "type": "string", "required": false, "default": "latest" },
        { "name": "force", "type": "boolean", "required": false, "default": false },
        { "name": "json", "type": "boolean", "required": false, "default": true }
      ]
    }
  ]
}
EOF

  run_root mv "$tmp_json" "$SCRIPTS_JSON"
  run_root chmod 0640 "$SCRIPTS_JSON"
  run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$SCRIPTS_JSON"
}

#######################################
# Résumé
#######################################
print_summary() {
  cat <<EOF

========================================================================
Bootstrap terminé
========================================================================
Utilisateur      : $DEPLOY_USER:$DEPLOY_GROUP
Base             : $BASE_DIR
Scripts          : $APP_SCRIPTS_DIR
Config           : $CONFIG_DIR
.env             : $ENV_FILE
scripts.json     : $SCRIPTS_JSON
Repo             : $REPO_DIR

Clé SSH backup   : $BACKUP_SSH_KEY
Clé SSH repo     : $REPO_SSH_KEY
Remote backup    : ${BACKUP_REMOTE_USER}@${BACKUP_REMOTE_HOST}:${BACKUP_REMOTE_DIR}

Clé publique repo :
$(run_root cat "${REPO_SSH_KEY}.pub")

Clé publique backup :
$(run_root cat "${BACKUP_SSH_KEY}.pub")

Vérifiez :
  - la clé repo doit être ajoutée comme deploy key sur le dépôt Git privé ;
  - la valeur PGPASSWORD dans $ENV_FILE ;
  - les webhooks renseignés dans $ENV_FILE si nécessaires.
========================================================================

EOF
}

#######################################
# Main
#######################################
main() {
  ask_required_local_configuration
  validate_required_values
  compute_paths

  PKG_MANAGER="$(detect_pkg_manager)"
  [[ -n "$PKG_MANAGER" ]] || die "Gestionnaire de paquets non supporté."

  log "Vérification / installation des dépendances"
  install_dependencies

  log "Création des répertoires"
  prepare_directories

  log "Préparation du .env"
  ensure_env_file
  update_env_defaults

  log "Préparation des clés SSH"
  ensure_ssh_keypair "$BACKUP_SSH_KEY" "${DEPLOY_USER}@backup-runtime"
  ensure_ssh_keypair "$REPO_SSH_KEY" "${DEPLOY_USER}@repo-deploy"

  log "Installation de la clé publique backup sur le serveur distant"
  install_backup_key_on_remote

  log "Synchronisation du dépôt Git privé"
  sync_repo

  log "Déploiement des scripts"
  deploy_scripts
  verify_scripts

  log "Génération de la configuration web scripts.json"
  generate_scripts_json

  log "Application des permissions"
  apply_ownership

  print_summary
}

main "$@"