#!/bin/bash
# Deploy orchestrator to VPS.
# Idempotent: safe to run for updates (just re-syncs code and restarts).
set -euo pipefail

VPS="${VPS:-root@2.24.28.41}"
REMOTE_DIR="/opt/lobe-sandbox"
ENV_FILE="/etc/lobe-sandbox/orchestrator.env"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"

log() { echo "==> $*"; }

log "1/6 Ensure Bun on VPS"
ssh "$VPS" '
  command -v bun >/dev/null || {
    curl -fsSL https://bun.sh/install | env BUN_INSTALL=/usr/local bash
  }
  bun --version
'

log "2/6 Ensure remote dirs"
ssh "$VPS" "mkdir -p $REMOTE_DIR /etc/lobe-sandbox /var/lib/lobe-sandbox"

log "3/6 Sync orchestrator source"
rsync -az --delete \
  --exclude node_modules --exclude dist --exclude .env --exclude .env.local \
  "$PROJECT_ROOT/orchestrator/" \
  "$VPS:$REMOTE_DIR/orchestrator/"

log "4/6 bun install on VPS"
ssh "$VPS" "cd $REMOTE_DIR/orchestrator && bun install --production --frozen-lockfile 2>/dev/null || bun install --production"

log "5/6 Env file (only if missing — do not overwrite)"
ssh "$VPS" "
  if [ ! -f $ENV_FILE ]; then
    cat > $ENV_FILE <<'ENV'
PORT=8700
HOST=127.0.0.1
SANDBOX_ORCH_SECRET=CHANGEME_RUN_openssl_rand_base64_32
INCUS_PROJECT=lobe-sandbox
INCUS_PROFILE=sandbox-default
INCUS_BASE_IMAGE=lobe-sandbox-base
INCUS_CONTAINER_PREFIX=sb-
IDLE_TIMEOUT_MS=1800000
STATE_DB_PATH=/var/lib/lobe-sandbox/state.sqlite
S3_ENDPOINT=http://192.168.2.221:9000
S3_REGION=us-east-1
S3_BUCKET=lobe-sandbox-exports
S3_ACCESS_KEY_ID=admin
S3_SECRET_ACCESS_KEY=CHANGEME
S3_FORCE_PATH_STYLE=true
ENV
    chmod 600 $ENV_FILE
    echo '!!! First deploy. Edit $ENV_FILE before starting service !!!'
  fi
"

log "6/6 Install systemd unit and reload"
scp "$PROJECT_ROOT/deploy/sandbox-orchestrator.service" \
  "$VPS:/etc/systemd/system/sandbox-orchestrator.service"
ssh "$VPS" 'systemctl daemon-reload'

log "DONE"
log ""
log "Next: ssh $VPS and run:"
log "  1. nano $ENV_FILE  # set SANDBOX_ORCH_SECRET + S3_SECRET_ACCESS_KEY"
log "  2. systemctl enable --now sandbox-orchestrator"
log "  3. journalctl -u sandbox-orchestrator -f"
log "  4. curl http://127.0.0.1:8700/health"