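#!/bin/bash
# Docker TLS Setup Script
# Configures the Docker daemon with TLS certificates for secure API access.
#
# Usage: run from the project (needs sudo for /etc/docker and systemctl).
#
# Environment:
#   DOCKER_HOST_IP   address the TLS listener binds to and that the connection
#                    test dials (default 127.0.0.1)
#   DOCKER_TLS_PORT  TCP port of the TLS listener (default 2376)
#
# Expects ca.pem, server-cert.pem, server-key.pem, client-cert.pem and
# client-key.pem in <project>/certs, as produced by generate-certs.sh.
#
# NOTE(review): this writes a "hosts" entry into daemon.json. On distributions
# whose docker.service already passes "-H fd://" on the dockerd command line
# (Debian/Ubuntu packages do), dockerd refuses to start because the option is
# given twice; a systemd drop-in that clears ExecStart's -H flag is needed
# there. The restart step below reports that instead of sleeping past it.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
CERTS_DIR="$PROJECT_ROOT/certs"
readonly SCRIPT_DIR PROJECT_ROOT CERTS_DIR

# Configuration (overridable from the environment)
DOCKER_HOST_IP="${DOCKER_HOST_IP:-127.0.0.1}"
DOCKER_TLS_PORT="${DOCKER_TLS_PORT:-2376}"

readonly DAEMON_CONFIG="/etc/docker/daemon.json"
readonly DOCKER_CERT_INSTALL_DIR="/etc/docker/certs"

# Host part of the tcp:// URL; IPv6 literals get bracketed. Set by validate_config.
DOCKER_HOST_ADDR=""

die() { printf 'Error: %s\n' "$*" >&2; exit 1; }

#######################################
# Reject values that would corrupt daemon.json or the tcp:// URL.
# Both DOCKER_HOST_IP and DOCKER_TLS_PORT come from the environment and are
# interpolated verbatim into JSON and a URL, so only plain address/port
# characters are accepted.
# Globals: DOCKER_HOST_IP, DOCKER_TLS_PORT (read), DOCKER_HOST_ADDR (written)
#######################################
validate_config() {
  if ! [[ "$DOCKER_TLS_PORT" =~ ^[0-9]+$ ]] \
     || (( 10#$DOCKER_TLS_PORT < 1 || 10#$DOCKER_TLS_PORT > 65535 )); then
    die "DOCKER_TLS_PORT must be a port number 1-65535 (got '$DOCKER_TLS_PORT')"
  fi
  # IPv4 address, hostname or bare IPv6 literal; no quotes, braces or spaces.
  if ! [[ "$DOCKER_HOST_IP" =~ ^[A-Za-z0-9.:_-]+$ ]]; then
    die "DOCKER_HOST_IP must be a plain address or hostname (got '$DOCKER_HOST_IP')"
  fi
  if [[ "$DOCKER_HOST_IP" == *:* ]]; then
    DOCKER_HOST_ADDR="[$DOCKER_HOST_IP]"
  else
    DOCKER_HOST_ADDR="$DOCKER_HOST_IP"
  fi
}

#######################################
# Fail before anything under /etc/docker is touched if a certificate is
# missing. All five files are checked up front: the client pair is installed
# and used by the connection test, so a missing one would otherwise abort the
# script after daemon.json had already been replaced.
# Globals: CERTS_DIR (read)
#######################################
check_certs() {
  local f
  for f in ca.pem server-cert.pem server-key.pem client-cert.pem client-key.pem; do
    [[ -f "$CERTS_DIR/$f" ]] \
      || die "TLS certificates not found ($CERTS_DIR/$f). Run generate-certs.sh first."
  done
}

#######################################
# Back up and replace /etc/docker/daemon.json.
# The file is replaced wholesale, not merged: any setting an existing
# daemon.json carried beyond those written here survives only in the
# timestamped backup.
# Globals: DAEMON_CONFIG, DOCKER_HOST_ADDR, DOCKER_TLS_PORT (read)
#######################################
write_daemon_config() {
  local backup
  backup="${DAEMON_CONFIG}.backup.$(date +%Y%m%d_%H%M%S)"
  echo "Configuring Docker daemon for TLS..."
  if [[ -f "$DAEMON_CONFIG" ]]; then
    echo "Backing up existing daemon.json to $backup"
    sudo cp "$DAEMON_CONFIG" "$backup"
  fi
  # The TCP listener is bound to DOCKER_HOST_IP only. Binding 0.0.0.0 would
  # expose the (root-equivalent) Docker API on every interface, which is not
  # what the 127.0.0.1 default and the connection test below assume; with
  # "tlsverify" the API still accepts only clients presenting a cert signed
  # by ca.pem.
  # NOTE(review): "iptables": false and "bridge": "none" leave containers
  # without the default bridge network, and "userns-remap": "default" changes
  # the ownership layout under /var/lib/docker so pre-existing images and
  # containers are no longer visible — confirm both are intended on a host
  # that already has state.
  sudo tee "$DAEMON_CONFIG" > /dev/null << EOF
{
  "tls": true,
  "tlsverify": true,
  "tlscacert": "$DOCKER_CERT_INSTALL_DIR/ca.pem",
  "tlscert": "$DOCKER_CERT_INSTALL_DIR/server-cert.pem",
  "tlskey": "$DOCKER_CERT_INSTALL_DIR/server-key.pem",
  "hosts": ["tcp://$DOCKER_HOST_ADDR:$DOCKER_TLS_PORT", "unix:///var/run/docker.sock"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "storage-driver": "overlay2",
  "iptables": false,
  "bridge": "none",
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true,
  "userns-remap": "default"
}
EOF
}

#######################################
# Copy the certificates into /etc/docker/certs with owner and mode set at
# creation time (install), so a private key never exists with a group/world
# readable mode, even briefly, as it would between a cp and a later chmod.
# Globals: CERTS_DIR, DOCKER_CERT_INSTALL_DIR (read)
#######################################
install_certs() {
  local f
  echo "Installing TLS certificates..."
  sudo mkdir -p "$DOCKER_CERT_INSTALL_DIR"
  for f in ca.pem server-cert.pem client-cert.pem; do
    sudo install -o root -g root -m 0444 "$CERTS_DIR/$f" "$DOCKER_CERT_INSTALL_DIR/$f"
  done
  # dockerd needs only the server key. The client key is installed alongside
  # it (root-only) as before; non-root clients should use the copy in
  # $CERTS_DIR, which is what the printed DOCKER_CERT_PATH points at.
  for f in server-key.pem client-key.pem; do
    sudo install -o root -g root -m 0400 "$CERTS_DIR/$f" "$DOCKER_CERT_INSTALL_DIR/$f"
  done
}

#######################################
# Restart dockerd and wait until systemd reports it active, instead of a
# fixed sleep. A daemon that fails to come up is reported with a pointer to
# the journal and to the hosts / -H fd:// conflict described in the header.
# Returns: 0 when docker is active, 1 otherwise
#######################################
restart_docker() {
  local attempt
  echo "Restarting Docker daemon..."
  if sudo systemctl restart docker; then
    for attempt in 1 2 3 4 5 6 7 8 9 10; do
      if systemctl is-active --quiet docker; then
        return 0
      fi
      sleep 1
    done
  fi
  echo "Docker did not become active after restart; see 'journalctl -u docker'." >&2
  echo "If the log says 'hosts' is given both as a flag and in daemon.json, the" >&2
  echo "unit's '-H fd://' conflicts with daemon.json (see the header comment)." >&2
  return 1
}

#######################################
# Probe the TLS listener with the client certificate, retrying briefly while
# dockerd finishes binding. On failure the client's own error is printed so
# the cause (handshake, bind address, port) is visible rather than swallowed.
# Globals: CERTS_DIR, DOCKER_HOST_ADDR, DOCKER_TLS_PORT (read)
# Returns: 0 on a successful "docker version" over TLS, 1 otherwise
#######################################
test_connection() {
  local attempt
  local -a client=(
    docker --tlsverify
    --tlscacert="$CERTS_DIR/ca.pem"
    --tlscert="$CERTS_DIR/client-cert.pem"
    --tlskey="$CERTS_DIR/client-key.pem"
    -H "tcp://$DOCKER_HOST_ADDR:$DOCKER_TLS_PORT"
  )
  echo "Testing TLS connection..."
  for attempt in 1 2 3 4 5; do
    if "${client[@]}" version > /dev/null 2>&1; then
      echo "✅ TLS connection successful!"
      return 0
    fi
    sleep 1
  done
  echo "❌ TLS connection failed!" >&2
  "${client[@]}" version >&2 || true
  return 1
}

main() {
  validate_config
  echo "Setting up Docker TLS configuration..."
  echo "Certificates directory: $CERTS_DIR"
  echo "Docker host IP: $DOCKER_HOST_IP"
  echo "TLS port: $DOCKER_TLS_PORT"

  check_certs
  write_daemon_config
  install_certs
  restart_docker || exit 1
  test_connection || exit 1

  echo ""
  echo "Docker TLS setup complete!"
  echo ""
  echo "Environment variables for applications:"
  echo "  export DOCKER_TLS_VERIFY=1"
  echo "  export DOCKER_CERT_PATH=$CERTS_DIR"
  echo "  export DOCKER_HOST=tcp://$DOCKER_HOST_ADDR:$DOCKER_TLS_PORT"
  echo ""
  echo "For docker-compose, add these to your environment or .env file."
}

main "$@"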