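#!/bin/bash
set -euo pipefail

# ==========================================================
# FIRST SETUP SCRIPT — mist / microk8s
#
# PURPOSE:
# - Bootstrap a fresh machine
# - Install & configure microk8s
# - Enable required core addons
# - Apply cluster-wide RBAC from YAML
#
# RUN:
# - Once on a fresh host
# - Or again after a full microk8s reset
# - From the directory that contains db/k8s (the RBAC manifest
#   path below is relative to the current working directory)
#
# DOES NOT:
# - Deploy apps
# - Deploy databases
# - Contain RBAC logic inline
#
# All ongoing infra changes should be done via:
# - YAML (db/k8s/**)
# - GitHub Actions
# ==========================================================

# $USER may be unset outside a login shell; fall back to id(1) so that
# `set -u` does not abort the script halfway through.
TARGET_USER="${USER:-$(id -un)}"
readonly TARGET_USER

readonly KUBE_DIR=~/.kube
readonly KUBECONFIG_PATH="${KUBE_DIR}/config"
readonly RBAC_MANIFEST="db/k8s/rbac/infra-deployer-rbac.yaml"

# Fail before touching the host if the RBAC manifest cannot be found;
# otherwise the machine ends up bootstrapped but without the RBAC rules.
if [[ ! -f "$RBAC_MANIFEST" ]]; then
  echo "ERROR: ${RBAC_MANIFEST} not found; run this script from the directory that contains db/" >&2
  exit 1
fi

echo "=== [1/6] Installing microk8s (if needed) ==="
if ! command -v microk8s >/dev/null 2>&1; then
  sudo snap install microk8s --classic
else
  echo "microk8s already installed"
fi

echo "=== [2/6] Adding current user to microk8s group ==="
sudo usermod -aG microk8s "$TARGET_USER"
# Required so kubectl works without sudo.
# Best-effort: on a fresh host ~/.kube may not exist yet.
sudo chown -f -R "$TARGET_USER" "$KUBE_DIR" || true
# The new group membership only applies to sessions started after this
# point, so every microk8s call below goes through sudo. Without it the
# script aborts on a fresh host at the first unprivileged microk8s call.

echo "=== [3/6] Enabling core microk8s addons ==="
# A freshly installed snap may still be starting; wait before enabling addons.
sudo microk8s status --wait-ready
# These are the foundations everything else depends on
sudo microk8s enable \
  dns \
  rbac \
  hostpath-storage \
  host-access \
  metrics-server \
  ingress

# Optional: MetalLB (only if you need L2 IPs)
# sudo microk8s enable metallb:192.168.0.200-192.168.0.220

echo "=== [4/6] Waiting for microk8s to be ready ==="
sudo microk8s status --wait-ready

echo "=== [5/6] Writing kubeconfig for local user ==="
# The raw kubeconfig embeds the cluster credentials. Write it to a
# mktemp file (created owner-only) and rename it into place, so that:
#   - the credentials are never on disk with umask-default permissions
#   - a failed `config view` does not truncate an existing kubeconfig
# NOTE: this replaces any existing ~/.kube/config (it is not merged).
mkdir -p "$KUBE_DIR"
tmp_config=$(mktemp "${KUBE_DIR}/config.XXXXXX")
trap 'rm -f -- "$tmp_config"' EXIT
sudo microk8s kubectl config view --raw > "$tmp_config"
chmod 600 "$tmp_config"
mv -f -- "$tmp_config" "$KUBECONFIG_PATH"
trap - EXIT

echo "=== [6/6] Applying cluster RBAC (infra deployer role) ==="
# IMPORTANT:
# RBAC is fully declarative and lives in YAML.
# Extend permissions by editing the YAML — NOT this script.
sudo microk8s kubectl apply -f "$RBAC_MANIFEST"

echo
echo "=== Bootstrap complete ==="
echo
echo "You can now:"
echo "- Install ARC (GitHub Actions runners)"
echo "- Deploy Postgres via CI"
echo "- Apply CronJobs, Jobs, and Traefik resources"
echo
echo "This script should NOT be modified for normal infra changes."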