#!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'

# ─── 0. Root-Check ───────────────────────────────────────────────────────────────
if [ "$(id -u)" -ne 0 ]; then
  echo "Dieses Skript muss als root ausgeführt werden!" >&2
  exit 1
fi

# ─── 1. Fehlende Tools nachinstallieren ─────────────────────────────────────────
REQUIRED=(debootstrap cryptsetup lvm2 parted wget gnupg2 curl)
MISSING=()
for pkg in "${REQUIRED[@]}"; do
  if ! command -v "$pkg" &>/dev/null; then
    MISSING+=("$pkg")
  fi
done
if [ ${#MISSING[@]} -gt 0 ]; then
  echo "🔄 Fehlende Pakete: ${MISSING[*]}"
  apt update
  apt install -y "${MISSING[@]}"
fi

# ─── 2. Funktions-Helpers ────────────────────────────────────────────────────────
ask_default() {
  local prompt="$1" default="$2"
  read -rp "$prompt [$default]: " val
  echo "${val:-$default}"
}

ask_secret() {
  local prompt="$1" confirm="$2" p1 p2
  while true; do
    read -s -rp "$prompt: " p1 && echo
    read -s -rp "$confirm: " p2 && echo
    [[ "$p1" == "$p2" ]] && { echo "$p1"; return; }
    echo "❌ Passwörter stimmen nicht überein. Bitte erneut."
  done
}

# ─── 3. Parameter abfragen ───────────────────────────────────────────────────────
DISK=$(ask_default "Ziel-Disk (z.B. /dev/sda)" "/dev/sda")
BOOT_SIZE_MIB=$(ask_default "Größe der /boot-Partition in MiB" "512")
ROOT_GB=$(ask_default "Root-LV Größe in GB" "16")
SWAP_GB=$(ask_default "Swap-LV Größe in GB" "8")
DEBIAN_VERSION=$(ask_default "Debian-Codename" "bookworm")
CRYPT_NAME=$(ask_default "Name des LUKS-Containers" "cryptroot")
VG_NAME=$(ask_default "Name der Volume-Group" "pve")
LV_VMSTORE=$(ask_default "Name des VM-Storage-LV" "vmstore")
HOSTNAME=$(ask_default "Hostname" "proxmox")

DEFAULT_IFACE=$(ip -o link show | awk -F': ' '{print $2}' | grep -Ev '^(lo|vir|docker|veth)' | head -n1)
IFACE=$(ask_default "Netzwerk-Interface" "$DEFAULT_IFACE")
IP_ADDR=$(ask_default "Statische IP-Adresse" "192.168.1.100")
NETMASK=$(ask_default "Netzmaske" "255.255.255.0")
GATEWAY=$(ask_default "Gateway" "192.168.1.1")
DNS_SERVERS=$(ask_default "DNS-Server (Komma-getrennt)" "8.8.8.8,8.8.4.4")
DOMAIN=$(ask_default "Suchdomain (z.B. example.local)" "localdomain")

echo "⚠️  ALLE DATEN auf $DISK werden vollständig gelöscht!"
read -rp "ENTER zum Fortfahren oder STRG+C zum Abbrechen…" _

LUKS_PASS=$(ask_secret "🔐  LUKS-Passwort eingeben" "🔐  Passwort wiederholen")

# ─── 4. Partitionierung ─────────────────────────────────────────────────────────
echo "🧹  Alte Partitionen entfernen…"
sgdisk --zap-all "$DISK"

echo "🧱  Neue GPT-Tabelle & Partitionen anlegen…"
parted -s "$DISK" mklabel gpt
parted -s "$DISK" mkpart primary 1MiB 3MiB
parted -s "$DISK" set 1 bios_grub on
parted -s "$DISK" mkpart primary 3MiB "$((BOOT_SIZE_MIB + 3))MiB"
parted -s "$DISK" set 2 boot on
parted -s "$DISK" mkpart primary "$((BOOT_SIZE_MIB + 3))MiB" 100%

BOOT_PART="${DISK}2"
LUKS_PART="${DISK}3"

echo "🔄  Partitionstabelle neu einlesen…"
partprobe "$DISK"
udevadm settle
blockdev --rereadpt "$DISK"
sleep 1

# ─── 5. PARTUUID für crypttab & GRUB ─────────────────────────────────────────────
PARTUUID=$(blkid -s PARTUUID -o value "$LUKS_PART")

# ─── 6. LUKS & LVM einrichten ───────────────────────────────────────────────────
KEYFILE=$(mktemp)
trap 'shred -u "$KEYFILE"' EXIT
echo "$LUKS_PASS" > "$KEYFILE"

echo "🔒  LUKS2 auf $LUKS_PART einrichten…"
cryptsetup luksFormat --type luks2 --pbkdf=argon2id --key-file "$KEYFILE" "$LUKS_PART"
cryptsetup open --allow-discards --key-file "$KEYFILE" "$LUKS_PART" "$CRYPT_NAME"

pvcreate "/dev/mapper/${CRYPT_NAME}"
vgcreate "$VG_NAME" "/dev/mapper/${CRYPT_NAME}"
lvcreate -L "${ROOT_GB}G" -n root "$VG_NAME"
lvcreate -L "${SWAP_GB}G" -n swap "$VG_NAME"
lvcreate -l 100%FREE -n "$LV_VMSTORE" "$VG_NAME"

# ─── 7. Dateisysteme & Mountpoints ─────────────────────────────────────────────
mkfs.ext4 -F "/dev/${VG_NAME}/root"
mkfs.ext4 -F -O ^has_journal "$BOOT_PART"
mkfs.ext4 -F "/dev/${VG_NAME}/${LV_VMSTORE}"
mkswap "/dev/${VG_NAME}/swap"

mount "/dev/${VG_NAME}/root" /mnt
mkdir -p /mnt/boot "/mnt/${LV_VMSTORE}"
mount "$BOOT_PART" /mnt/boot
mount "/dev/${VG_NAME}/${LV_VMSTORE}" "/mnt/${LV_VMSTORE}"
swapon "/dev/${VG_NAME}/swap"

# ─── 8. Debian-Basissystem installieren ────────────────────────────────────────
debootstrap --arch amd64 "$DEBIAN_VERSION" /mnt http://deb.debian.org/debian

# ─── 9. chroot: System konfigurieren ───────────────────────────────────────────
mount --bind /dev  /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys  /mnt/sys

cat <<EOF | chroot /mnt /bin/bash
set -euo pipefail

echo "$HOSTNAME" > /etc/hostname
cat >> /etc/hosts <<HM
127.0.0.1   localhost
127.0.1.1   $HOSTNAME.$DOMAIN $HOSTNAME
HM

apt update
apt install -y linux-image-amd64 lvm2 cryptsetup initramfs-tools net-tools ifupdown curl wget gnupg2

echo "$CRYPT_NAME UUID=$PARTUUID none luks,discard" >> /etc/crypttab

cat >> /etc/fstab <<FT
/dev/mapper/$VG_NAME-root        /               ext4   defaults,noatime,discard,commit=600 0 1
$BOOT_PART                       /boot           ext4   defaults                            0 2
/dev/mapper/$VG_NAME/$LV_VMSTORE /$LV_VMSTORE    ext4   defaults,noatime,discard,commit=600 0 2
/dev/mapper/$VG_NAME-swap        none            swap   sw                                  0 0
FT

cat > /etc/network/interfaces <<NET
auto lo
iface lo inet loopback

auto $IFACE
iface $IFACE inet static
    address $IP_ADDR
    netmask $NETMASK
    gateway $GATEWAY
    dns-nameservers $(echo $DNS_SERVERS | sed 's/,/ /g')
    dns-search $DOMAIN
NET

if [ -d /sys/firmware/efi ]; then
  apt install -y grub-efi-amd64 efibootmgr
  mkdir -p /boot/efi
  mount "$BOOT_PART" /boot/efi
  grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=proxmox
else
  apt install -y grub-pc
  grub-install "$DISK"
fi

echo 'GRUB_ENABLE_CRYPTODISK=y' >> /etc/default/grub
echo "GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$PARTUUID:$CRYPT_NAME root=/dev/mapper/$VG_NAME-root\"" >> /etc/default/grub

update-initramfs -u -k all
update-grub
EOF

# ─── 10. Proxmox VE installieren ────────────────────────────────────────────────
cat <<EOF | chroot /mnt /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

echo "deb http://download.proxmox.com/debian/pve $DEBIAN_VERSION pve-no-subscription" > /etc/apt/sources.list.d/pve-install.list
wget -qO /etc/apt/trusted.gpg.d/proxmox.gpg https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg

apt update
apt install -y proxmox-ve postfix open-iscsi
EOF

# ─── 11. Aufräumen ───────────────────────────────────────────────────────────────
swapoff -a || true
umount -R /mnt || true
vgchange -an "$VG_NAME" || true
cryptsetup close "$CRYPT_NAME" || true

echo "✅  Installation abgeschlossen. System kann jetzt neu gestartet werden."