#!/bin/bash
# backup-argocd-it15.sh — ArgoCD IT15 + K3s IT15 Backup
# Mandant:  platform
# Umgebung: prod
# Zielpfad: tenants/platform/prod/argocd-it15/
set -euo pipefail

TIMESTAMP=$(date -u +%Y%m%dT%H%M%SZ)
TMPDIR=$(mktemp -d /tmp/argocd-it15-XXXXXX)
trap 'rm -rf "$TMPDIR"' EXIT

IT15_KEY="$HOME/.ssh/kube-bot-it15-ed25519"
IT15_HOST="Misla@192.168.1.121"
AGE_BIN="/home/node/shared/tools/age"
DMZ_HOST="192.168.20.90"
DMZ_TARGET="/media/myCloudDrive/dmz-backup/k3s-dmz/tenants/platform/prod/argocd-it15/$TIMESTAMP"

log() { echo "[$(date -u +%H:%M:%SZ)] $*"; }
fail() { log "FEHLER: $*"; exit 1; }

log "=== ArgoCD IT15 Backup $TIMESTAMP ==="

# Credentials aus Infisical
eval $(python3 << 'PYEOF'
import json, urllib.request, os, tempfile

creds={}
with open(os.path.expanduser('~/.openclaw/workspace/.hob-cattaro-creds')) as f:
    for l in f:
        l=l.strip()
        if l and not l.startswith('#') and '=' in l:
            k,v=l.split('=',1); creds[k]=v

def api(u, d=None, tok=None, method=None):
    h={'Content-Type':'application/json'}
    if tok: h['Authorization']=f'Bearer {tok}'
    r=urllib.request.Request(u,data=json.dumps(d).encode() if d else None,headers=h,method=method)
    return json.loads(urllib.request.urlopen(r,timeout=10).read())

t  = api(f"{creds['HOB_CATTARO_INFISICAL_URL']}/api/v1/auth/universal-auth/login",
         {'clientId':creds['HOB_CATTARO_CLIENT_ID'],'clientSecret':creds['HOB_CATTARO_CLIENT_SECRET']})['accessToken']
s  = api(f"{creds['HOB_CATTARO_INFISICAL_URL']}/api/v3/secrets/raw?workspaceId={creds['HOB_CATTARO_PROJECT_ID']}&environment=prod&secretPath=/kube-bot",tok=t)
sv = {x['secretKey']:x['secretValue'] for x in s['secrets']}
ct = api(f"{sv['CATTARO_INFISICAL_URL']}/api/v1/auth/universal-auth/login",
         {'clientId':sv['CATTARO_INFISICAL_CLIENT_ID'],'clientSecret':sv['CATTARO_INFISICAL_CLIENT_SECRET']})['accessToken']
BR="ba0a79d9-32fe-474c-be2f-88384a3d9749"
def get(n):
    return api(f"{sv['CATTARO_INFISICAL_URL']}/api/v3/secrets/raw/{n}?workspaceId={BR}&environment=prod&secretPath=/",tok=ct)['secret']['secretValue']

recipient = get('BACKUP_ARGOCD_IT15_AGE_RECIPIENT')
dmz_key   = get('KUBE_BOT_DMZ_BACKUP_SSH_PRIVATE_KEY')

kf = tempfile.NamedTemporaryFile(delete=False, prefix='/tmp/dmz-it15-', mode='w', suffix='.key')
kf.write(dmz_key+'\n'); kf.close(); os.chmod(kf.name,0o600)

print(f"export RECIPIENT='{recipient}'")
print(f"export DMZ_KEYFILE='{kf.name}'")
PYEOF
)

log "Credentials geladen, Recipient: ${RECIPIENT:0:20}..."

# Daten von IT15 holen
log "Hole ArgoCD Applications..."
ssh -i "$IT15_KEY" -o StrictHostKeyChecking=no "$IT15_HOST" \
  'wsl -d Ubuntu -- bash -lc "kubectl -n argocd get applications -o yaml 2>/dev/null"' \
  > "$TMPDIR/argocd-applications.yaml"

log "Hole ArgoCD AppProjects..."
ssh -i "$IT15_KEY" -o StrictHostKeyChecking=no "$IT15_HOST" \
  'wsl -d Ubuntu -- bash -lc "kubectl -n argocd get appprojects -o yaml 2>/dev/null"' \
  > "$TMPDIR/argocd-appprojects.yaml"

log "Hole ArgoCD Secrets-Metadaten (keine Werte)..."
ssh -i "$IT15_KEY" -o StrictHostKeyChecking=no "$IT15_HOST" \
  'wsl -d Ubuntu -- bash -lc "kubectl -n argocd get secrets -o json 2>/dev/null"' \
  | python3 -c "
import sys,json
d=json.load(sys.stdin)
for s in d.get('items',[]): s.pop('data',None)
print(json.dumps(d,indent=2))" > "$TMPDIR/argocd-secrets-metadata.json"

log "Hole IT15 K3s DB..."
ssh -i "$IT15_KEY" -o StrictHostKeyChecking=no "$IT15_HOST" \
  'wsl -d Ubuntu -- bash -lc "sudo sqlite3 /var/lib/rancher/k3s/server/db/state.db \".backup /tmp/k3s-it15.db\" && base64 /tmp/k3s-it15.db; rm -f /tmp/k3s-it15.db"' \
  | base64 -d > "$TMPDIR/k3s-state.db"
log "K3s DB: $(du -sh "$TMPDIR/k3s-state.db" | cut -f1)"

# Archivieren + Verschlüsseln
log "Archiviere und verschlüssele..."
tar czf "$TMPDIR/argocd-it15.tar.gz" -C "$TMPDIR" \
  argocd-applications.yaml argocd-appprojects.yaml argocd-secrets-metadata.json k3s-state.db

"$AGE_BIN" -r "$RECIPIENT" -o "$TMPDIR/argocd-it15.tar.gz.age" "$TMPDIR/argocd-it15.tar.gz"
sha256sum "$TMPDIR/argocd-it15.tar.gz.age" | awk '{print $1"  argocd-it15.tar.gz.age"}' \
  > "$TMPDIR/argocd-it15.tar.gz.age.sha256"

log "Archiv: $(du -sh "$TMPDIR/argocd-it15.tar.gz.age" | cut -f1)"

# Push nach dmz-backup
log "Push nach dmz-backup..."
ssh -i "$DMZ_KEYFILE" -o StrictHostKeyChecking=no "openclaw@$DMZ_HOST" "mkdir -p '$DMZ_TARGET'"
scp -i "$DMZ_KEYFILE" -o StrictHostKeyChecking=no \
  "$TMPDIR/argocd-it15.tar.gz.age" \
  "$TMPDIR/argocd-it15.tar.gz.age.sha256" \
  "openclaw@$DMZ_HOST:$DMZ_TARGET/"

LOCAL_SHA=$(awk '{print $1}' "$TMPDIR/argocd-it15.tar.gz.age.sha256")
REMOTE_SHA=$(ssh -i "$DMZ_KEYFILE" -o StrictHostKeyChecking=no "openclaw@$DMZ_HOST" \
  "sha256sum '$DMZ_TARGET/argocd-it15.tar.gz.age' | awk '{print \$1}'")
[ "$LOCAL_SHA" = "$REMOTE_SHA" ] && log "SHA256 OK ✅" || fail "SHA256 FAIL"

rm -f "$DMZ_KEYFILE"
log "=== $TIMESTAMP abgeschlossen ==="
echo "$TIMESTAMP"
