#!/usr/bin/env bash
# NOBA Command Center — Docker image installer
#
# Downloads the versioned NOBA Docker image tarball from R2, verifies its
# SHA-256 checksum, loads it into the local Docker daemon, and tags the
# result as ``noba-enterprise:latest`` so ``docker run`` / ``docker
# compose up`` work immediately. Does NOT run the container — port
# mappings, volumes, environment, and systemd integration are operator
# decisions that belong in docker-compose.yml or a bespoke ``docker run``
# command.
#
# Usage:
#   curl -fL https://www.nobacmd.com/download/latest/docker-install.sh | bash
#
#   # or pin a version:
#   curl -fL https://www.nobacmd.com/download/latest/docker-install.sh | NOBA_VERSION=2.1.0-beta.33 bash
#
# Requirements: docker (local daemon with load permission), curl, gunzip,
# sha256sum. All standard on Debian/Ubuntu/Fedora/RHEL.

set -euo pipefail

BASE_URL="${NOBA_DOWNLOAD_BASE:-https://www.nobacmd.com/download}"
VERSION_JSON_URL="${NOBA_VERSION_JSON:-${BASE_URL}/latest/version.json}"

log()  { printf '[noba] %s\n' "$*"; }
err()  { printf '[noba] ERROR: %s\n' "$*" >&2; }
die()  { err "$*"; exit 1; }

# ── prerequisite check ─────────────────────────────────────────────────
for cmd in docker curl gunzip sha256sum; do
  command -v "$cmd" >/dev/null 2>&1 || die "missing required command: $cmd"
done

# Docker daemon must be reachable.
docker info >/dev/null 2>&1 \
  || die "cannot talk to the Docker daemon — is it running? permission? (try: sudo bash -s < docker-install.sh)"

# ── resolve version ────────────────────────────────────────────────────
if [ -n "${NOBA_VERSION:-}" ]; then
  VERSION="$NOBA_VERSION"
  log "using pinned version: $VERSION (from NOBA_VERSION)"
else
  log "resolving latest version from ${VERSION_JSON_URL}"
  VERSION=$(curl -fsSL "$VERSION_JSON_URL" \
    | python3 -c 'import json,sys; print(json.load(sys.stdin)["version"])' 2>/dev/null) \
    || die "could not fetch or parse ${VERSION_JSON_URL}"
  log "latest version: $VERSION"
fi

# ── download image tarball + sha256 ────────────────────────────────────
TARBALL="noba-enterprise-${VERSION}.docker.tar.gz"
TARBALL_URL="${BASE_URL}/v${VERSION}/${TARBALL}"
SHA_URL="${TARBALL_URL}.sha256"

WORKDIR=$(mktemp -d -t noba-docker-install.XXXXXX)
trap 'rm -rf "$WORKDIR"' EXIT

log "downloading ${TARBALL} from ${BASE_URL}/v${VERSION}/"
curl -fL --progress-bar -o "${WORKDIR}/${TARBALL}" "$TARBALL_URL" \
  || die "download failed: $TARBALL_URL"

log "downloading ${TARBALL}.sha256"
curl -fsSL -o "${WORKDIR}/${TARBALL}.sha256" "$SHA_URL" \
  || die "sha256 download failed: $SHA_URL"

# ── verify ─────────────────────────────────────────────────────────────
log "verifying SHA-256"
(cd "$WORKDIR" && sha256sum -c "${TARBALL}.sha256") \
  || die "SHA-256 mismatch — download corrupt, refusing to load"

# ── load + tag ─────────────────────────────────────────────────────────
log "loading image into Docker daemon (may take ~30s)"
gunzip -c "${WORKDIR}/${TARBALL}" | docker load

log "tagging noba-enterprise:${VERSION} as noba-enterprise:latest"
docker tag "noba-enterprise:${VERSION}" "noba-enterprise:latest"

log "done. Loaded image:"
docker images --filter "reference=noba-enterprise" \
  --format 'table {{.Repository}}\t{{.Tag}}\t{{.Size}}\t{{.CreatedSince}}'

cat <<EOF

Next steps — NOBA is now available as docker image noba-enterprise:latest.

Quick start (foreground, SQLite, default port):
  docker run -d --name noba \\
    -p 8080:8080 \\
    -v noba-config:/app/config \\
    -v noba-data:/app/data \\
    noba-enterprise:latest

Stack (recommended — bundles Redis for enterprise tier):
  curl -fL https://www.nobacmd.com/download/latest/docker-compose.yml -o docker-compose.yml
  docker compose up -d

Config, env vars, upgrade path, and troubleshooting:
  https://www.nobacmd.com/docs/configuration
EOF