#!/bin/bash
set -euo pipefail

RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'
info()  { echo -e "${GREEN}[INFO]${NC}  $*"; }
warn()  { echo -e "${YELLOW}[WARN]${NC}  $*"; }
error() { echo -e "${RED}[ERR]${NC}   $*"; exit 1; }

[[ $EUID -ne 0 ]] && error "Ce script doit être exécuté en root."

DB_NAME="${DB_NAME:-}"
DB_USER="${DB_USER:-}"
CREDS_FILE="/root/.mariadb_credentials"

# ── Installation ──────────────────────────────────────────────────────────────
info "=== Étape 1/4 — Installation de MariaDB ==="
apt-get update -qq
apt-get install -y mariadb-server mariadb-client

systemctl enable --now mariadb
info "MariaDB $(mariadb --version | grep -oP '\d+\.\d+\.\d+' | head -1) installé"

# ── Génération du mot de passe root ──────────────────────────────────────────
ROOT_PASS=$(tr -dc 'A-Za-z0-9!#%&()*+,-./:;<=>?@[]^_{|}~' </dev/urandom | head -c 32)

# ── Sécurisation (mysql_secure_installation non-interactif) ───────────────────
info "=== Étape 2/4 — Sécurisation ==="
mariadb -u root <<SQL
-- Mot de passe root
ALTER USER 'root'@'localhost' IDENTIFIED BY '${ROOT_PASS}';

-- Suppression des utilisateurs anonymes
DELETE FROM mysql.user WHERE User='';

-- Désactivation de l'accès root distant
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- Suppression de la base test
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';

-- Application
FLUSH PRIVILEGES;
SQL

info "Sécurisation appliquée."

# ── Sauvegarde des credentials ────────────────────────────────────────────────
info "=== Étape 3/4 — Sauvegarde des credentials ==="
cat > "$CREDS_FILE" <<EOF
# MariaDB credentials — $(date '+%d/%m/%Y %H:%M')
# Généré automatiquement par scripts.ysavary.fr/mariadb

[client]
user     = root
password = ${ROOT_PASS}
host     = localhost
EOF
chmod 600 "$CREDS_FILE"

# Configuration my.cnf pour permettre à root de se connecter sans mot de passe depuis le shell
cat > /etc/mysql/conf.d/root-auth.cnf <<EOF
[client]
user     = root
password = ${ROOT_PASS}
EOF
chmod 600 /etc/mysql/conf.d/root-auth.cnf

# ── Base applicative (optionnelle) ────────────────────────────────────────────
info "=== Étape 4/4 — Base applicative ==="
APP_PASS=""
if [[ -n "$DB_NAME" && -n "$DB_USER" ]]; then
    APP_PASS=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)

    mariadb -u root -p"${ROOT_PASS}" <<SQL
CREATE DATABASE IF NOT EXISTS \`${DB_NAME}\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS '${DB_USER}'@'localhost' IDENTIFIED BY '${APP_PASS}';
GRANT ALL PRIVILEGES ON \`${DB_NAME}\`.* TO '${DB_USER}'@'localhost';
FLUSH PRIVILEGES;
SQL

    cat >> "$CREDS_FILE" <<EOF

[app]
database = ${DB_NAME}
user     = ${DB_USER}
password = ${APP_PASS}
host     = localhost
EOF
    info "Base '$DB_NAME' créée avec l'utilisateur '$DB_USER'."
else
    info "Pas de DB_NAME/DB_USER défini, pas de base applicative créée."
fi

echo ""
info "=== MariaDB configuré ==="
echo ""
echo "  ┌─ Credentials root ────────────────────────────────────┐"
echo "  │  Fichier      : $CREDS_FILE                         │"
printf "  │  Mot de passe : %-38s│\n" "$ROOT_PASS"
echo "  └───────────────────────────────────────────────────────┘"
if [[ -n "$APP_PASS" ]]; then
    echo ""
    echo "  ┌─ Base applicative ─────────────────────────────────────┐"
    printf "  │  Base     : %-44s│\n" "$DB_NAME"
    printf "  │  User     : %-44s│\n" "$DB_USER"
    printf "  │  Password : %-44s│\n" "$APP_PASS"
    echo "  └───────────────────────────────────────────────────────┘"
fi
echo ""
echo "  Connexion root : mariadb  (via /etc/mysql/conf.d/root-auth.cnf)"
echo "  Statut         : systemctl status mariadb"
echo ""
warn "Conserve $CREDS_FILE en lieu sûr !"
echo ""