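#!/bin/bash
# Setup Proxmox RBAC (Role-Based Access Control)
#
# Creates a fixed set of custom roles (VMOperator, VMViewer, StorageOperator,
# NetworkOperator) on every Proxmox host, over SSH as root. Users, role
# assignments and API tokens are still created by hand; the steps are printed
# at the end.
#
# Usage: <this script> [host ...]
#   With no arguments the hosts in PROXMOX_HOSTS below are configured.
#
# Environment (all optional):
#   SSH_KEY              private key for root@<host>
#                        (default: ~/.ssh/id_ed25519_proxmox)
#   SSH_HOST_KEY_POLICY  value passed as ssh -o StrictHostKeyChecking=...
#                        (default: accept-new)
#   <PROJECT_ROOT>/.env  sourced and exported when the file exists

# ~/.bashrc is sourced only when present. Most rc files return early for
# non-interactive shells, so nothing below should depend on it.
if [[ -f "$HOME/.bashrc" ]]; then
  # shellcheck source=/dev/null
  source "$HOME/.bashrc"
fi

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"

# Load environment variables from the project .env and export them (set -a).
# Note: the sed step drops everything after the first '#' on a line, so a
# value that itself contains '#' (a token, a password) is silently truncated;
# values are also not quoted, so a value with spaces will not parse.
if [[ -f "$PROJECT_ROOT/.env" ]]; then
  set -a
  # shellcheck source=/dev/null
  source <(grep -v '^#' "$PROJECT_ROOT/.env" | grep -v '^$' | sed 's/#.*$//' | grep '=')
  set +a
fi

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
# shellcheck disable=SC2034 # kept for callers that source this file
BLUE='\033[0;34m'
NC='\033[0m'
readonly RED GREEN YELLOW BLUE NC

# log_info MSG... — informational line on stdout.
log_info() {
  printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$*"
}

# log_warn MSG... — warning line on stderr.
log_warn() {
  printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$*" >&2
}

# log_error MSG... — error line on stderr.
log_error() {
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$*" >&2
}

SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519_proxmox}"

# Host-key policy for every ssh call. 'accept-new' (OpenSSH 7.6+) records a
# host key on first contact and refuses a changed key afterwards, so a host
# impersonating a Proxmox node cannot receive root's commands. The previous
# hard-coded 'no' accepted any key; SSH_HOST_KEY_POLICY=no restores that.
SSH_HOST_KEY_POLICY="${SSH_HOST_KEY_POLICY:-accept-new}"

# Common ssh options. ConnectTimeout keeps an unreachable host from hanging
# the whole run.
SSH_OPTS=(
  -i "$SSH_KEY"
  -o "StrictHostKeyChecking=${SSH_HOST_KEY_POLICY}"
  -o ConnectTimeout=10
)

PROXMOX_HOSTS=("192.168.1.206" "192.168.1.49") # ML110 and R630

#######################################
# Check that a host is reachable over ssh and runs Proxmox.
# Arguments: $1 - host
# Returns:   0 when 'pveversion' runs remotely, non-zero otherwise
#######################################
host_is_reachable() {
  local host=$1
  ssh "${SSH_OPTS[@]}" "root@${host}" "pveversion" &>/dev/null
}

#######################################
# Create (or update) the custom roles on one host.
# The heredoc delimiter is quoted on purpose: nothing is expanded locally,
# so the remote script is exactly the text below.
# Arguments: $1 - host
# Returns:   ssh's exit status; non-zero if any role could not be applied
#######################################
create_roles_on_host() {
  local host=$1
  ssh "${SSH_OPTS[@]}" "root@${host}" <<'EOF'
set -e

# ensure_role NAME PRIVS — add the role, or replace its privilege set when the
# role already exists, so the script can be re-run safely. 'pveum role add'
# fails on an existing role, which previously aborted the whole run.
ensure_role() {
  if pveum role add "$1" --privs "$2" 2>/dev/null; then
    echo "Role $1 created"
  else
    pveum role modify "$1" --privs "$2"
    echo "Role $1 updated"
  fi
}

# Create VM Operator role (can manage VMs but not hosts)
# NOTE(review): Datastore.Allocate covers storage configuration, not only
# space allocation — confirm it is intended for an operator role.
ensure_role VMOperator "VM.Allocate VM.Audit VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Monitor VM.PowerMgmt Datastore.Allocate Datastore.Audit"

# Create VM Viewer role (read-only access to VMs)
ensure_role VMViewer "VM.Audit VM.Monitor Datastore.Audit"

# Create Storage Operator role (can manage storage)
ensure_role StorageOperator "Datastore.Allocate Datastore.Audit Datastore.AllocateSpace Datastore.AllocateTemplate"

# Create Network Operator role (can manage networks)
ensure_role NetworkOperator "SDN.Use SDN.Audit Network.Allocate Network.Audit"

echo "Roles created successfully"
EOF
}

#######################################
# Print the manual follow-up steps and the role summary.
#######################################
print_summary() {
  log_info "RBAC setup complete!"
  echo ""
  log_warn "Manual steps required:"
  log_info "1. Create users via Web UI: Datacenter → Permissions → Users → Add"
  log_info "2. Assign roles to users: Datacenter → Permissions → User → Edit → Roles"
  log_info "3. Create API tokens for automation:"
  log_info " - Datacenter → Permissions → API Tokens → Add"
  log_info " - Store tokens securely in .env file"
  echo ""
  log_info "Available roles:"
  log_info " - VMOperator: Full VM management"
  log_info " - VMViewer: Read-only VM access"
  log_info " - StorageOperator: Storage management"
  log_info " - NetworkOperator: Network management"
}

#######################################
# Entry point.
# Arguments: optional host list; overrides PROXMOX_HOSTS when given
# Returns:   0 if every reachable host was configured, 1 if any host failed
#######################################
main() {
  local -a hosts=("${PROXMOX_HOSTS[@]}")
  local -a failed=()
  local host

  if (( $# > 0 )); then
    hosts=("$@")
  fi

  log_info "Setting up Proxmox RBAC"
  echo ""

  for host in "${hosts[@]}"; do
    log_info "Configuring RBAC on $host..."

    if ! host_is_reachable "$host"; then
      log_warn "Cannot connect to $host. Skipping..."
      continue
    fi

    log_info "Creating custom roles..."
    # A failure on one host must not abort the others (set -e would).
    if create_roles_on_host "$host"; then
      log_info "✓ RBAC roles created on $host"
    else
      log_error "Role creation failed on $host"
      failed+=("$host")
    fi
    echo ""
  done

  print_summary

  if (( ${#failed[@]} > 0 )); then
    log_error "Role creation failed on: ${failed[*]}"
    return 1
  fi
  return 0
}

main "$@"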