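#
# NODE1 Operations Makefile
# Usage: make <target>
#
# Every target is a remote operation run over SSH/SCP against NODE1; nothing
# here builds a local file, so all targets are declared phony.
#

NODE1_HOST := 144.76.224.179
NODE1_USER := root

# accept-new is trust-on-first-use: the first key the host presents is stored
# without verification, and only later key changes are rejected. Every target
# logs in as root, so pre-seed known_hosts with a host key verified out of
# band before the first run.
SSH_OPTS := -o StrictHostKeyChecking=accept-new

# Derived values, shared by the recipes below.
node1           := $(NODE1_USER)@$(NODE1_HOST)
remote_root     := /opt/microdao-daarion
remote_harden   := $(remote_root)/ops/hardening
firewall_script := $(remote_harden)/apply-node1-firewall.sh
ssl_domain      := api.daarion.io

.PHONY: help status status-verbose \
        harden-dry-run harden-apply harden-rollback \
        nginx-install nginx-deploy nginx-reload nginx-status ssl-setup \
        full-harden verify-ports verify-ratelimit

# full-harden depends on its prerequisites running one after another in the
# listed order. All targets are remote side effects, so parallel execution has
# no benefit and `make -j` must not reorder them.
.NOTPARALLEL:

help:
	@echo "NODE1 Operations"
	@echo ""
	@echo "Status:"
	@echo "  make status           - Run health check on NODE1"
	@echo "  make status-verbose   - Run verbose health check on NODE1"
	@echo ""
	@echo "Hardening:"
	@echo "  make harden-dry-run   - Show firewall changes (dry run)"
	@echo "  make harden-apply     - Apply firewall hardening"
	@echo "  make harden-rollback  - Rollback firewall to previous state"
	@echo ""
	@echo "Nginx:"
	@echo "  make nginx-install    - Install nginx on NODE1"
	@echo "  make nginx-deploy     - Deploy nginx config to NODE1"
	@echo "  make nginx-reload     - Reload nginx on NODE1"
	@echo "  make nginx-status     - Show nginx service status on NODE1"
	@echo "  make ssl-setup        - Setup Let's Encrypt SSL"
	@echo ""
	@echo "Full hardening:"
	@echo "  make full-harden      - nginx-install + nginx-deploy + nginx-reload + harden-apply"
	@echo ""
	@echo "Verification:"
	@echo "  make verify-ports     - List listening sockets on the monitored ports"
	@echo "  make verify-ratelimit - Send 25 requests to /health and print the status codes"

# === Status ===

status:
	@echo "Running status check on NODE1..."
	ssh $(SSH_OPTS) $(node1) '$(remote_root)/ops/status.sh'

status-verbose:
	@echo "Running verbose status check on NODE1..."
	ssh $(SSH_OPTS) $(node1) '$(remote_root)/ops/status.sh --verbose'

# === Hardening ===

# Uploads the local copy of the firewall script first, so the dry run previews
# exactly the script that harden-apply would execute.
harden-dry-run:
	@echo "Dry run firewall hardening..."
	scp $(SSH_OPTS) ops/hardening/apply-node1-firewall.sh $(node1):$(remote_harden)/
	ssh $(SSH_OPTS) $(node1) 'chmod +x $(firewall_script) && $(firewall_script) --dry-run'

# Changes firewall rules over the same SSH path used to reach the host. Review
# the harden-dry-run output first and keep an existing session open until
# access is confirmed; harden-rollback needs a working SSH login to run.
harden-apply:
	@echo "Applying firewall hardening..."
	scp $(SSH_OPTS) ops/hardening/apply-node1-firewall.sh $(node1):$(remote_harden)/
	ssh $(SSH_OPTS) $(node1) 'chmod +x $(firewall_script) && $(firewall_script) --apply'

# Runs the script already present on NODE1; the local copy is not re-uploaded.
harden-rollback:
	@echo "Rolling back firewall..."
	ssh $(SSH_OPTS) $(node1) '$(firewall_script) --rollback'

# === Nginx ===

nginx-install:
	@echo "Installing nginx on NODE1..."
	ssh $(SSH_OPTS) $(node1) 'apt-get update && apt-get install -y nginx'

# The config is validated only after it has been copied into conf.d. If
# `nginx -t` fails the recipe stops here, but the rejected file stays on the
# host: fix and redeploy before running nginx-reload.
nginx-deploy:
	@echo "Deploying nginx config..."
	scp $(SSH_OPTS) ops/nginx/node1-api.conf $(node1):/etc/nginx/conf.d/node1-api.conf
	ssh $(SSH_OPTS) $(node1) 'nginx -t'

nginx-reload:
	@echo "Reloading nginx..."
	ssh $(SSH_OPTS) $(node1) 'systemctl reload nginx'

nginx-status:
	@echo "Nginx status..."
	ssh $(SSH_OPTS) $(node1) 'systemctl status nginx --no-pager'

# Refreshes the package index before installing so this target also works when
# run on its own, without a preceding nginx-install.
ssl-setup:
	@echo "Setting up SSL with Let's Encrypt..."
	ssh $(SSH_OPTS) $(node1) 'apt-get update && apt-get install -y certbot python3-certbot-nginx && certbot --nginx -d $(ssl_domain)'

# === Full Hardening ===

# Prerequisites run left to right (see .NOTPARALLEL above). TLS is not part of
# this chain: until ssl-setup has been run the API is served over plain HTTP.
full-harden: nginx-install nginx-deploy nginx-reload harden-apply
	@echo ""
	@echo "=== Full hardening complete ==="
	@echo "1. Nginx installed and configured"
	@echo "2. Firewall rules applied"
	@echo ""
	@echo "Next steps:"
	@echo "  1. Run 'make ssl-setup' to enable HTTPS"
	@echo "  2. Run 'make status' to verify services"
	@echo "  3. Test rate limiting: curl -I http://$(NODE1_HOST)"

# === Verification ===

# Lists listening TCP sockets on the ports of interest together with their bind
# address, as seen from the host itself. It does not prove what the firewall
# lets through from outside. grep exits non-zero when nothing matches, which
# make reports as a failure.
verify-ports:
	@echo "Checking port exposure..."
	ssh $(SSH_OPTS) $(node1) 'ss -ltnp | grep -E ":(9102|9300|6333|9090|3030|80|443)\b"'

# Runs from the local machine over plain HTTP. --max-time keeps the loop from
# hanging when the port is filtered; curl prints 000 for a request that got no
# HTTP response.
verify-ratelimit:
	@echo "Testing rate limiting (should get 429 after ~20 requests)..."
	@for i in $$(seq 1 25); do \
		curl -s -o /dev/null --max-time 5 -w "%{http_code} " http://$(NODE1_HOST)/health; \
	done
	@echo ""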