#!/usr/bin/env bash
set -euo pipefail

usage() {
  cat <<'EOF'
Usage:
  ./deployments/setup.sh

This script DOES NOT install dependencies.
It prints the manual steps and required/optional dependencies for a real (non-Docker) production deployment.
EOF
}

if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
  usage
  exit 0
fi

cat <<'EOF'
== FetchML production setup (non-Docker) ==

Required (core):
- Go-built binaries: api-server, worker
- Redis (reachable from api-server + worker)
- A writable base_path for experiments
- A writable data_dir if you want snapshot/dataset staging + integrity validation

Required (TLS/WSS):
- Caddy (recommended) OR another reverse proxy that can terminate TLS and proxy WebSockets

Optional:
- systemd (recommended) for service supervision
- MinIO / S3-compatible storage (only if you use remote snapshot_store)
- Podman (only if your worker executes jobs in Podman)

Notes:
- The Zig CLI currently supports ws:// only. In production, keep the API server internal on ws:// and terminate TLS/WSS at Caddy.
- This script is informational; it will not modify your system.

---
1) Build binaries

  make prod

Artifacts:
  ./bin/api-server
  ./bin/worker

---
2) Create a dedicated user (recommended)

  useradd --system --create-home --shell /usr/sbin/nologin fetchml

---
3) Create directories (example paths)

  mkdir -p /var/lib/fetchml/experiments
  mkdir -p /var/lib/fetchml/active/datasets /var/lib/fetchml/active/snapshots
  mkdir -p /var/log/fetchml

Ensure ownership:
  chown -R fetchml:fetchml /var/lib/fetchml /var/log/fetchml

---
4) Configure the API server

- Start from: configs/api/prod.yaml (or your multi-user config)
- For real production, keep server.tls.enabled: false
- Ensure monitoring.health_checks.enabled is set appropriately

Example flags:
  ./bin/api-server -config /etc/fetchml/api.yaml

---
5) Configure Caddy (TLS/WSS termination)

- Recommended: use deployments/Caddyfile.prod as a baseline.
- Caddy should listen on 443 and reverse proxy to the API server (internal) on 9101.

Example layout:
  /etc/caddy/Caddyfile
  /var/lib/caddy

---
6) Configure Redis

- Use Redis AUTH in production.
- Ensure the api-server + worker can reach it.

---
7) Run under systemd (recommended)

Create unit files (example):
  /etc/systemd/system/fetchml-api.service
  /etc/systemd/system/fetchml-worker.service
  /etc/systemd/system/caddy.service (if not already provided)

Then:
  systemctl daemon-reload
  systemctl enable --now fetchml-api
  systemctl enable --now fetchml-worker
  systemctl enable --now caddy

---
8) Smoke check

Internal health (no TLS):
  curl -f http://127.0.0.1:9101/health

External health (through Caddy TLS termination):
  curl -f https://YOUR_DOMAIN/health

EOF