#!/bin/bash
#
# Zabbix Agent 2 Deployment Script - Linux
# Installs and configures Zabbix Agent 2 with PSK auto-registration
# Target server: zabbix.snarfnet.net
#
# Usage: sudo bash deploy_zabbix_agent_linux.sh [psk_key]
#   psk_key - (optional) 128-char hex PSK. If omitted, one is generated.
#
set -euo pipefail

ZABBIX_SERVER="zabbix.snarfnet.net"
PSK_IDENTITY="PSK_autoregister"
PSK_FILE="/etc/zabbix/zabbix_agent2.psk"
AGENT_CONF="/etc/zabbix/zabbix_agent2.conf"
HOST_METADATA="Linux"

# --- Functions ---

log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"; }

detect_os() {
    if [ -f /etc/os-release ]; then
        . /etc/os-release
        OS_ID="${ID}"
        OS_VERSION="${VERSION_ID%%.*}"
    else
        log "ERROR: Cannot detect OS. /etc/os-release not found."
        exit 1
    fi
}

install_agent_rhel() {
    local major_ver="$1"
    log "Installing Zabbix Agent 2 on RHEL/CentOS ${major_ver}..."

    # Install Zabbix repo
    rpm -Uvh "https://repo.zabbix.com/zabbix/7.0/rhel/${major_ver}/x86_64/zabbix-release-latest-7.0.el${major_ver}.noarch.rpm" 2>/dev/null || true
    dnf clean all
    dnf install -y zabbix-agent2 zabbix-agent2-plugin-*
}

install_agent_debian() {
    local codename="$1"
    log "Installing Zabbix Agent 2 on Debian/Ubuntu (${codename})..."

    wget -q "https://repo.zabbix.com/zabbix/7.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_latest+ubuntu_all.deb" -O /tmp/zabbix-release.deb
    dpkg -i /tmp/zabbix-release.deb
    apt-get update
    apt-get install -y zabbix-agent2 zabbix-agent2-plugin-*
    rm -f /tmp/zabbix-release.deb
}

install_agent() {
    detect_os
    case "${OS_ID}" in
        rhel|centos|rocky|alma|fedora)
            install_agent_rhel "${OS_VERSION}"
            ;;
        debian|ubuntu)
            local codename
            codename=$(lsb_release -cs 2>/dev/null || echo "jammy")
            install_agent_debian "${codename}"
            ;;
        *)
            log "ERROR: Unsupported OS '${OS_ID}'. Install zabbix-agent2 manually, then re-run."
            exit 1
            ;;
    esac
}

generate_psk() {
    openssl rand -hex 32
}

configure_agent() {
    local psk_key="$1"

    log "Writing PSK to ${PSK_FILE}..."
    echo "${psk_key}" > "${PSK_FILE}"
    chmod 640 "${PSK_FILE}"
    chown root:zabbix "${PSK_FILE}"

    log "Configuring ${AGENT_CONF}..."
    cp "${AGENT_CONF}" "${AGENT_CONF}.bak.$(date +%s)"

    # Apply configuration
    sed -i "s|^Server=.*|Server=${ZABBIX_SERVER}|" "${AGENT_CONF}"
    sed -i "s|^ServerActive=.*|ServerActive=${ZABBIX_SERVER}|" "${AGENT_CONF}"
    sed -i "s|^Hostname=.*|# Hostname=|" "${AGENT_CONF}"

    # Add/update settings that may not exist
    grep -q "^HostnameItem=" "${AGENT_CONF}" && \
        sed -i "s|^HostnameItem=.*|HostnameItem=system.hostname|" "${AGENT_CONF}" || \
        echo "HostnameItem=system.hostname" >> "${AGENT_CONF}"

    grep -q "^HostMetadata=" "${AGENT_CONF}" && \
        sed -i "s|^HostMetadata=.*|HostMetadata=${HOST_METADATA}|" "${AGENT_CONF}" || \
        echo "HostMetadata=${HOST_METADATA}" >> "${AGENT_CONF}"

    grep -q "^TLSConnect=" "${AGENT_CONF}" && \
        sed -i "s|^TLSConnect=.*|TLSConnect=psk|" "${AGENT_CONF}" || \
        echo "TLSConnect=psk" >> "${AGENT_CONF}"

    grep -q "^TLSAccept=" "${AGENT_CONF}" && \
        sed -i "s|^TLSAccept=.*|TLSAccept=psk|" "${AGENT_CONF}" || \
        echo "TLSAccept=psk" >> "${AGENT_CONF}"

    grep -q "^TLSPSKIdentity=" "${AGENT_CONF}" && \
        sed -i "s|^TLSPSKIdentity=.*|TLSPSKIdentity=${PSK_IDENTITY}|" "${AGENT_CONF}" || \
        echo "TLSPSKIdentity=${PSK_IDENTITY}" >> "${AGENT_CONF}"

    grep -q "^TLSPSKFile=" "${AGENT_CONF}" && \
        sed -i "s|^TLSPSKFile=.*|TLSPSKFile=${PSK_FILE}|" "${AGENT_CONF}" || \
        echo "TLSPSKFile=${PSK_FILE}" >> "${AGENT_CONF}"
}

start_agent() {
    log "Enabling and starting zabbix-agent2..."
    systemctl enable zabbix-agent2
    systemctl restart zabbix-agent2
    systemctl status zabbix-agent2 --no-pager
}

# --- Main ---

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root." >&2
    exit 1
fi

PSK_KEY="${1:-}"
if [ -z "${PSK_KEY}" ]; then
    PSK_KEY=$(generate_psk)
    log "Generated new PSK key."
fi

# Validate PSK is valid hex and at least 32 chars
if ! echo "${PSK_KEY}" | grep -qE '^[0-9a-fA-F]{32,128}$'; then
    log "ERROR: PSK must be a 32-128 character hex string."
    exit 1
fi

log "=== Zabbix Agent 2 Deployment ==="
log "Server: ${ZABBIX_SERVER}"
log "PSK Identity: ${PSK_IDENTITY}"

install_agent
configure_agent "${PSK_KEY}"
start_agent

log "=== Deployment Complete ==="
log "PSK Identity: ${PSK_IDENTITY}"
log "PSK Key: ${PSK_KEY}"
log ""
log "IMPORTANT: Use this same PSK identity and key in your Zabbix server"
log "auto-registration encryption settings."