#!/usr/bin/env bash
set -euo pipefail

# ==== EDIT THESE ====
WIFI_SSID="Lav.Studio"
WIFI_PASS="0147258369"

LIGHT_IP="192.168.50.10/24"     # Pi's address on eth0
LIGHT_NET_DNS=""                # usually blank; no DNS on lighting net
# If you truly need a gateway on lighting (rare), set LIGHT_GW here and see notes below.
LIGHT_GW=""

# Optional: if you want a static Wi-Fi IP instead of DHCP, set WIFI_STATIC="yes"
WIFI_STATIC="no"
WIFI_IP="192.168.10.20/24"
WIFI_GW="192.168.10.1"
WIFI_DNS="192.168.10.1"
# =====================

echo "[*] Updating system..."
sudo apt update
sudo apt full-upgrade -y

echo "[*] Ensure NetworkManager is active (Bookworm default)..."
sudo systemctl enable --now NetworkManager

echo "[*] Create Ethernet profile for lighting (static IP, NO gateway)..."
# Delete default connection if it exists, to avoid conflicts
nmcli -t -f NAME,TYPE con | grep -q "^Wired connection 1:ethernet$" && nmcli con delete "Wired connection 1" || true
nmcli con delete lighting >/dev/null 2>&1 || true

nmcli con add type ethernet ifname eth0 con-name lighting ipv4.method manual ipv4.addresses "${LIGHT_IP}" ipv4.gateway "" ipv4.dns "${LIGHT_NET_DNS}" ipv6.method ignore
# Make sure this interface never installs a default route
nmcli con mod lighting ipv4.never-default yes
# Prefer Wi-Fi for routing by giving Ethernet a higher metric
nmcli con mod lighting ipv4.route-metric 300

echo "[*] Create Wi-Fi profile for Xilica..."
nmcli con delete xilica >/dev/null 2>&1 || true
if [ "${WIFI_STATIC}" = "yes" ]; then
  nmcli con add type wifi ifname wlan0 con-name xilica ssid "${WIFI_SSID}" \
    ipv4.method manual ipv4.addresses "${WIFI_IP}" ipv4.gateway "${WIFI_GW}" ipv4.dns "${WIFI_DNS}" ipv6.method ignore
else
  nmcli dev wifi connect "${WIFI_SSID}" password "${WIFI_PASS}" ifname wlan0 name xilica
  nmcli con mod xilica ipv6.method ignore
fi
# Lower metric so Wi-Fi becomes preferred default route (if it has a gateway)
nmcli con mod xilica ipv4.route-metric 200

echo "[*] Disable IP forwarding to keep networks isolated..."
sudo bash -c 'cat >/etc/sysctl.d/99-no-forwarding.conf <<EOF
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
EOF'
sudo sysctl --system

echo "[*] Install Node-RED via the official script..."
bash <(curl -sL https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered)

echo "[*] Enable Node-RED as a service..."
sudo systemctl enable nodered --now

echo "[*] (Optional) Lock down firewall to your subnets only..."
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow Node-RED editor/UI from both subnets (adjust nets if different)
sudo ufw allow from 192.168.50.0/24 to any port 1880 proto tcp
sudo ufw allow from 192.168.10.0/24 to any port 1880 proto tcp
sudo ufw --force enable

echo "[*] Done. Current addresses:"
ip -4 addr show eth0 | sed -n 's/ *inet \([0-9.\/]*\).*/eth0: \1/p'
ip -4 addr show wlan0 | sed -n 's/ *inet \([0-9.\/]*\).*/wlan0: \1/p'
echo "Node-RED should be reachable at: http://<eth0-ip>:1880 and/or http://<wlan0-ip>:1880"