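#!/bin/bash
# VPN Gateway Health Check Script
# Comprehensive system health monitoring
# Version: 1.0.0
#
# Runs seven checks (services, killswitch, VPN interface, leak test, DNS,
# disk space, WebUI), prints a score out of MAX_SCORE with a status rating,
# lists the issues found and exits with the score deficit (0 = full score).
#
# `set -e` is deliberately not used: every check is allowed to fail and is
# handled by its own `if`.
# NOTE(review): reading the iptables policy and WireGuard state normally
# needs root; run unprivileged, those checks will report failures.

# Colors
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Scoring
# NOTE: the check weights below add up to 105 (3x10 + 20 + 15 + 15 + 10 + 5
# + 10), so the total is capped at MAX_SCORE before it is reported.
TOTAL_SCORE=0
readonly MAX_SCORE=100
ISSUES=()

# Set when a check that protects against traffic leaving outside the tunnel
# fails. It forces the final rating to CRITICAL regardless of the score, so
# an inactive killswitch or a detected leak can never be reported as GOOD.
CRITICAL_FAILURE=false

# Print a green check mark.
check_mark() {
  printf '%b\n' "${GREEN}✓${NC}"
}

# Print a red cross.
x_mark() {
  printf '%b\n' "${RED}✗${NC}"
}

# Print a yellow warning sign.
warning_mark() {
  printf '%b\n' "${YELLOW}⚠${NC}"
}

# Add $1 points to the running total.
add_score() {
  TOTAL_SCORE=$((TOTAL_SCORE + $1))
}

# Record the issue text $1 for the final report.
add_issue() {
  ISSUES+=("$1")
}

printf '%b\n' "${BLUE}=== VPN Gateway Health Check ===${NC}"
echo ""

# 1. Check Services (10 points each)
echo -n "Checking services... "
services_ok=true
for service in vpn-webui vpn-killswitch vpn-security-monitor; do
  if systemctl is-active --quiet "$service" 2>/dev/null; then
    add_score 10
  else
    services_ok=false
    add_issue "Service $service is not running"
  fi
done
# Plain if/else: `a && b || c` would also run c when b itself fails.
if [[ $services_ok == true ]]; then
  check_mark
else
  x_mark
fi

# 2. Check Killswitch
# Only the default policy of the IPv4 OUTPUT chain is inspected.
# NOTE(review): IPv6 egress (ip6tables) and rules loaded directly through
# nftables are not covered here; confirm how the killswitch handles them.
echo -n "Checking killswitch... "
if iptables -L OUTPUT -n | grep -q "policy DROP"; then
  add_score 20
  check_mark
else
  CRITICAL_FAILURE=true
  add_issue "Killswitch not active!"
  x_mark
fi

# 3. Check VPN Connection
# `wg show wg0` succeeds as soon as the interface exists; it does not prove
# that a peer handshake happened or that traffic is routed through wg0.
# The result is cached so checks 3 and 4 judge the same state.
echo -n "Checking VPN connection... "
vpn_up=false
if wg show wg0 >/dev/null 2>&1; then
  vpn_up=true
fi
if [[ $vpn_up == true ]]; then
  add_score 15
  check_mark
else
  add_issue "VPN not connected"
  warning_mark
fi

# 4. Check for leaks
# Reachability of 8.8.8.8 is compared with the VPN state. Reachability while
# wg0 exists is counted as healthy, but that alone does not show which
# interface carried the probe.
echo -n "Checking for leaks... "
internet_up=false
if ping -c 1 -W 1 8.8.8.8 >/dev/null 2>&1; then
  internet_up=true
fi
if [[ $internet_up == true && $vpn_up == true ]]; then
  add_score 15
  check_mark
elif [[ $internet_up == true ]]; then
  # Traffic reaches the internet although no tunnel is up.
  CRITICAL_FAILURE=true
  add_issue "CRITICAL: Internet accessible without VPN!"
  x_mark
elif [[ $vpn_up == true ]]; then
  add_issue "VPN connected but no internet"
  warning_mark
else
  # No tunnel and no connectivity: nothing is leaking.
  add_score 15
  check_mark
fi

# 5. Check DNS
# Resolvers on loopback or in private ranges are accepted. 172.* is limited
# to 172.16.0.0/12, because the rest of 172.0.0.0/8 is publicly routable.
echo -n "Checking DNS configuration... "
dns_ok=true
while read -r dns; do
  case "$dns" in
    127.* | ::1 | 10.* | 192.168.* | 100.64.*) ;;
    172.1[6-9].* | 172.2[0-9].* | 172.3[01].*) ;;
    *)
      dns_ok=false
      add_issue "Public DNS detected: $dns"
      ;;
  esac
done < <(awk '/^nameserver/ {print $2}' /etc/resolv.conf)
if [[ $dns_ok == true ]]; then
  add_score 10
  check_mark
else
  warning_mark
fi

# 6. Check disk space
# -P keeps each filesystem on one output line. The value is validated as a
# number first, so a missing path is reported as such instead of producing
# "Critical disk usage: %".
echo -n "Checking disk space... "
disk_usage=$(df -P /opt/vpn-gateway 2>/dev/null \
  | awk 'NR == 2 { sub(/%/, "", $5); print $5 }')
if [[ ! $disk_usage =~ ^[0-9]+$ ]]; then
  add_issue "Unable to determine disk usage for /opt/vpn-gateway"
  warning_mark
elif ((disk_usage < 80)); then
  add_score 5
  check_mark
elif ((disk_usage < 90)); then
  add_issue "Disk usage high: ${disk_usage}%"
  warning_mark
else
  add_issue "Critical disk usage: ${disk_usage}%"
  x_mark
fi

# 7. Check WebUI accessibility
# --max-time keeps a hung WebUI from blocking the whole health check.
# Any HTTP response counts as reachable, including error statuses.
echo -n "Checking WebUI... "
if curl -s --max-time 5 http://localhost:5000/api/status >/dev/null 2>&1; then
  add_score 10
  check_mark
else
  add_issue "WebUI not accessible"
  x_mark
fi

# Results
# Cap the total: uncapped, a fully healthy system scores 105, is shown as
# 105/100 and exits with status 251 (-5 modulo 256) instead of 0.
if ((TOTAL_SCORE > MAX_SCORE)); then
  TOTAL_SCORE=$MAX_SCORE
fi

echo ""
printf '%b\n' "${BLUE}=== Health Score: $TOTAL_SCORE/$MAX_SCORE ===${NC}"
echo ""

if [[ $CRITICAL_FAILURE == true ]]; then
  printf '%b\n' "${RED}System Status: CRITICAL${NC}"
elif ((TOTAL_SCORE >= 90)); then
  printf '%b\n' "${GREEN}System Status: EXCELLENT${NC}"
elif ((TOTAL_SCORE >= 70)); then
  printf '%b\n' "${GREEN}System Status: GOOD${NC}"
elif ((TOTAL_SCORE >= 50)); then
  printf '%b\n' "${YELLOW}System Status: WARNING${NC}"
else
  printf '%b\n' "${RED}System Status: CRITICAL${NC}"
fi

if ((${#ISSUES[@]} > 0)); then
  echo ""
  echo "Issues found:"
  for issue in "${ISSUES[@]}"; do
    printf '  - %s\n' "$issue"
  done
fi

# Exit status is the score deficit: 0 means every point was earned.
exit $((MAX_SCORE - TOTAL_SCORE))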