install.sh

#!/usr/bin/env bash
# ============================================================================
#  Web.Casa — One-Click Install Script
#  https://web.casa
#
#  Supports: Ubuntu 20+, Debian 11+, CentOS Stream 8+, AlmaLinux 8+, Fedora 38+
#           openAnolis, Alibaba Cloud Linux, openEuler, openCloudOS, Kylin (银河麒麟)
#
#  Usage:
#    curl -fsSL https://raw.githubusercontent.com/web-casa/webcasa/main/install.sh | bash
#    or:
#    bash install.sh
#
#  Options:
#    --uninstall             Remove WebCasa (keeps data by default)
#    --purge                 Remove WebCasa and all data
#    --no-caddy              Skip Caddy installation
#    --no-podman             Skip Podman install (expert; WebCasa will fail until Podman is manually set up)
#    --port PORT             Set panel port (default: 39921)
#    --from-source           Build from source instead of downloading pre-built binary
#    --upgrade               Upgrade to latest version (pre-built binary)
#    --upgrade-from-source   Upgrade to latest version (build from source)
#    --pro                   Install Pro edition (requires RHEL-based OS 9/10)
#    -y, --yes               Non-interactive mode (skip prompts)
# ============================================================================

set -euo pipefail

# ==================== Load Pinned Versions ====================
# VERSIONS file contains GO_MAJOR, NODE_MAJOR, KOPIA etc.
SCRIPT_SELF_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && pwd 2>/dev/null || echo ".")"
if [[ -f "$SCRIPT_SELF_DIR/VERSIONS" ]]; then
    # shellcheck source=VERSIONS
    source "$SCRIPT_SELF_DIR/VERSIONS"
fi
# Defaults if VERSIONS file is missing (e.g. curl|bash without local clone)
: "${GO_MAJOR:=1.26}"
: "${NODE_MAJOR:=24}"
: "${CADDY:=2.11.2}"
: "${KOPIA:=0.22.3}"

# ==================== Configuration ====================
# Auto-detect version: local VERSION file → GitHub latest release → fallback
SCRIPT_SELF="${BASH_SOURCE[0]:-}"
if [[ -n "$SCRIPT_SELF" && -f "$(dirname "$SCRIPT_SELF")/VERSION" ]]; then
    WEBCASA_VERSION="$(cat "$(dirname "$SCRIPT_SELF")/VERSION" | tr -d '[:space:]')"
elif command -v curl &>/dev/null; then
    WEBCASA_VERSION="$(curl -fsSL https://api.github.com/repos/web-casa/webcasa/releases/latest 2>/dev/null | grep -oP '"tag_name":\s*"v?\K[^"]+' || echo "0.9.3")"
else
    WEBCASA_VERSION="0.9.3"
fi
GITHUB_REPO="web-casa/webcasa"
INSTALL_DIR="/usr/local/bin"
DATA_DIR="/var/lib/webcasa"
LOG_DIR="/var/log/webcasa"
CONFIG_DIR="/etc/webcasa"
SERVICE_USER="webcasa"
PANEL_PORT="39921"
SKIP_CADDY=false
SKIP_PODMAN=false
UNINSTALL=false
PURGE=false
NON_INTERACTIVE=false
FROM_SOURCE=false
PRO_MODE=false
UPGRADE=false
UPGRADE_FROM_SOURCE=false

# ==================== Colors ====================
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
BOLD='\033[1m'
NC='\033[0m'

# ==================== Helpers ====================
info()    { echo -e "${BLUE}[INFO]${NC} $*"; }
success() { echo -e "${GREEN}[OK]${NC}   $*"; }
warn()    { echo -e "${YELLOW}[WARN]${NC} $*"; }
error()   { echo -e "${RED}[ERR]${NC}  $*" >&2; }
fatal()   { error "$*"; exit 1; }
step()    { echo -e "\n${CYAN}${BOLD}▶ $*${NC}"; }

check_root() {
    if [[ $EUID -ne 0 ]]; then
        fatal "This script must be run as root. Try: sudo bash install.sh"
    fi
}

# ==================== OS Detection ====================
detect_os() {
    if [[ ! -f /etc/os-release ]]; then
        fatal "Cannot detect OS: /etc/os-release not found"
    fi

    . /etc/os-release

    OS_ID="${ID,,}"
    OS_VERSION_ID="${VERSION_ID:-}"
    OS_NAME="${PRETTY_NAME:-$ID}"

    # Normalize OS family
    case "$OS_ID" in
        ubuntu)                 OS_FAMILY="debian" ;;
        debian)                 OS_FAMILY="debian" ;;
        centos)                 OS_FAMILY="rhel" ;;
        almalinux|alma)         OS_FAMILY="rhel" ;;
        rocky|rockylinux)       OS_FAMILY="rhel" ;;
        fedora)                 OS_FAMILY="rhel" ;;
        rhel|redhat)            OS_FAMILY="rhel" ;;
        # Chinese domestic distributions
        anolis)                 OS_FAMILY="rhel" ;;  # openAnolis (Alibaba)
        alinux)                 OS_FAMILY="rhel" ;;  # Alibaba Cloud Linux
        openeuler|openEuler)    OS_FAMILY="rhel" ;;  # openEuler (Huawei)
        opencloudos)            OS_FAMILY="rhel" ;;  # openCloudOS (Tencent)
        kylin)
            # Kylin Desktop is Ubuntu-based (apt), Kylin Server is CentOS-based (dnf/yum)
            if command -v apt-get &>/dev/null && ! command -v dnf &>/dev/null; then
                OS_FAMILY="debian"
            else
                OS_FAMILY="rhel"
            fi
            ;;  # Kylin 银河麒麟
        *)
            # Last-resort auto-detection by package manager
            if command -v apt-get &>/dev/null; then
                warn "Unknown OS '$OS_ID', detected apt — treating as Debian-family"
                OS_FAMILY="debian"
            elif command -v dnf &>/dev/null || command -v yum &>/dev/null; then
                warn "Unknown OS '$OS_ID', detected dnf/yum — treating as RHEL-family"
                OS_FAMILY="rhel"
            else
                fatal "Unsupported OS: $OS_NAME ($OS_ID)."
            fi
            ;;
    esac

    # Detect architecture
    ARCH=$(uname -m)
    case "$ARCH" in
        x86_64)     ARCH_SUFFIX="linux-amd64"; GO_ARCH="amd64" ;;
        aarch64)    ARCH_SUFFIX="linux-arm64"; GO_ARCH="arm64" ;;
        *)          fatal "Unsupported architecture: $ARCH" ;;
    esac

    info "Detected OS: ${BOLD}$OS_NAME${NC} ($OS_FAMILY/$ARCH)"
}

# ==================== Pro Edition OS Check ====================
check_pro_os() {
    step "Checking Pro edition OS requirements"

    case "$OS_ID" in
        rocky|rockylinux|almalinux|alma|centos|rhel|redhat|ol)
            local MAJOR="${OS_VERSION_ID%%.*}"
            if [[ "$MAJOR" -lt 9 ]]; then
                fatal "Pro edition requires ${OS_NAME} 9+. Detected version: ${OS_VERSION_ID}\n  Supported: Rocky/AlmaLinux/CentOS Stream/RHEL/Oracle Linux 9 or 10\n  For other OS, install Lite edition (without --pro flag)"
            fi
            ;;
        anolis)
            local MAJOR="${OS_VERSION_ID%%.*}"
            if [[ "$MAJOR" -lt 9 ]]; then
                fatal "Pro edition requires openAnolis 9+. Detected version: ${OS_VERSION_ID}"
            fi
            ;;
        alinux)
            local MAJOR="${OS_VERSION_ID%%.*}"
            if [[ "$MAJOR" -lt 3 ]]; then
                fatal "Pro edition requires Alibaba Cloud Linux 3+. Detected version: ${OS_VERSION_ID}"
            fi
            ;;
        opencloudos)
            local MAJOR="${OS_VERSION_ID%%.*}"
            if [[ "$MAJOR" -lt 9 ]]; then
                fatal "Pro edition requires openCloudOS 9+. Detected version: ${OS_VERSION_ID}"
            fi
            ;;
        *)
            fatal "Pro edition requires a RHEL-based OS.\n  Supported: Rocky Linux 9/10, AlmaLinux 9/10, CentOS Stream 9/10,\n             RHEL 9/10, Oracle Linux 9/10, openAnolis 9+,\n             Alibaba Cloud Linux 3+, openCloudOS 9+\n  Detected: ${OS_NAME} (${OS_ID})\n  For other OS, install Lite edition (without --pro flag)"
            ;;
    esac

    success "OS check passed: ${OS_NAME} is supported for Pro edition"
}

# ==================== Parse Arguments ====================
parse_args() {
    while [[ $# -gt 0 ]]; do
        case "$1" in
            --uninstall)    UNINSTALL=true; shift ;;
            --purge)        PURGE=true; UNINSTALL=true; shift ;;
            --no-caddy)     SKIP_CADDY=true; shift ;;
            --no-podman)    SKIP_PODMAN=true; shift ;;
            --port)         PANEL_PORT="$2"; shift 2 ;;
            --from-source)  FROM_SOURCE=true; shift ;;
            --upgrade)      UPGRADE=true; shift ;;
            --upgrade-from-source) UPGRADE_FROM_SOURCE=true; FROM_SOURCE=true; shift ;;
            --pro)          PRO_MODE=true; shift ;;
            -y|--yes)       NON_INTERACTIVE=true; shift ;;
            -h|--help)      usage; exit 0 ;;
            *)              warn "Unknown option: $1"; shift ;;
        esac
    done
}

usage() {
    cat <<EOF
${BOLD}Web.Casa Installer v${WEBCASA_VERSION}${NC}
https://web.casa

Usage: bash install.sh [OPTIONS]

Options:
  --uninstall      Remove Web.Casa (keeps data)
  --purge          Remove Web.Casa and all data
  --no-caddy       Skip Caddy installation
  --no-podman      Skip Podman installation (expert mode; manual runtime required)
  --port PORT      Set panel port (default: 39921)
  --from-source              Build from source (requires Go + Node.js)
  --upgrade                  Upgrade to latest version (pre-built binary)
  --upgrade-from-source      Upgrade to latest version (build from source)
  --pro                      Install Pro edition (RHEL-based OS 9/10 only)
  -y, --yes        Non-interactive mode (skip prompts)
  -h, --help       Show this help

Supported OS (Lite):
  Ubuntu 20.04+, Debian 11+, CentOS Stream 8+,
  AlmaLinux 8+, Rocky Linux 8+, Fedora 38+,
  openAnolis, Alibaba Cloud Linux, openEuler,
  openCloudOS, Kylin (银河麒麟)

Supported OS (Pro — --pro flag):
  Rocky Linux 9/10, AlmaLinux 9/10, CentOS Stream 9/10,
  RHEL 9/10, Oracle Linux 9/10, openAnolis 9+,
  Alibaba Cloud Linux 3+, openCloudOS 9+

Features (Pro):
  Reverse Proxy Management, File Manager, Web Terminal,
  Docker Management, Project Deploy (Git), AI Assistant
EOF
}

# ==================== Uninstall ====================
do_uninstall() {
    step "Uninstalling WebCasa"

    # Stop and disable service
    if systemctl is-active --quiet webcasa 2>/dev/null; then
        info "Stopping WebCasa service..."
        systemctl stop webcasa
    fi
    if systemctl is-enabled --quiet webcasa 2>/dev/null; then
        systemctl disable webcasa
    fi

    # Remove files
    rm -f /etc/systemd/system/webcasa.service
    rm -f "$INSTALL_DIR/webcasa-server"
    rm -f "$INSTALL_DIR/webcasa"
    systemctl daemon-reload

    if $PURGE; then
        warn "Purging all data..."
        rm -rf "$DATA_DIR"
        rm -rf "$LOG_DIR"
        rm -rf "$CONFIG_DIR"
        # Remove podman group membership (v0.12+); also drop stale docker group
        # membership in case the user ran an earlier version.
        if id "$SERVICE_USER" &>/dev/null; then
            gpasswd -d "$SERVICE_USER" podman 2>/dev/null || true
            gpasswd -d "$SERVICE_USER" docker 2>/dev/null || true
        fi
        userdel -r "$SERVICE_USER" 2>/dev/null || true
        groupdel "$SERVICE_USER" 2>/dev/null || true
        rm -f /etc/sudoers.d/webcasa
        # Our podman.socket drop-in + nodocker marker are WebCasa-specific.
        # podman / podman-compose packages themselves are left installed for
        # sysadmins who want to keep using the container runtime.
        rm -f /etc/systemd/system/podman.socket.d/10-webcasa-group.conf
        rmdir /etc/systemd/system/podman.socket.d 2>/dev/null || true
        rm -f /etc/containers/nodocker
        systemctl daemon-reload 2>/dev/null || true

        # Remove our /var/run/docker.sock symlink ONLY if it still points
        # at the Podman socket. If the admin later installed Docker CE or
        # another runtime, the symlink target will have changed — leave it.
        if [[ -L /var/run/docker.sock ]]; then
            local _link_target
            _link_target=$(readlink /var/run/docker.sock)
            if [[ "$_link_target" == "/run/podman/podman.sock" ]]; then
                rm -f /var/run/docker.sock
                info "Removed /var/run/docker.sock symlink"
            fi
        fi

        # Restart podman.socket so the removed drop-in is re-evaluated and
        # the socket returns to its default (root:root) permissions. Without
        # this, a running socket keeps its custom SocketGroup=podman mode
        # 0660 until the next reboot or manual restart.
        if systemctl is-active --quiet podman.socket 2>/dev/null; then
            systemctl restart podman.socket 2>/dev/null || true
            info "Restarted podman.socket (defaults restored)"
        fi

        success "Web.Casa completely removed (including data)"
    else
        info "Data preserved at: $DATA_DIR"
        info "Config preserved at: $CONFIG_DIR"
        success "Web.Casa removed (data kept). Use --purge to remove everything."
    fi

    exit 0
}

# ==================== Install Dependencies ====================
install_deps() {
    step "Installing base dependencies"
    case "$OS_FAMILY" in
        debian)
            apt-get update -qq
            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq \
                curl wget ca-certificates tar gzip xz-utils sqlite3 jq git bash > /dev/null
            ;;
        rhel)
            if command -v dnf &>/dev/null; then
                dnf install -y -q curl wget ca-certificates tar gzip xz which sqlite jq git bash
            else
                yum install -y -q curl wget ca-certificates tar gzip xz which sqlite jq git bash
            fi
            ;;
    esac
    success "Dependencies installed"
}

# ==================== Install Podman ====================
# v0.12: Podman replaces Docker as the sole container runtime. Both
# AlmaLinux 9 and 10 ship Podman 5.6 in AppStream, so the install is
# identical across OS versions. Docker CLI compatibility is preserved via
# the podman-docker shim; app-store containers that mount /var/run/docker.sock
# work transparently via a symlink to /run/podman/podman.sock.
install_podman() {
    if $SKIP_PODMAN; then
        warn "Skipping Podman install (--no-podman). WebCasa container/deploy plugins will fail until a runtime is configured manually."
        return
    fi

    # Only rhel-family is supported; Debian/Ubuntu path is unmaintained.
    if [[ "$OS_FAMILY" != "rhel" ]]; then
        fatal "v0.12 requires an EL9/EL10-family distro (AlmaLinux / Rocky / RHEL / CentOS Stream / Fedora). Detected OS family: $OS_FAMILY"
    fi

    step "Installing Podman 5.6 from AppStream"

    local PKG_MGR="dnf"
    if ! command -v dnf &>/dev/null; then
        PKG_MGR="yum"
    fi

    # podman / podman-docker ship in AppStream, but podman-compose is only
    # in EPEL (not yet in RHEL AppStream as of EL10). Enable EPEL first so
    # the core install transaction succeeds on a minimal image.
    # Note: `dnf repoquery` returns 0 even when no packages match — check
    # for non-empty stdout instead of relying on exit status.
    if ! $PKG_MGR repoquery --quiet podman-compose 2>/dev/null | grep -q .; then
        info "podman-compose not in base repos; enabling EPEL ..."
        $PKG_MGR install -y -q epel-release
    fi

    # Install the core stack in a single transaction:
    #   podman          — the container engine
    #   podman-docker   — /usr/bin/docker shim forwarding to podman
    #   podman-compose  — Python-based Compose v3 reimplementation (EPEL)
    $PKG_MGR install -y -q podman podman-docker podman-compose

    # The podman RPM does NOT create a `podman` unix group — the rootful
    # socket defaults to root:root mode 0600, leaving non-root users locked
    # out. Create the group ourselves + drop-in so the socket becomes
    # root:podman mode 0660. The WebCasa service (running as webcasa user)
    # connects via SupplementaryGroups=podman.
    if ! getent group podman &>/dev/null; then
        groupadd -r podman || fatal "Failed to create 'podman' group; cannot proceed (check: tail /var/log/messages)"
    fi
    # Post-condition: group must exist now, otherwise SocketGroup=podman in
    # the drop-in below would leave the socket root:root and webcasa locked out.
    getent group podman &>/dev/null || fatal "'podman' group missing after groupadd; aborting"

    install -d -m 755 /etc/systemd/system/podman.socket.d
    cat > /etc/systemd/system/podman.socket.d/10-webcasa-group.conf <<'SOCKCONF'
# Added by WebCasa install.sh — allow the podman group to access the
# rootful Podman socket so non-root services (webcasa) can use it.
[Socket]
SocketMode=0660
SocketGroup=podman
SOCKCONF

    # Silence "Emulate Docker CLI using podman" motd from podman-docker.
    install -d -m 755 /etc/containers
    : > /etc/containers/nodocker

    # Short-name resolution: EL9/EL10 ship `short-name-mode = enforcing` by
    # default, which means a compose file referencing `portainer/portainer-ce`
    # (no registry prefix — the Tipi catalogue WebCasa imports uses these
    # everywhere) is rejected with "short-name resolution enforced but cannot
    # prompt without a TTY" in any non-interactive context. WebCasa installs
    # apps via SSE/CLI, never with a TTY attached, so without this drop-in
    # the entire app-store breaks.
    #
    # Drop file (not main config) so we don't collide with admin overrides.
    # Per containers-registries.conf.d(5), drop-ins load alphabetically and
    # LATER files override earlier ones ("last wins") — so we pick the
    # highest-priority name (999-*) to survive any future system package
    # that installs its own 100-*.conf / 500-*.conf.
    install -d -m 755 /etc/containers/registries.conf.d
    # Remove the earlier (pre-v0.12.0 beta) 000- prefix if present — it
    # was backwards-ordered and could be silently overridden.
    rm -f /etc/containers/registries.conf.d/000-webcasa-shortnames.conf
    cat > /etc/containers/registries.conf.d/999-webcasa-shortnames.conf <<'REGCONF'
# Added by WebCasa install.sh — let app-store compose files reference
# images by short name (e.g. portainer/portainer-ce:tag) without an
# explicit docker.io/ prefix. Resolves to docker.io.
unqualified-search-registries = ['docker.io']
short-name-mode = 'permissive'
REGCONF

    # NOTE: docker.sock-mounting apps (portainer, dockge, dozzle, etc.)
    # need `security_opt: ['label=disable']` per-service to bypass the
    # silent SELinux dontaudit denial that blocks container_t from
    # accessing var_run_t sockets. There is no off-the-shelf SELinux
    # boolean that fixes this (container_manage_cgroup, container_use_*
    # are all unrelated). The injection happens at compose-render time
    # in plugins/appstore/renderer.go:injectSocketLabelDisable, not in
    # install.sh — the renderer has the per-service context to know
    # which compose services need it.

    # Container-install detection: install.sh is exercised inside a plain
    # Docker container by scripts/test-install.sh (no PID 1 = systemd, no
    # /run/systemd/system). In that case skip every systemctl call — the
    # drop-in + group + package files are on disk and will apply as soon
    # as the host boots real systemd. Real installs on a VM/bare-metal
    # always have /run/systemd/system.
    if [[ -d /run/systemd/system ]]; then
        systemctl daemon-reload

        # Enable + restart the system-wide rootful socket. `enable --now`
        # alone is a no-op on already-running sockets (e.g. re-running
        # install.sh), so the drop-in above would not re-chgrp an existing
        # socket. `restart` forces systemd to tear down and re-create the
        # socket with the new SocketGroup=podman ownership.
        systemctl enable podman.socket
        systemctl restart podman.socket

        # Wait up to 10s for the socket file to appear (systemd is async).
        for _ in $(seq 1 10); do
            [[ -S /run/podman/podman.sock ]] && break
            sleep 1
        done
        [[ -S /run/podman/podman.sock ]] || fatal "podman.socket failed to start; check: journalctl -u podman.socket"
    else
        info "No systemd detected (containerised install?); skipping podman.socket enable and socket-ready wait"
    fi

    # Docker socket compatibility: app-store containers that bind-mount
    # /var/run/docker.sock (portainer, dockge, dozzle, ...) continue to
    # work without modification. Decision tree:
    #   - no entry at all -> create symlink
    #   - existing symlink pointing at our Podman socket -> leave (idempotent)
    #   - existing symlink pointing elsewhere (dead or to another target) ->
    #     leave with a warning; admin has a non-default setup
    #   - existing regular file/socket -> leave with a warning; don't clobber
    install -d -m 755 /var/run
    if [[ -L /var/run/docker.sock ]]; then
        local _target
        _target=$(readlink /var/run/docker.sock)
        if [[ "$_target" == "/run/podman/podman.sock" ]]; then
            info "/var/run/docker.sock already points at Podman socket"
        else
            warn "/var/run/docker.sock is a symlink to $_target; leaving untouched — app-store containers that mount docker.sock may not work"
        fi
    elif [[ -e /var/run/docker.sock ]]; then
        warn "/var/run/docker.sock exists as a non-symlink (real file/socket); leaving untouched"
    else
        ln -sf /run/podman/podman.sock /var/run/docker.sock
        info "Linked /var/run/docker.sock → /run/podman/podman.sock"
    fi

    # Smoke-test the podman-docker shim against a LIVE server — only
    # meaningful when systemd is running the socket. Containerised installs
    # (no /run/systemd/system) still have the packages + group + drop-in on
    # disk; just skip the liveness probe.
    if [[ -d /run/systemd/system ]]; then
        if ! docker version --format '{{.Server.Version}}' &>/dev/null; then
            fatal "podman-docker shim is installed but 'docker version' failed. Investigate 'podman info' and 'systemctl status podman.socket'."
        fi
    fi

    local podman_ver
    podman_ver=$(podman version --format '{{.Version}}' 2>/dev/null || echo "unknown")
    success "Podman ${podman_ver} installed"
}

# ==================== Install Caddy ====================
install_caddy() {
    if $SKIP_CADDY; then
        warn "Skipping Caddy installation (--no-caddy)"
        return
    fi

    step "Installing Caddy v${CADDY}"

    if command -v caddy &>/dev/null; then
        local CURRENT_VER
        CURRENT_VER=$(caddy version 2>/dev/null | awk '{print $1}' | sed 's/^v//' || echo "unknown")
        if [[ "$CURRENT_VER" == "$CADDY" ]]; then
            success "Caddy ${CURRENT_VER} already installed (up to date)"
            return
        fi
        info "Caddy ${CURRENT_VER} → ${CADDY} (upgrading...)"
    fi

    # Map architecture to Caddy release naming
    local CADDY_ARCH
    case "$(uname -m)" in
        x86_64)  CADDY_ARCH="amd64" ;;
        aarch64) CADDY_ARCH="arm64" ;;
        *)       fatal "Unsupported architecture for Caddy: $(uname -m)" ;;
    esac

    local CADDY_URL="https://github.com/caddyserver/caddy/releases/download/v${CADDY}/caddy_${CADDY}_linux_${CADDY_ARCH}.tar.gz"
    local CADDY_TMP
    CADDY_TMP=$(mktemp -d)

    info "Downloading from ${CADDY_URL}..."
    curl -fsSL "$CADDY_URL" -o "${CADDY_TMP}/caddy.tar.gz" || fatal "Failed to download Caddy v${CADDY}"

    tar -xzf "${CADDY_TMP}/caddy.tar.gz" -C "$CADDY_TMP" || fatal "Failed to extract Caddy archive"

    if [[ ! -f "${CADDY_TMP}/caddy" ]]; then
        fatal "Caddy binary not found in archive"
    fi

    install -m 0755 "${CADDY_TMP}/caddy" /usr/local/bin/caddy
    rm -rf "$CADDY_TMP"

    # Allow Caddy to bind to privileged ports (80, 443)
    setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy 2>/dev/null || true

    success "Caddy $(caddy version 2>/dev/null || echo "$CADDY") installed to /usr/local/bin/caddy"
}

# ==================== Install WebCasa (Download Pre-built) ====================
install_prebuilt() {
    step "Installing WebCasa v${WEBCASA_VERSION}"

    # Check GLIBC version (pre-built binary requires >= 2.32)
    local GLIBC_VER="0.0"
    if command -v ldd &>/dev/null; then
        # Try isolating the version string (e.g. "2.35") from the first line securely
        local RAW_VER
        RAW_VER=$(ldd --version 2>&1 | awk 'NR==1 {print $NF}')
        # Ensure the string only contains numbers and a dot
        if [[ "$RAW_VER" =~ ^[0-9]+\.[0-9]+ ]]; then
            GLIBC_VER="$RAW_VER"
        fi
    fi

    local GLIBC_MAJOR="${GLIBC_VER%%.*}"
    local GLIBC_MINOR="${GLIBC_VER##*.}"
    if [[ "$GLIBC_MAJOR" -lt 2 ]] || { [[ "$GLIBC_MAJOR" -eq 2 ]] && [[ "$GLIBC_MINOR" -lt 32 ]]; }; then
        error "系统 GLIBC 版本为 ${GLIBC_VER}，预编译二进制需要 GLIBC >= 2.32"
        error "AlmaLinux/CentOS/RHEL 8 等旧发行版不支持预编译安装"
        error "请升级到 RHEL 9 系列或 Ubuntu 22.04+，或使用源码编译："
        error "  bash install.sh --from-source"
        exit 1
    fi

    # Determine download URL
    local TARBALL="webcasa-${ARCH_SUFFIX}.tar.gz"
    local URL="https://github.com/${GITHUB_REPO}/releases/download/v${WEBCASA_VERSION}/${TARBALL}"

    info "Downloading from ${URL} ..."
    wget -q --show-progress -O "/tmp/${TARBALL}" "$URL" || {
        error "Download failed. The release v${WEBCASA_VERSION} may not exist."
        error "Try: bash install.sh --from-source"
        exit 1
    }

    # Verify checksum if available
    local SHA_URL="${URL}.sha256"
    if wget -q -O "/tmp/${TARBALL}.sha256" "$SHA_URL" 2>/dev/null; then
        info "Verifying checksum..."
        cd /tmp && sha256sum -c "${TARBALL}.sha256" && success "Checksum verified" || warn "Checksum mismatch!"
    fi

    # Extract
    info "Extracting..."
    tar -xzf "/tmp/${TARBALL}" -C /tmp/

    local EXTRACT_DIR="/tmp/webcasa-${ARCH_SUFFIX}"

    # Install server binary (renamed from webcasa to webcasa-server)
    cp -f "${EXTRACT_DIR}/webcasa" "$INSTALL_DIR/webcasa-server"
    chmod 755 "$INSTALL_DIR/webcasa-server"

    # Install frontend
    mkdir -p "$DATA_DIR/web"
    cp -r "${EXTRACT_DIR}/web/dist" "$DATA_DIR/web/"

    # Cleanup
    rm -rf "/tmp/${TARBALL}" "/tmp/${TARBALL}.sha256" "$EXTRACT_DIR"

    success "WebCasa v${WEBCASA_VERSION} installed"
}

# ==================== Install WebCasa (Build from Source) ====================
install_from_source() {
    step "Building WebCasa from source"

    # Install Go
    install_go

    # Install Node.js
    install_nodejs

    # Install build tools
    case "$OS_FAMILY" in
        debian) DEBIAN_FRONTEND=noninteractive apt-get install -y -qq gcc make git > /dev/null ;;
        rhel)
            if command -v dnf &>/dev/null; then
                dnf install -y -q gcc make git
            else
                yum install -y -q gcc make git
            fi
            ;;
    esac

    # Determine source directory
    SCRIPT_DIR="$(cd "$(dirname "${SCRIPT_SELF:-$0}")" && pwd)"

    if [[ -f "$SCRIPT_DIR/main.go" ]]; then
        SRC_DIR="$SCRIPT_DIR"
    elif [[ -f "$SCRIPT_DIR/../main.go" ]]; then
        SRC_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
    else
        info "Cloning WebCasa source..."
        SRC_DIR="/tmp/webcasa-build"
        rm -rf "$SRC_DIR"
        git clone --depth 1 https://github.com/${GITHUB_REPO}.git "$SRC_DIR"
    fi

    info "Source directory: $SRC_DIR"

    # Build frontend
    info "Building frontend..."
    cd "$SRC_DIR/web"
    npm ci 2>&1
    npm run build 2>&1
    success "Frontend built"

    # Build backend
    info "Building Go backend..."
    cd "$SRC_DIR"
    export PATH=$PATH:/usr/local/go/bin
    export CGO_ENABLED=1
    go build -ldflags="-s -w -X main.Version=${WEBCASA_VERSION}" -o webcasa .
    success "Backend built"

    # Install server binary (renamed from webcasa to webcasa-server)
    cp -f webcasa "$INSTALL_DIR/webcasa-server"
    chmod 755 "$INSTALL_DIR/webcasa-server"

    # Install frontend
    mkdir -p "$DATA_DIR/web/dist"
    cp -r web/dist/* "$DATA_DIR/web/dist/"

    success "WebCasa v${WEBCASA_VERSION} installed"
}

install_cli_script() {
    step "Installing CLI management tool"

    local CLI_SRC=""

    # Check if scripts/webcasa-cli.sh exists locally (build from source / local install)
    if [[ -n "${SRC_DIR:-}" && -f "${SRC_DIR}/scripts/webcasa-cli.sh" ]]; then
        CLI_SRC="${SRC_DIR}/scripts/webcasa-cli.sh"
    elif [[ -f "${SCRIPT_SELF_DIR}/scripts/webcasa-cli.sh" ]]; then
        CLI_SRC="${SCRIPT_SELF_DIR}/scripts/webcasa-cli.sh"
    fi

    if [[ -n "$CLI_SRC" ]]; then
        cp -f "$CLI_SRC" "$INSTALL_DIR/webcasa"
    else
        # Download from GitHub
        info "Downloading CLI script..."
        curl -fsSL "https://raw.githubusercontent.com/${GITHUB_REPO}/v${WEBCASA_VERSION}/scripts/webcasa-cli.sh" \
            -o "$INSTALL_DIR/webcasa" || {
            # Fallback to main branch
            curl -fsSL "https://raw.githubusercontent.com/${GITHUB_REPO}/main/scripts/webcasa-cli.sh" \
                -o "$INSTALL_DIR/webcasa" || {
                warn "Failed to download CLI script, creating minimal wrapper"
                cat > "$INSTALL_DIR/webcasa" <<'MINEOF'
#!/usr/bin/env bash
echo "Web.Casa CLI (minimal). Reinstall for full functionality."
echo "Usage: webcasa-server --version"
exec /usr/local/bin/webcasa-server "$@"
MINEOF
            }
        }
    fi

    chmod 755 "$INSTALL_DIR/webcasa"
    # Embed actual version into the CLI script
    sed -i "s/^VERSION=.*/VERSION=\"${WEBCASA_VERSION}\"/" "$INSTALL_DIR/webcasa"

    success "CLI tool installed: ${INSTALL_DIR}/webcasa"
}

install_go() {
    # GO_MAJOR is loaded from VERSIONS file

    if command -v go &>/dev/null; then
        CURRENT_GO=$(go version | grep -oP 'go\K[0-9]+\.[0-9]+')
        if printf '%s\n%s' "1.22" "$CURRENT_GO" | sort -V | head -1 | grep -q "^1.22$"; then
            info "Go $CURRENT_GO already installed"
            return
        fi
    fi

    # Auto-detect latest patch version
    info "Fetching latest Go ${GO_MAJOR}.x version..."
    local GO_VERSION
    GO_VERSION=$(curl -fsSL "https://go.dev/dl/?mode=json" | \
        grep -oP "go${GO_MAJOR}\.[0-9]+" | head -1 | sed 's/^go//')

    if [[ -z "$GO_VERSION" ]]; then
        # Fallback to .0
        GO_VERSION="${GO_MAJOR}.0"
        warn "Could not detect latest Go version, falling back to $GO_VERSION"
    fi

    info "Installing Go $GO_VERSION ..."
    local GO_TAR="go${GO_VERSION}.linux-${GO_ARCH}.tar.gz"
    wget -q --show-progress -O "/tmp/${GO_TAR}" "https://go.dev/dl/${GO_TAR}"
    rm -rf /usr/local/go
    tar -C /usr/local -xzf "/tmp/${GO_TAR}"
    rm -f "/tmp/${GO_TAR}"
    echo 'export PATH=$PATH:/usr/local/go/bin' > /etc/profile.d/go.sh
    export PATH=$PATH:/usr/local/go/bin
    success "Go $(go version | grep -oP 'go\K\S+') installed"
}

install_nodejs() {
    # NODE_MAJOR is loaded from VERSIONS file

    if command -v node &>/dev/null; then
        NODE_VER=$(node --version | tr -d 'v' | cut -d. -f1)
        if [[ "$NODE_VER" -ge "$NODE_MAJOR" ]]; then
            info "Node.js $(node --version) already installed"
            return
        fi
    fi

    info "Fetching latest Node.js v${NODE_MAJOR}.x ..."
    local NODE_FULL_VER
    NODE_FULL_VER=$(curl -fsSL "https://nodejs.org/dist/latest-v${NODE_MAJOR}.x/" \
        | grep -oP 'node-v\K[0-9]+\.[0-9]+\.[0-9]+' | head -1)

    [[ -z "$NODE_FULL_VER" ]] && fatal "Failed to fetch Node.js version"

    # Node.js uses "x64" not "amd64"
    local NODE_ARCH="$GO_ARCH"
    [[ "$NODE_ARCH" == "amd64" ]] && NODE_ARCH="x64"

    local NODE_TAR="node-v${NODE_FULL_VER}-linux-${NODE_ARCH}.tar.xz"
    info "Downloading Node.js v${NODE_FULL_VER} ..."
    wget -q --show-progress -O "/tmp/${NODE_TAR}" "https://nodejs.org/dist/v${NODE_FULL_VER}/${NODE_TAR}"
    tar -C /usr/local --strip-components=1 -xJf "/tmp/${NODE_TAR}"
    rm -f "/tmp/${NODE_TAR}"
    hash -r
    success "Node.js $(node --version) installed"
}

# ==================== Setup System ====================
setup_user() {
    step "Setting up system user and directories"

    if ! id "$SERVICE_USER" &>/dev/null; then
        # Set HOME to $DATA_DIR (already managed below) so Podman / CLI tools
        # looking for $HOME/.config/containers don't warn about a missing
        # /home/webcasa. --no-create-home leaves the directory-create step
        # below in charge of ownership.
        useradd --system --no-create-home --home-dir "$DATA_DIR" --shell /usr/sbin/nologin "$SERVICE_USER"
        info "Created system user: $SERVICE_USER (home: $DATA_DIR)"
    else
        info "User $SERVICE_USER already exists"
    fi

    # Add user to podman group so WebCasa can talk to the rootful Podman socket.
    # Created unconditionally by the podman RPM; the check stays defensive for
    # environments where Podman is skipped via --no-podman or pre-existing.
    if getent group podman &>/dev/null; then
        usermod -aG podman "$SERVICE_USER" 2>/dev/null || true
        info "Added $SERVICE_USER to podman group"
    else
        warn "podman group not present yet — will be added after install_podman runs"
    fi

    mkdir -p "$DATA_DIR"/{backups,web/dist}
    mkdir -p "$DATA_DIR"/plugins/{docker,deploy,filemanager,ai}
    mkdir -p "$LOG_DIR"
    mkdir -p "$CONFIG_DIR"

    chown -R "$SERVICE_USER:$SERVICE_USER" "$DATA_DIR"
    chown -R "$SERVICE_USER:$SERVICE_USER" "$LOG_DIR"

    success "Directories created"
}

setup_config() {
    step "Configuring WebCasa"

    ENV_FILE="$CONFIG_DIR/webcasa.env"

    if [[ -f "$ENV_FILE" ]]; then
        info "Config file already exists, preserving: $ENV_FILE"
        # Merge any new variables that may not exist in old config
        local NEED_RELOAD=false
        if ! grep -q "GIN_MODE" "$ENV_FILE"; then
            echo "" >> "$ENV_FILE"
            echo "GIN_MODE=release" >> "$ENV_FILE"
            NEED_RELOAD=true
        fi
        if $NEED_RELOAD; then
            info "Added new config entries to existing $ENV_FILE"
        fi
    else
        JWT_SECRET=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 48)
        CADDY_BIN=$(command -v caddy 2>/dev/null || echo "/usr/local/bin/caddy")

        cat > "$ENV_FILE" <<ENVEOF
# Web.Casa Configuration
# Generated on $(date -Iseconds)
# https://web.casa

WEBCASA_PORT=${PANEL_PORT}
WEBCASA_DATA_DIR=${DATA_DIR}
WEBCASA_DB_PATH=${DATA_DIR}/webcasa.db
WEBCASA_JWT_SECRET=${JWT_SECRET}
WEBCASA_CADDY_BIN=${CADDY_BIN}
WEBCASA_CADDYFILE_PATH=${DATA_DIR}/Caddyfile
WEBCASA_LOG_DIR=${LOG_DIR}
WEBCASA_ADMIN_API=http://localhost:2019
GIN_MODE=release
ENVEOF

        chmod 600 "$ENV_FILE"
        chown root:root "$ENV_FILE"
        success "Config written to $ENV_FILE"
    fi

    # Create default Caddyfile so Caddy can start immediately
    CADDYFILE="${DATA_DIR}/Caddyfile"
    if [[ ! -f "$CADDYFILE" ]]; then
        cat > "$CADDYFILE" <<CFEOF
# ============================================
# Auto-generated by Web.Casa (https://web.casa)
# DO NOT EDIT MANUALLY — changes will be overwritten
# ============================================

{
	admin localhost:2019
	log {
		output file ${LOG_DIR}/caddy.log {
			roll_size 100MiB
			roll_keep 5
		}
		level INFO
	}
}
CFEOF
        chown "$SERVICE_USER:$SERVICE_USER" "$CADDYFILE"
        success "Default Caddyfile created"
    fi
}

setup_selinux_policy() {
    # v0.13+: custom webcasa_t SELinux policy module. Shipped but
    # **OPT-IN ONLY** because the baseline allow-rules are still being
    # sized against real production workloads — exec'd children (caddy,
    # curl, podman CLI) inherit webcasa_t and need more rules than the
    # v0.13.0 module grants, so defaulting to install it would break
    # every fresh install on SELinux-enforcing EL9/EL10 hosts.
    #
    # Enable via ENABLE_SELINUX_POLICY=1 env var (or the --enable-selinux-policy
    # flag) only if you accept the preview status. Plain v0.13 install
    # continues to run the service as unconfined_service_t (same as v0.12).
    # See policy/README.md + docs/selinux.md for the full story.
    if [[ "${ENABLE_SELINUX_POLICY:-0}" != "1" ]]; then
        return 0
    fi
    local pp
    pp=$(find "$SCRIPT_DIR/policy" -maxdepth 1 -name 'webcasa.pp' 2>/dev/null | head -1)
    if [[ -z "$pp" ]]; then
        warn "ENABLE_SELINUX_POLICY=1 requested but policy/webcasa.pp not found in $SCRIPT_DIR/policy (run 'make' in policy/ first, or re-download the release tarball)"
        return 0
    fi
    if ! command -v getenforce &>/dev/null || [[ "$(getenforce 2>/dev/null)" == "Disabled" ]]; then
        info "SELinux disabled — skipping webcasa_t policy install"
        return 0
    fi
    if ! command -v semodule &>/dev/null; then
        warn "semodule missing (policycoreutils not installed?); skipping webcasa_t policy install"
        return 0
    fi
    step "Installing webcasa_t SELinux policy (preview)"
    warn "webcasa_t policy is v0.13 PREVIEW. Iterating plugins (deploy/monitoring/backup/etc.) may trigger AVC denials. Capture with: ausearch -m AVC -ts recent | grep webcasa_t"
    semodule -i "$pp" 2>&1 | grep -v "^libsepol\." || true
    restorecon -Rv "$INSTALL_DIR/webcasa-server" "$CONFIG_DIR" "$DATA_DIR" "$LOG_DIR" 2>/dev/null || true
    if [[ -n "$PANEL_PORT" && "$PANEL_PORT" -ne 80 && "$PANEL_PORT" -ne 443 ]]; then
        if command -v semanage &>/dev/null; then
            semanage port -a -t http_port_t -p tcp "$PANEL_PORT" 2>/dev/null || \
                semanage port -m -t http_port_t -p tcp "$PANEL_PORT" 2>/dev/null || true
        fi
    fi
    success "webcasa_t policy installed (preview — monitor AVCs)"
}

setup_systemd() {
    step "Setting up systemd service"
    setup_selinux_policy

    cat > /etc/systemd/system/webcasa.service <<SVCEOF
[Unit]
Description=Web.Casa — Server Management Panel (https://web.casa)
Documentation=https://github.com/${GITHUB_REPO}
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=${SERVICE_USER}
Group=${SERVICE_USER}
# Grant access to /run/podman/podman.sock (owned root:podman) so the Docker
# Go SDK + podman-docker CLI shim work without the service running as root.
SupplementaryGroups=podman
ExecStart=${INSTALL_DIR}/webcasa-server
WorkingDirectory=${DATA_DIR}
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

# Environment
EnvironmentFile=-${CONFIG_DIR}/webcasa.env
# Route all podman/docker CLI invocations (e.g. shell-outs to 'docker compose')
# to the rootful system socket. Without this the podman-docker shim forks a
# per-user rootless engine for the webcasa user — which requires subuid/subgid
# entries that system accounts lack and would run container workloads with
# different network/storage semantics than the system daemon.
Environment=CONTAINER_HOST=unix:///run/podman/podman.sock
Environment=DOCKER_HOST=unix:///run/podman/podman.sock

# Security
# NoNewPrivileges MUST stay false: WebCasa forks `caddy start` (see
# internal/caddy/manager.go) which inherits the systemd sandbox. With
# NoNewPrivileges=1, Linux ignores file capabilities (setcap) on the
# Caddy binary — Caddy then fails to bind 80/443 even though it has
# CAP_NET_BIND_SERVICE in its file capabilities. Until the Caddy
# management path is split into its own hardened unit, keep this off.
NoNewPrivileges=false
PrivateTmp=true

# WebCasa itself listens on a non-privileged port ($PANEL_PORT), but it
# spawns Caddy via exec.Command("caddy", "start", ...). Grant the
# capability via ambient set so the forked Caddy can bind 80/443 when
# the server's file caps are lost to NoNewPrivileges interactions
# elsewhere. This matches the v0.11 behavior and is the minimal cap
# needed (no CAP_SYS_ADMIN, no CAP_NET_ADMIN, etc.).
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# SELinux domain (v0.13+ preview, off by default). The policy module
# itself handles transition via init_daemon_domain() in the .te file, so
# we don't need SELinuxContext= here even when the preview is enabled.
# Left as a comment so operators know where to inject an override.
# SELinuxContext=system_u:system_r:webcasa_t:s0

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=webcasa

[Install]
WantedBy=multi-user.target
SVCEOF

    systemctl daemon-reload
    systemctl enable webcasa

    success "Systemd service installed and enabled"
}

setup_firewall() {
    step "Configuring firewall"

    if command -v ufw &>/dev/null; then
        ufw allow "$PANEL_PORT"/tcp comment "WebCasa" > /dev/null 2>&1 || true
        ufw allow 80/tcp comment "HTTP" > /dev/null 2>&1 || true
        ufw allow 443/tcp comment "HTTPS" > /dev/null 2>&1 || true
        success "UFW rules added (ports $PANEL_PORT, 80, 443)"
    elif command -v firewall-cmd &>/dev/null; then
        firewall-cmd --permanent --add-port="${PANEL_PORT}/tcp" > /dev/null 2>&1 || true
        firewall-cmd --permanent --add-service=http > /dev/null 2>&1 || true
        firewall-cmd --permanent --add-service=https > /dev/null 2>&1 || true
        firewall-cmd --reload > /dev/null 2>&1 || true
        success "Firewalld rules added (ports $PANEL_PORT, 80, 443)"
    else
        warn "No firewall detected. Make sure ports $PANEL_PORT, 80, 443 are open."
    fi
}

setup_caddy_permissions() {
    if $SKIP_CADDY; then return; fi

    local CADDY_BIN
    CADDY_BIN=$(command -v caddy 2>/dev/null || echo "")
    if [[ -n "$CADDY_BIN" ]]; then
        # Allow Caddy to bind to privileged ports (80, 443)
        setcap 'cap_net_bind_service=+ep' "$CADDY_BIN" 2>/dev/null || true
    fi
}

# ==================== Interactive Prompts ====================
prompt_port() {
    if $NON_INTERACTIVE; then
        info "Panel port: $PANEL_PORT (non-interactive mode)"
        return
    fi

    echo ""
    echo -e "${BOLD}Panel Port Configuration${NC}"
    echo -e "   Web.Casa will listen on this port for the management UI."
    echo -e "   Default: ${GREEN}${PANEL_PORT}${NC}"
    echo ""

    read -t 15 -p "   Enter panel port [${PANEL_PORT}]: " INPUT_PORT || true
    echo ""

    if [[ -n "$INPUT_PORT" ]]; then
        if [[ "$INPUT_PORT" =~ ^[0-9]+$ ]] && [ "$INPUT_PORT" -ge 1 ] && [ "$INPUT_PORT" -le 65535 ]; then
            PANEL_PORT="$INPUT_PORT"
            success "Panel port set to: $PANEL_PORT"
        else
            warn "Invalid port '$INPUT_PORT', using default: $PANEL_PORT"
        fi
    else
        info "Using default port: $PANEL_PORT"
    fi
}
# ==================== Start Service ====================
start_service() {
    step "Starting WebCasa"

    systemctl start webcasa
    sleep 2

    if systemctl is-active --quiet webcasa; then
        success "WebCasa is running!"
    else
        error "WebCasa failed to start. Check logs with:"
        echo "  journalctl -u webcasa -n 50 --no-pager"
        exit 1
    fi
}

# ==================== Detect Public IP ====================
detect_public_ip() {
    step "Detecting public IP addresses"

    PUBLIC_IPV4=""
    PUBLIC_IPV6=""

    # Detect IPv4 (priority: icanhazip → api.ip.sb → ifconfig.me → Cloudflare trace)
    for svc in "https://ipv4.icanhazip.com" "https://api.ip.sb/ip" "https://ifconfig.me/ip"; do
        PUBLIC_IPV4=$(curl -4 -fsSL --connect-timeout 3 --max-time 5 "$svc" 2>/dev/null | tr -d '[:space:]') || true
        if [[ -n "$PUBLIC_IPV4" ]]; then break; fi
    done
    # Fallback: Cloudflare trace (parse ip= field)
    if [[ -z "$PUBLIC_IPV4" ]]; then
        PUBLIC_IPV4=$(curl -4 -fsSL --connect-timeout 3 --max-time 5 "https://1.1.1.1/cdn-cgi/trace" 2>/dev/null | grep -oP '^ip=\K.*') || true
    fi

    # Detect IPv6 (priority: icanhazip → api.ip.sb → Cloudflare trace)
    for svc in "https://ipv6.icanhazip.com" "https://api.ip.sb/ip" "https://ifconfig.me/ip"; do
        PUBLIC_IPV6=$(curl -6 -fsSL --connect-timeout 3 --max-time 5 "$svc" 2>/dev/null | tr -d '[:space:]') || true
        if [[ -n "$PUBLIC_IPV6" ]]; then break; fi
    done
    if [[ -z "$PUBLIC_IPV6" ]]; then
        PUBLIC_IPV6=$(curl -6 -fsSL --connect-timeout 3 --max-time 5 "https://[2606:4700:4700::1111]/cdn-cgi/trace" 2>/dev/null | grep -oP '^ip=\K.*') || true
    fi

    # Write to SQLite settings table
    local DB_PATH="${DATA_DIR}/webcasa.db"

    # Wait for WebCasa to create the database (up to 10 seconds)
    local WAIT_COUNT=0
    while [[ ! -f "$DB_PATH" ]] && [[ $WAIT_COUNT -lt 10 ]]; do
        sleep 1
        WAIT_COUNT=$((WAIT_COUNT + 1))
    done

    if command -v sqlite3 &>/dev/null && [[ -f "$DB_PATH" ]]; then
        # Ensure settings table exists
        sqlite3 "$DB_PATH" "CREATE TABLE IF NOT EXISTS settings (key TEXT PRIMARY KEY, value TEXT);" 2>/dev/null || true
        if [[ -n "$PUBLIC_IPV4" ]]; then
            sqlite3 "$DB_PATH" "INSERT OR REPLACE INTO settings (key, value) VALUES ('server_ipv4', '$PUBLIC_IPV4');" 2>/dev/null || true
        fi
        if [[ -n "$PUBLIC_IPV6" ]]; then
            sqlite3 "$DB_PATH" "INSERT OR REPLACE INTO settings (key, value) VALUES ('server_ipv6', '$PUBLIC_IPV6');" 2>/dev/null || true
        fi
    else
        warn "无法写入 IP 到数据库（sqlite3 不可用或数据库未创建）"
    fi

    if [[ -n "$PUBLIC_IPV4" ]]; then
        success "IPv4: $PUBLIC_IPV4"
    else
        warn "IPv4 not detected"
    fi
    if [[ -n "$PUBLIC_IPV6" ]]; then
        success "IPv6: $PUBLIC_IPV6"
    else
        info "IPv6 not available"
    fi
}

# ==================== Print Summary ====================
print_summary() {
    # Use detected public IP, fallback to LAN IP
    local DISPLAY_IP="${PUBLIC_IPV4:-$(hostname -I 2>/dev/null | awk '{print $1}' || echo "YOUR_SERVER_IP")}"

    echo ""
    echo -e "${GREEN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
    echo -e "${GREEN}${BOLD}║           Web.Casa Installation Complete!                ║${NC}"
    echo -e "${GREEN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}"
    echo ""
    echo -e "  ${BOLD}Panel URL:${NC}      http://${DISPLAY_IP}:${PANEL_PORT}"
    echo -e "  ${BOLD}Local URL:${NC}      http://localhost:${PANEL_PORT}"
    if [[ -n "$PUBLIC_IPV4" ]]; then
        echo -e "  ${BOLD}IPv4:${NC}           ${PUBLIC_IPV4}"
    fi
    if [[ -n "$PUBLIC_IPV6" ]]; then
        echo -e "  ${BOLD}IPv6:${NC}           ${PUBLIC_IPV6}"
    fi
    echo ""
    echo -e "  ${BOLD}Config:${NC}         ${CONFIG_DIR}/webcasa.env"
    echo -e "  ${BOLD}Data:${NC}           ${DATA_DIR}/"
    echo -e "  ${BOLD}Logs:${NC}           ${LOG_DIR}/"
    echo -e "  ${BOLD}Binary:${NC}         ${INSTALL_DIR}/webcasa-server"
    echo -e "  ${BOLD}CLI:${NC}            ${INSTALL_DIR}/webcasa"
    echo ""
    echo -e "  ${BOLD}Management Commands:${NC}"
    echo -e "    webcasa                     ${CYAN}# Interactive menu${NC}"
    echo -e "    webcasa panel restart       ${CYAN}# Restart panel${NC}"
    echo -e "    webcasa caddy restart       ${CYAN}# Restart Caddy${NC}"
    echo -e "    webcasa info                ${CYAN}# System info${NC}"
    echo -e "    webcasa help                ${CYAN}# All commands${NC}"
    echo ""
    echo -e "  ${BOLD}Included Features:${NC}"
    echo -e "    Reverse Proxy  │  File Manager  │  Web Terminal"
    echo -e "    Container Mgmt │  Project Deploy │  AI Assistant"
    echo ""
    if command -v podman &>/dev/null; then
        local _ver
        _ver=$(podman version --format '{{.Version}}' 2>/dev/null || echo "?")
        echo -e "  ${BOLD}Container Runtime:${NC} Podman ${_ver} (rootful, socket: /run/podman/podman.sock)"
    elif $SKIP_PODMAN; then
        echo -e "  ${YELLOW}Note: Podman install skipped (--no-podman). Container / deploy plugins will be unavailable until a runtime is wired up manually.${NC}"
    fi
    echo -e "  ${YELLOW}First visit: create your admin account at the URL above${NC}"
    echo ""
}

# ==================== Upgrade ====================
do_upgrade() {
    local BUILD_MODE="$1" # "prebuilt" or "source"

    # Verify WebCasa is installed — migrate from old binary name if needed
    if [[ ! -f "$INSTALL_DIR/webcasa-server" ]]; then
        if [[ -f "$INSTALL_DIR/webcasa" ]] && file "$INSTALL_DIR/webcasa" 2>/dev/null | grep -q "ELF"; then
            info "Migrating old binary name: webcasa → webcasa-server"
            mv -f "$INSTALL_DIR/webcasa" "$INSTALL_DIR/webcasa-server"
        else
            fatal "WebCasa is not installed. Run install.sh without --upgrade first."
        fi
    fi

    # v0.12+ depends on Podman. If the existing install predates the
    # Podman migration (e.g. legacy v0.11 box with docker-ce), upgrading
    # to a v0.12 binary produces a broken service. Detect and require a
    # fresh install in that case rather than silently leaving the box in
    # a mixed state.
    if ! command -v podman &>/dev/null; then
        fatal "Podman not detected. WebCasa v0.12+ requires Podman as the sole container runtime.\n  Run install.sh without --upgrade to do a full (re)install, or install Podman manually:\n    dnf install -y podman podman-docker podman-compose"
    fi

    # Show current version
    local CURRENT_VERSION
    CURRENT_VERSION=$("$INSTALL_DIR/webcasa-server" --version 2>/dev/null || echo "unknown")
    info "Current version: ${CURRENT_VERSION}"
    info "Target version:  ${WEBCASA_VERSION}"

    if [[ "$CURRENT_VERSION" == "$WEBCASA_VERSION" ]]; then
        warn "Already running v${WEBCASA_VERSION}."
        if ! $NON_INTERACTIVE; then
            read -p "   Continue anyway? [y/N]: " CONFIRM || true
            [[ "$CONFIRM" =~ ^[yY] ]] || { info "Upgrade cancelled."; exit 0; }
        fi
    fi

    # Stop service
    step "Stopping WebCasa service"
    if systemctl is-active --quiet webcasa 2>/dev/null; then
        systemctl stop webcasa
        success "Service stopped"
    else
        info "Service is not running"
    fi

    # Backup current binary
    if [[ -f "$INSTALL_DIR/webcasa-server" ]]; then
        cp -f "$INSTALL_DIR/webcasa-server" "$INSTALL_DIR/webcasa-server.bak"
        info "Backed up current binary to webcasa-server.bak"
    fi

    # Build or download new version.
    # Run in subshell so that exit 1 inside install_prebuilt/install_from_source
    # only exits the subshell, allowing rollback logic to execute.
    local INSTALL_OK=true
    set +e
    if [[ "$BUILD_MODE" == "source" ]]; then
        ( install_from_source )
    else
        ( install_prebuilt )
    fi
    if [[ $? -ne 0 ]]; then
        INSTALL_OK=false
    fi
    set -e

    if [[ "$INSTALL_OK" != "true" ]]; then
        error "Install step failed during upgrade!"
        if [[ -f "$INSTALL_DIR/webcasa-server.bak" ]]; then
            warn "Rolling back to previous binary..."
            mv -f "$INSTALL_DIR/webcasa-server.bak" "$INSTALL_DIR/webcasa-server"
        fi
        warn "Restarting previous version..."
        systemctl start webcasa || true
        if systemctl is-active --quiet webcasa; then
            success "Rollback successful. Previous version restored."
        else
            error "Rollback failed. Check logs: journalctl -u webcasa -n 50 --no-pager"
        fi
        exit 1
    fi

    # Update CLI management script
    install_cli_script

    # Upgrade Caddy if a newer version is pinned
    install_caddy
    setup_caddy_permissions

    # Update systemd service in case it changed
    setup_systemd

    # Restart service
    step "Starting WebCasa service"
    systemctl start webcasa
    sleep 2

    if systemctl is-active --quiet webcasa; then
        # Remove backup on success
        rm -f "$INSTALL_DIR/webcasa-server.bak"
        success "WebCasa upgraded to v${WEBCASA_VERSION}!"
    else
        # Rollback on failure
        error "WebCasa failed to start after upgrade!"
        if [[ -f "$INSTALL_DIR/webcasa-server.bak" ]]; then
            warn "Rolling back to previous version..."
            mv -f "$INSTALL_DIR/webcasa-server.bak" "$INSTALL_DIR/webcasa-server"
            systemctl start webcasa
            if systemctl is-active --quiet webcasa; then
                success "Rollback successful. Previous version restored."
            else
                fatal "Rollback failed. Check logs: journalctl -u webcasa -n 50 --no-pager"
            fi
        fi
        exit 1
    fi

    echo ""
    echo -e "${GREEN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
    echo -e "${GREEN}${BOLD}║            Web.Casa Upgrade Complete!                    ║${NC}"
    echo -e "${GREEN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}"
    echo ""
    echo -e "  ${BOLD}Version:${NC}  ${CURRENT_VERSION} → ${WEBCASA_VERSION}"
    echo -e "  ${BOLD}Binary:${NC}   ${INSTALL_DIR}/webcasa-server"
    echo -e "  ${BOLD}CLI:${NC}      ${INSTALL_DIR}/webcasa"
    echo -e "  ${BOLD}Status:${NC}   $(systemctl is-active webcasa)"
    echo ""

    exit 0
}

# ==================== Main ====================
main() {
    echo -e "${GREEN}${BOLD}"
    echo ' __        __   _       ____                '
    echo ' \ \      / /__| |__   / ___|__ _ ___  __ _ '
    echo '  \ \ /\ / / _ \  _ \ | |   / _` / __|/ _` |'
    echo '   \ V  V /  __/ |_) || |__| (_| \__ \ (_| |'
    echo '    \_/\_/ \___|_.__/  \____\__,_|___/\__,_|'
    echo '                                             '
    echo -e "${NC}"
    echo -e "  ${BOLD}One-Click Installer v${WEBCASA_VERSION}${NC}"
    echo -e "  ${CYAN}https://web.casa${NC}"
    echo ""

    parse_args "$@"
    check_root
    detect_os

    # Pro edition: enforce RHEL-based OS 9/10
    if $PRO_MODE; then
        check_pro_os
    fi

    # Auto-detect piped input (curl | bash)
    if [[ ! -t 0 ]]; then
        NON_INTERACTIVE=true
    fi

    if $UNINSTALL; then
        do_uninstall
    fi

    # Upgrade mode: skip full install, only replace binary + frontend
    if $UPGRADE_FROM_SOURCE; then
        do_upgrade "source"
    fi
    if $UPGRADE; then
        do_upgrade "prebuilt"
    fi

    # Interactive port prompt
    prompt_port

    install_deps
    install_podman
    install_caddy
    setup_user

    # Install WebCasa binary + frontend
    if $FROM_SOURCE; then
        info "Building from source (--from-source)"
        install_from_source
    else
        install_prebuilt
    fi

    # Install CLI management script
    install_cli_script

    setup_config
    setup_systemd
    setup_caddy_permissions
    setup_firewall
    start_service
    detect_public_ip
    print_summary
}

main "$@"