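#!/usr/bin/env bash
# Install Filebeat configured for the mail stack.
# Run as root: sudo ./install.sh [ELK_HOST]
#
# Inputs (positional argument first, then environment, then default):
#   ELK_HOST  Logstash host the mail logs are shipped to (default logstash.internal)
#   ELK_PORT  Logstash Beats port (default 5044)
#   ENV       environment label written into the config (default prod)
#
# NOTE(review): ELK_HOST decides where mail logs leave this machine, so a
# wrong or tampered value sends them to the wrong receiver. Depending on the
# sudoers policy, sudo may or may not pass ELK_HOST/ELK_PORT/ENV through from
# the caller's environment; passing the host as $1 is the unambiguous form.
# NOTE(review): ENV is also the POSIX-shell startup-file variable; if it holds
# a path here, the validation below rejects it instead of writing it to YAML.
set -euo pipefail

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

ELK_HOST="${1:-${ELK_HOST:-logstash.internal}}"
ELK_PORT="${ELK_PORT:-5044}"
ENV_NAME="${ENV:-prod}"
HERE="$(cd "$(dirname "$0")" && pwd)"
readonly DEST=/etc/filebeat/filebeat.yml

if ! command -v filebeat >/dev/null; then
  # NOTE(review): the hint below installs a package fetched with curl; check it
  # against the checksum/signature the vendor publishes before running dpkg -i.
  echo "Filebeat is not installed. On Debian/Ubuntu:"
  echo " curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.15.0-amd64.deb"
  echo " dpkg -i filebeat-8.15.0-amd64.deb"
  exit 1
fi

# Everything below writes under /etc and drives systemd, so fail early with a
# clear message instead of half-way through.
(( EUID == 0 )) || die "install.sh must be run as root"

# The three values are pasted into a sed replacement and end up in YAML.
# Restrict them to characters that are inert in both ('|', '&', '\', quotes
# and newlines would otherwise rewrite the sed expression or the config).
host_re='^[][A-Za-z0-9._:-]+$' # hostname, IPv4, or bracketed IPv6
name_re='^[A-Za-z0-9._-]+$'
port_re='^[0-9]{1,5}$'
[[ "$ELK_HOST" =~ $host_re ]] || die "invalid ELK_HOST: $ELK_HOST"
[[ "$ENV_NAME" =~ $name_re ]] || die "invalid ENV: $ENV_NAME"
[[ "$ELK_PORT" =~ $port_re ]] || die "invalid ELK_PORT: $ELK_PORT"
(( 10#$ELK_PORT >= 1 && 10#$ELK_PORT <= 65535 )) || die "invalid ELK_PORT: $ELK_PORT"

[[ -r "$HERE/filebeat.yml" ]] || die "template not found: $HERE/filebeat.yml"

# Render into a private temp file first: redirecting sed straight onto the
# live config would truncate it if sed failed.
tmp_cfg="$(mktemp)"
trap 'rm -f -- "$tmp_cfg"' EXIT

# Render config with substitutions and copy.
sed \
  -e "s|\${ELK_HOST:logstash.internal}|$ELK_HOST|g" \
  -e "s|\${ELK_PORT:5044}|$ELK_PORT|g" \
  -e "s|\${ENV:dev}|$ENV_NAME|g" \
  "$HERE/filebeat.yml" > "$tmp_cfg"

# Keep the previous config so a rejected render can be rolled back.
backup=""
if [[ -f "$DEST" ]]; then
  backup="${DEST}.bak"
  cp -p -- "$DEST" "$backup"
fi

# Owner and mode are set in the same step as the copy. 0644 is world-readable:
# keep credentials out of this file (e.g. in the Filebeat keystore) or tighten
# the mode if the template ever carries secrets.
install -o root -g root -m 0644 -- "$tmp_cfg" "$DEST"

# Let Filebeat parse the rendered file before the service is restarted on it.
if ! filebeat test config -c "$DEST"; then
  if [[ -n "$backup" ]]; then
    cp -p -- "$backup" "$DEST"
  fi
  die "rendered Filebeat config failed validation; previous config restored if one existed"
fi

# Filebeat must be able to read mail logs.
# Best effort, as before, but a failure is now reported instead of hidden.
# NOTE(review): 'adm' usually grants read access to most of /var/log, which is
# wider than the mail logs; 'deeily' is presumably the mail stack's own group
# (confirm the name is spelled as intended).
for grp in adm deeily; do
  if ! usermod -a -G "$grp" filebeat 2>/dev/null; then
    printf "warning: could not add user filebeat to group '%s'\n" "$grp" >&2
  fi
done

systemctl enable filebeat
systemctl restart filebeat

echo "Filebeat shipping logs → $ELK_HOST:$ELK_PORT (env=$ENV_NAME)"
# Display only: under pipefail, head closing the pipe early (or systemctl's own
# status code) must not decide the script's exit status.
systemctl --no-pager status filebeat | head -10 || true
# The explicit check keeps a non-zero exit when the service is not running.
systemctl is-active --quiet filebeat || die "filebeat is not active after restart"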