# TLS 1.2 + Fallback-Versionen aktivieren (Windows Server 2016)
[Net.ServicePointManager]::SecurityProtocol = `
    [Net.SecurityProtocolType]::Tls12 -bor `
    [Net.SecurityProtocolType]::Tls11 -bor `
    [Net.SecurityProtocolType]::Tls

# Adminrechte pruefen und ggf. neu starten
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent() `
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    Start-Process powershell.exe `
        "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" `
        -Verb RunAs
    exit
}

Write-Host "============================================================"
Write-Host " upterm Setup"
Write-Host "============================================================"
Write-Host ""

# 1. Execution Policy pruefen
Write-Host "[1/4] Pruefe Execution Policy..."
$policy = Get-ExecutionPolicy -Scope CurrentUser
if ($policy -in @('Bypass', 'Unrestricted', 'RemoteSigned')) {
    Write-Host "      OK (aktuell: $policy)"
} else {
    try {
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
        Write-Host "      OK"
    } catch {
        $effective = Get-ExecutionPolicy
        if ($effective -in @('Bypass', 'Unrestricted', 'RemoteSigned')) {
            Write-Host "      GPO-Override - Policy '$effective' ist ausreichend"
        } else {
            Write-Host "FEHLER: Execution Policy '$effective' blockiert Ausfuehrung."
            Read-Host "Enter zum Beenden"; exit 1
        }
    }
}

# Hilfsfunktion: Scoop-Installer herunterladen und ausfuehren
function Install-Scoop {
    $url = 'https://get.scoop.sh'
    $tmp = "$env:TEMP\scoop-install.ps1"

    # Versuch 1: Invoke-RestMethod
    try {
        Invoke-RestMethod -Uri $url | Invoke-Expression
        return $true
    } catch {}

    # Versuch 2: WebClient
    try {
        (New-Object System.Net.WebClient).DownloadString($url) | Invoke-Expression
        return $true
    } catch {}

    # Versuch 3: WebClient mit SSL-Bypass (Windows Server 2016 fehlende Zertifikatskette)
    Write-Host "      Versuche SSL-Bypass fuer Scoop-Download (Server 2016)..."
    $prevCb = [Net.ServicePointManager]::ServerCertificateValidationCallback
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    try {
        (New-Object System.Net.WebClient).DownloadString($url) | Invoke-Expression
        return $true
    } catch {
        Write-Host "FEHLER: Scoop-Download fehlgeschlagen: $_"
        Write-Host ""
        Write-Host "Moegliche Ursachen auf Windows Server 2016:"
        Write-Host "  - Fehlende Root-Zertifikate (Windows Update ausfuehren)"
        Write-Host "  - Proxy blockiert HTTPS"
        Write-Host "  - get.scoop.sh nicht erreichbar"
        return $false
    } finally {
        [Net.ServicePointManager]::ServerCertificateValidationCallback = $prevCb
    }
}

# 2. Scoop pruefen / installieren
Write-Host "[2/4] Pruefe Scoop..."
$scoopShims = "$env:USERPROFILE\scoop\shims"
$scoopInstalled = (Test-Path "$scoopShims\scoop.ps1") -or (Test-Path "$scoopShims\scoop.cmd")

if (-not $scoopInstalled) {
    Write-Host "      Scoop nicht gefunden - wird installiert..."
    if (-not (Install-Scoop)) {
        Read-Host "Enter zum Beenden"; exit 1
    }
    if (-not ((Test-Path "$scoopShims\scoop.ps1") -or (Test-Path "$scoopShims\scoop.cmd"))) {
        Write-Host "FEHLER: Scoop-Installation fehlgeschlagen (Verzeichnis fehlt)."
        Read-Host "Enter zum Beenden"; exit 1
    }
    Write-Host "      Scoop installiert."
} else {
    Write-Host "      Scoop bereits vorhanden."
}

# PATH dieser Session aktualisieren
if ($env:PATH -notlike "*$scoopShims*") {
    $env:PATH = "$env:PATH;$scoopShims"
}

# 3. 7zip mit lessmsi-Workaround
Write-Host "[3/4] Installiere 7zip via lessmsi..."
scoop config use_lessmsi true
$7zipOk = $false
try { scoop install 7zip 2>&1 | Out-Null; $7zipOk = $true } catch {}

if (-not $7zipOk) {
    Write-Host "      7zip fehlgeschlagen - bereinige und versuche erneut..."
    try { scoop uninstall 7zip } catch {}
    try { scoop cache rm 7zip } catch {}
    Remove-Item -Recurse -Force "$env:USERPROFILE\scoop\apps\7zip" -ErrorAction SilentlyContinue
    try { scoop install 7zip; $7zipOk = $true } catch {
        Write-Host "FEHLER: 7zip konnte nicht installiert werden: $_"
        Read-Host "Enter zum Beenden"; exit 1
    }
}
Write-Host "      OK"

# 4. upterm
Write-Host "[4/4] Installiere upterm..."
try { scoop bucket add upterm https://github.com/owenthereal/scoop-upterm } catch {}
try {
    scoop install upterm
} catch {
    Write-Host "FEHLER: upterm Installation fehlgeschlagen: $_"
    Read-Host "Enter zum Beenden"; exit 1
}
Write-Host "      OK"

Write-Host ""
Write-Host "============================================================"
Write-Host " Installation abgeschlossen!"
Write-Host "============================================================"
Write-Host ""
Write-Host " PowerShell NEU STARTEN, dann Session teilen mit:"
Write-Host ""
Write-Host "   upterm host --server ssh://upterm.ebesch.de:2222 --accept"
Write-Host ""
Write-Host " Client verbindet sich mit:"
Write-Host "   ssh TOKEN:HASH@upterm.ebesch.de -p 2222"
Write-Host ""
Read-Host "Enter zum Beenden"