{% extends "base.html" %}
{% block title %}Settings — rosbackup-ng{% endblock %}
{% block page_title %}Settings{% endblock %}
{% block content %}
<div class="card">
  {% if error %}<div class="banner banner-warn">{{ error }}</div>{% endif %}
  <p class="muted">Global defaults from <span class="mono">global.yaml</span>. Devices and groups
    can override most of these. A <span class="mono">.bak</span> of the previous file is written
    on every save; groups, storage backends and notifications are preserved untouched.</p>
  <form class="run-form settings-form" method="post" action="/ui/settings">
    <input type="hidden" name="csrf_token" value="{{ request.state.session.csrf_token }}">

    <div class="settings-grid">
    <fieldset>
      <legend>🖥️ System</legend>
      <div class="form-rows">
        <p class="muted full">Hostname (optional) rewrites <span class="mono">127.0.0.1</span> in
          user-clickable absolute links such as the Prometheus URL. Instance name (optional) is shown
          under the logo and exported via Prometheus / InfluxDB to identify this deployment.</p>
        <label for="system_hostname">Hostname</label>
        <input type="text" id="system_hostname" name="system_hostname" autocomplete="off"
               value="{{ system.get('hostname', '') }}" placeholder="e.g. backup.example.com">
        <label for="system_instance_name">Instance name</label>
        <input type="text" id="system_instance_name" name="system_instance_name" autocomplete="off"
               value="{{ system.get('instance_name', '') }}" placeholder="e.g. HQ / production">
      </div>
    </fieldset>

    <fieldset>
      <legend>⚙️ General</legend>
      <div class="form-rows">
        <label for="backup_path_parent">Backup path</label>
        <input type="text" id="backup_path_parent" name="backup_path_parent"
               value="{{ raw.get('backup_path_parent', 'backups') }}">
        <label for="timezone">Timezone</label>
        {% if timezones %}
        {% set cur_tz = raw.get('timezone', '') or '' %}
        <select id="timezone" name="timezone">
          <option value="">System default</option>
          {% for tz in timezones %}<option value="{{ tz }}" {{ 'selected' if tz == cur_tz }}>{{ tz }}</option>{% endfor %}
        </select>
        {% else %}
        <input type="text" id="timezone" name="timezone" value="{{ raw.get('timezone', '') or '' }}"
               autocomplete="off" placeholder="Asia/Manila">
        {% endif %}
        <label for="datetime_format">Date/time format</label>
        <select id="datetime_format" name="datetime_format">
          {% for key, fmt in datetime_formats.items() %}<option value="{{ key }}" {{ 'selected' if key == selected_datetime_format }}>{{ fmt[0] }}</option>{% endfor %}
        </select>
        <label for="max_parallel_backups">Max parallel</label>
        <input type="number" id="max_parallel_backups" name="max_parallel_backups" min="1"
               value="{{ raw.get('max_parallel_backups', 25) }}">
        <label class="check full"><input type="checkbox" name="parallel_execution" value="1"
               {{ 'checked' if raw.get('parallel_execution', true) }}> Run device backups in parallel</label>
      </div>
    </fieldset>

    <fieldset>
      <legend>🗄️ Retention</legend>
      <div class="form-rows">
        <p class="muted full">Defaults to 365 days for backups, 90 for logs. Blank keeps them forever.</p>
        <label for="backup_retention_days">Backups</label>
        <span class="unit"><input type="number" id="backup_retention_days" name="backup_retention_days"
               min="1" value="{{ (raw['backup_retention_days'] if 'backup_retention_days' in raw else 365) or '' }}" placeholder="∞"> <span class="muted">days</span></span>
        <label for="log_retention_days">Logs</label>
        <span class="unit"><input type="number" id="log_retention_days" name="log_retention_days"
               min="1" value="{{ (raw['log_retention_days'] if 'log_retention_days' in raw else 90) or '' }}" placeholder="∞"> <span class="muted">days</span></span>
      </div>
    </fieldset>

    <fieldset>
      <legend>🔑 SSH defaults</legend>
      <div class="form-rows">
        <label for="ssh_user">User</label>
        <input type="text" id="ssh_user" name="ssh_user" value="{{ ssh.get('user', '') }}" placeholder="rosbackup" autocomplete="off">
        <label for="ssh_port">Port</label>
        <input type="number" id="ssh_port" name="ssh_port" min="1" max="65535" value="{{ ssh.get('port', '') }}" placeholder="22">
        {% if ssh_secrets %}
        <label for="ssh_key_secret">Default SSH key</label>
        <select id="ssh_key_secret" name="ssh_key_secret">
          <option value="">— none / legacy path —</option>
          {% for s in ssh_secrets %}<option value="{{ s }}" {{ 'selected' if ssh.get('key_secret') == s }}>{{ s }}</option>{% endfor %}
        </select>
        {% elif vault_unlocked %}
        <p class="muted full">No SSH keys in the vault yet. <a href="/vault/new">Store a key →</a> to use it as the default.</p>
        {% else %}
        <p class="muted full">The <a href="/vault">vault</a> is locked — set <span class="mono">ROSBACKUP_SECRET_KEY</span> to choose a default key from it.</p>
        {% endif %}
        <label for="ssh_timeout">Timeout</label>
        <span class="unit"><input type="number" id="ssh_timeout" name="ssh_timeout" min="1" value="{{ ssh.get('timeout', '') }}" placeholder="5"> <span class="muted">seconds</span></span>
      </div>
    </fieldset>

    <fieldset>
      <legend>💾 Router-side tmpfs staging</legend>
      <div class="form-rows">
        <p class="muted full">Applies <strong>on each RouterOS device</strong>, not the rosbackup
          server. The backup is assembled in a small RAM disk (tmpfs) on the router and then
          downloaded, so the router's flash isn't written on every backup (saves flash wear).</p>
        <label class="check full"><input type="checkbox" name="tmpfs_enabled" value="1"
               {{ 'checked' if tmpfs.get('enabled', true) }}> Stage the backup in the router's RAM (tmpfs)</label>
        <label class="check full"><input type="checkbox" name="tmpfs_fallback" value="1"
               {{ 'checked' if tmpfs.get('fallback_enabled', true) }}> Fall back to the router's flash if RAM staging is unavailable</label>
        <label class="check full"><input type="checkbox" name="tmpfs_size_auto" value="1"
               {{ 'checked' if tmpfs.get('size_auto', true) }}> Auto-size the RAM disk from the router's free memory</label>
        <label for="tmpfs_size_mb">Size</label>
        <span class="unit"><input type="number" id="tmpfs_size_mb" name="tmpfs_size_mb" min="1" value="{{ tmpfs.get('size_mb', '') }}" placeholder="50"> <span class="muted">MB on the router (when not auto-sized)</span></span>
      </div>
    </fieldset>

    <fieldset>
      <legend>🛡 Security</legend>
      <div class="form-rows">
        <p class="muted full">Trust broken / possible MITM — the device is disabled and marked
          for security review; re-enable it after verifying and re-pinning the key.</p>
        <label class="check full"><input type="checkbox" name="security_disable_on_key_change" value="1"
               {{ 'checked' if security.get('disable_on_host_key_change', True) }}>
          Auto-disable a device whose SSH host key changes between runs</label>
      </div>
    </fieldset>

    <fieldset>
      <legend>📡 Latency monitoring</legend>
      <div class="form-rows">
        <p class="muted full">Ping each device host on an interval and chart round-trip time.
          {% if latency_running %}Monitoring is active.{% else %}Currently off.{% endif %}
          Changes apply after a server restart.</p>
        <label class="check full"><input type="checkbox" name="latency_enabled" value="1"
               data-enable-target=".latency-field"
               {{ 'checked' if latency.get('enabled', True) }}> Ping device hosts and chart round-trip time</label>
        <label for="latency_interval">Poll interval</label>
        <span class="unit"><input type="number" class="latency-field" id="latency_interval" name="latency_interval" min="1" value="{{ latency.get('interval_s', '') }}" placeholder="30" {{ '' if latency.get('enabled', True) else 'disabled' }}> <span class="muted">seconds</span></span>
        <label for="latency_timeout">Ping timeout</label>
        <span class="unit"><input type="number" class="latency-field" id="latency_timeout" name="latency_timeout" min="1" value="{{ latency.get('timeout_s', '') }}" placeholder="1" {{ '' if latency.get('enabled', True) else 'disabled' }}> <span class="muted">seconds</span></span>
        <label for="latency_window_min">Sparkline window</label>
        <span class="unit"><input type="number" class="latency-field" id="latency_window_min" name="latency_window_min" min="1" value="{{ (latency.get('window_s', 300) // 60) if latency.get('window_s') else '' }}" placeholder="5" {{ '' if latency.get('enabled', True) else 'disabled' }}> <span class="muted">minutes</span></span>
        <label class="check full"><input type="checkbox" class="latency-field" name="latency_skip_offline" value="1"
               {{ 'checked' if latency.get('skip_offline', True) }} {{ '' if latency.get('enabled', True) else 'disabled' }}> Skip devices monitored as offline when running backups, upgrades or downgrades</label>
        <p class="muted full">Not-yet-probed hosts are still included.</p>
      </div>
    </fieldset>

    <fieldset>
      <legend>📈 Metrics export</legend>
      <div class="form-rows">
        <p class="muted full">Two paths out: a <strong>Prometheus pull</strong> endpoint and an optional
          <strong>InfluxDB push</strong>. Each has its own on/off switch and a set of category toggles
          for exactly what gets exported. InfluxDB credentials come from the
          <a href="/vault">vault</a> (referenced by name) — never stored in <span class="mono">global.yaml</span>.</p>

        <label class="check full"><input type="checkbox" name="prometheus_enabled" value="1"
               {{ 'checked' if prometheus.get('enabled', true) }}> Serve the Prometheus <span class="mono">/metrics</span> endpoint</label>
        <label>Endpoint</label>
        <a class="mono" href="{{ metrics_url }}" target="_blank" rel="noopener">{{ metrics_url }}</a>
        <p class="muted full">Scrape with <span class="mono">Authorization: Bearer &lt;API token&gt;</span>
          (create a token under Security → Tokens / the CLI).</p>
        <label class="check full"><input type="checkbox" name="prometheus_public" value="1"
               {{ 'checked' if prometheus.get('public') }}> Allow <strong>public</strong> (unauthenticated) access to <span class="mono">/metrics</span></label>
        <label for="prometheus_allow_from">Restrict public access to</label>
        <textarea id="prometheus_allow_from" name="prometheus_allow_from" rows="3" autocomplete="off"
                  placeholder="10.0.0.0/8&#10;192.168.1.5&#10;2001:db8::/32">{{ (prometheus.get('allow_from') or []) | join('\n') }}</textarea>
        <p class="muted full">IPv4/IPv6 addresses or CIDR prefixes, one per line (a bare address means
          <span class="mono">/32</span> or <span class="mono">/128</span>). Blank = any IP when public is on.
          Only governs <em>unauthenticated</em> scrapes — token/session access works regardless.</p>
        <p class="subhead full">Prometheus categories</p>
        {% for c in export_categories %}
        <label class="check full"><input type="checkbox" name="prom_cat_{{ c }}" value="1"
               {{ 'checked' if prometheus.get('categories', {}).get(c, true) }}> {{ category_labels[c] }}</label>
        {% endfor %}

        <label class="check full"><input type="checkbox" name="influx_enabled" value="1"
               {{ 'checked' if influxdb.get('enabled') }}> Push metrics to InfluxDB v2</label>
        <label for="influx_url">InfluxDB URL</label>
        <input type="text" id="influx_url" name="influx_url" autocomplete="off"
               value="{{ influxdb.get('url', '') }}" placeholder="https://influx.example.com:8086">
        <label for="influx_org">Org</label>
        <input type="text" id="influx_org" name="influx_org" value="{{ influxdb.get('org', '') }}" autocomplete="off">
        <label for="influx_bucket">Bucket</label>
        <input type="text" id="influx_bucket" name="influx_bucket" value="{{ influxdb.get('bucket', '') }}" autocomplete="off">
        {% set auth = influxdb.get('auth_mode', 'token') %}
        <label for="influx_auth_mode">Auth</label>
        <select id="influx_auth_mode" name="influx_auth_mode" data-type-switch="influx-auth">
          <option value="token" {{ 'selected' if auth == 'token' }}>API token (v2)</option>
          <option value="userpass" {{ 'selected' if auth == 'userpass' }}>Username + password (v1)</option>
        </select>
        <div class="form-rows full" data-type-group="influx-auth" data-type-value="token">
          <label for="influx_token_secret">API token</label>
          {% if cred_secrets %}
          <select id="influx_token_secret" name="influx_token_secret">
            <option value="">— select a vault entry —</option>
            {% for s in cred_secrets %}<option value="{{ s }}" {{ 'selected' if influxdb.get('token_secret') == s }}>{{ s }}</option>{% endfor %}
          </select>
          {% elif vault_unlocked %}
          <p class="muted full">No passwords in the vault yet. <a href="/vault/new">Store the token →</a> to reference it here.</p>
          {% else %}
          <p class="muted full">The <a href="/vault">vault</a> is locked — set <span class="mono">ROSBACKUP_SECRET_KEY</span> to store the token.</p>
          {% endif %}
        </div>
        <div class="form-rows full" data-type-group="influx-auth" data-type-value="userpass">
          <label for="influx_username">Username</label>
          <input type="text" id="influx_username" name="influx_username" value="{{ influxdb.get('username', '') }}" autocomplete="off">
          <label for="influx_password_secret">Password</label>
          {% if cred_secrets %}
          <select id="influx_password_secret" name="influx_password_secret">
            <option value="">— select a vault entry —</option>
            {% for s in cred_secrets %}<option value="{{ s }}" {{ 'selected' if influxdb.get('password_secret') == s }}>{{ s }}</option>{% endfor %}
          </select>
          {% elif vault_unlocked %}
          <p class="muted full">No passwords in the vault yet. <a href="/vault/new">Store the password →</a> to reference it here.</p>
          {% else %}
          <p class="muted full">The <a href="/vault">vault</a> is locked — set <span class="mono">ROSBACKUP_SECRET_KEY</span> to store the password.</p>
          {% endif %}
        </div>
        <label for="influx_interval">Push interval</label>
        <span class="unit"><input type="number" id="influx_interval" name="influx_interval" min="1" value="{{ influxdb.get('interval_s', '') }}" placeholder="60"> <span class="muted">seconds</span></span>
        <p class="subhead full">InfluxDB categories</p>
        {% for c in export_categories %}
        <label class="check full"><input type="checkbox" name="influx_cat_{{ c }}" value="1"
               {{ 'checked' if influxdb.get('categories', {}).get(c, true) }}> {{ category_labels[c] }}</label>
        {% endfor %}
      </div>
    </fieldset>

    <fieldset>
      <legend>⬆️ Firmware versions</legend>
      <div class="form-rows">
        {% set ttl_now = upgrade.get('cache_ttl_hours', 8760) %}
        <p class="muted full">How long the fetched MikroTik version index is cached. The Upgrade page
          also has a manual Refresh button.</p>
        <label for="upgrade_cache_ttl">Version cache TTL</label>
        <select id="upgrade_cache_ttl" name="upgrade_cache_ttl">
          {% for label, hours in upgrade_ttl_options %}<option value="{{ hours }}" {{ 'selected' if hours == ttl_now }}>{{ label }}</option>{% endfor %}
        </select>
      </div>
    </fieldset>

    <fieldset>
      <legend>🔐 Web capabilities</legend>
      <div class="form-rows">
        <p class="muted full">Groups can further restrict these per member (deny-wins); never re-grant.</p>
        <label class="check full"><input type="checkbox" name="allow_download" value="1"
               {{ 'checked' if web.get('allow_download', true) }}> Allow downloading backups over the web</label>
        <label class="check full"><input type="checkbox" name="allow_restore" value="1"
               {{ 'checked' if web.get('allow_restore', true) }}> Allow push-restore over the web</label>
      </div>
    </fieldset>
    </div>

    <div class="form-actions-bar">
      <button type="submit" class="btn primary">Save settings</button>
    </div>
  </form>
</div>
{% endblock %}