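#!/usr/bin/env bash
#
# vozex-proxy-sync: write (or refresh) the aaPanel nginx vhost for one
# customer domain and reload nginx.
#
# Usage: vozex-proxy-sync.sh <DOMAIN> <INSTALL_ID> <FRONTEND_PORT>
#
#   DOMAIN         hostname the vhost answers for. It also names the vhost
#                  file, the placeholder webroot and the Let's Encrypt live
#                  directory, so it is validated strictly (see validate_domain).
#   INSTALL_ID     accepted for interface compatibility; not used by this script.
#   FRONTEND_PORT  loopback TCP port the customer's frontend listens on.
#
# Environment overrides (all optional):
#   AAPANEL_NGINX_VHOST_DIR   default /www/server/panel/vhost/nginx
#   VOZEX_SITE_WEBROOT_BASE   default /www/wwwroot/vozex.cloud/customer-sites
#   VOZEX_ACME_WEBROOT        default /www/wwwroot/vozex.cloud/_acme-challenge
#   VOZEX_NGINX_BIN           default nginx
#   VOZEX_CERT_ROOT           default /etc/letsencrypt/live
#
# Output: the path of the installed vhost file on stdout.
# Exit status: 1 on bad arguments, or when `nginx -t` rejects the new
# configuration (the previous vhost file is put back and nginx is not reloaded).
set -euo pipefail

readonly LOG_TAG='[vozex-proxy-sync]'

#######################################
# Print a tagged diagnostic to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s %s\n' "${LOG_TAG}" "$*" >&2
  exit 1
}

#######################################
# Reject anything that is not a plain DNS hostname.
#
# DOMAIN is spliced into filesystem paths (vhost file, webroot, certificate
# directory), into the nginx config and into the placeholder HTML. The
# previous check ('^[A-Za-z0-9.-]+$') accepted '.', '..', 'a..b' and leading
# or trailing dots, so a DOMAIN of '..' resolved SITE_ROOT to the parent of
# WEBROOT_BASE and the cert paths to the parent of CERT_ROOT. Hostname
# syntax (labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen,
# single dots between labels, 253 chars total) rules all of that out and
# still admits every name certbot/nginx would accept, including punycode.
# Arguments: $1 - candidate domain
#######################################
validate_domain() {
  local label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
  # Built in a variable so the backslash and anchors survive [[ =~ ]] unquoted.
  local re="^${label}(\\.${label})*\$"
  if (( ${#1} > 253 )) || ! [[ "$1" =~ $re ]]; then
    die "Invalid domain: $1"
  fi
}

#######################################
# Reject ports outside 1..65535. The old digits-only check let 0 or 99999
# through and the failure only surfaced from `nginx -t` after the vhost had
# already been moved into place. Length is capped at 5 digits before the
# arithmetic so an absurdly long string cannot wrap.
# Arguments: $1 - candidate port
#######################################
validate_port() {
  if ! [[ "$1" =~ ^[0-9]{1,5}$ ]] || (( 10#$1 < 1 || 10#$1 > 65535 )); then
    die "Invalid frontend port: $1"
  fi
}

if (( $# < 3 )); then
  echo "Usage: $0 <DOMAIN> <INSTALL_ID> <FRONTEND_PORT>" >&2
  exit 1
fi

DOMAIN="$1"
# shellcheck disable=SC2034  # part of the CLI contract, unused here
INSTALL_ID="$2"
FRONTEND_PORT="$3"

validate_domain "${DOMAIN}"
validate_port "${FRONTEND_PORT}"

readonly VHOST_DIR="${AAPANEL_NGINX_VHOST_DIR:-/www/server/panel/vhost/nginx}"
readonly WEBROOT_BASE="${VOZEX_SITE_WEBROOT_BASE:-/www/wwwroot/vozex.cloud/customer-sites}"
readonly ACME_ROOT="${VOZEX_ACME_WEBROOT:-/www/wwwroot/vozex.cloud/_acme-challenge}"
readonly NGINX_BIN="${VOZEX_NGINX_BIN:-nginx}"
readonly CERT_ROOT="${VOZEX_CERT_ROOT:-/etc/letsencrypt/live}"
readonly CONFIG_PATH="${VHOST_DIR}/${DOMAIN}.conf"
readonly SITE_ROOT="${WEBROOT_BASE}/${DOMAIN}"
readonly FULLCHAIN="${CERT_ROOT}/${DOMAIN}/fullchain.pem"
readonly PRIVKEY="${CERT_ROOT}/${DOMAIN}/privkey.pem"

mkdir -p "${VHOST_DIR}" "${SITE_ROOT}" "${ACME_ROOT}/.well-known/acme-challenge"

# Placeholder page, rewritten on every sync. DOMAIN is safe to inline in HTML
# because validate_domain only admits [A-Za-z0-9.-].
cat > "${SITE_ROOT}/index.html" <<EOF
<!doctype html>
<html lang="en">
<head><meta charset="utf-8"><title>${DOMAIN}</title></head>
<body><p>${DOMAIN} is managed by Vozex.</p></body>
</html>
EOF

#######################################
# The port-80 server header shared by both vhost variants.
# Globals: DOMAIN, SITE_ROOT
#######################################
emit_port80_head() {
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${DOMAIN};

    root ${SITE_ROOT};
    index index.html;

EOF
}

#######################################
# HTTP-01 challenge location, served from the shared ACME webroot. Emitted in
# every server block so issuance and renewal work on both ports.
# Globals: ACME_ROOT
#######################################
emit_acme_location() {
  cat <<EOF
    location ^~ /.well-known/acme-challenge/ {
        root ${ACME_ROOT};
        default_type "text/plain";
        try_files \$uri =404;
    }
EOF
}

#######################################
# Reverse-proxy location to the customer frontend on loopback.
# Arguments: $1 - literal value for X-Forwarded-Proto (e.g. '$scheme' or https)
# Globals: FRONTEND_PORT
#
# NOTE(review): X-Forwarded-For is appended to, not replaced, so the backend
# must only trust the last hop (or X-Real-IP) for the client address.
# NOTE(review): Connection "upgrade" is sent on every request, not only on
# WebSocket upgrades; the usual fix is a `map $http_upgrade $connection_upgrade`
# in the http{} context, which a per-vhost file cannot declare without
# colliding with other vhosts, so it is left as is here.
#######################################
emit_proxy_location() {
  local forwarded_proto="$1"
  cat <<EOF
    location / {
        proxy_pass http://127.0.0.1:${FRONTEND_PORT};
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host \$host;
        proxy_set_header X-Forwarded-Proto ${forwarded_proto};
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 300s;
    }
EOF
}

#######################################
# Vhost used before a certificate exists: plain HTTP proxy plus ACME location.
#######################################
render_plain_vhost() {
  emit_port80_head
  emit_acme_location
  echo
  emit_proxy_location '$scheme'
  echo '}'
}

#######################################
# Vhost used once fullchain.pem/privkey.pem exist: port 80 only answers ACME
# challenges and redirects everything else to HTTPS; port 443 proxies.
# Globals: DOMAIN, SITE_ROOT, FULLCHAIN, PRIVKEY
#
# TLS settings follow the Mozilla "intermediate" profile (the session cache
# is already named after it); the explicit ssl_ciphers line keeps TLS 1.2
# away from the OpenSSL build's default list, which includes static-RSA and
# CBC suites.
# NOTE(review): `http2` on the listen line is deprecated from nginx 1.25.1
# (`http2 on;`); it still works with a warning on current builds.
#######################################
render_tls_vhost() {
  emit_port80_head
  emit_acme_location
  cat <<EOF

    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${DOMAIN};

    ssl_certificate ${FULLCHAIN};
    ssl_certificate_key ${PRIVKEY};
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    root ${SITE_ROOT};
    index index.html;

EOF
  emit_acme_location
  echo
  emit_proxy_location https
  echo '}'
}

# Stage the new vhost next to its destination so the final mv is an atomic
# rename on the same filesystem (a /tmp mktemp would be copied instead). The
# dotfile name with a random suffix is not matched by the panel's *.conf
# include, so a half-written file is never loaded.
TMP_FILE="$(mktemp "${VHOST_DIR}/.${DOMAIN}.conf.XXXXXX")"
BACKUP=""

cleanup() {
  rm -f -- "${TMP_FILE}"
  if [[ -n "${BACKUP}" ]]; then
    rm -f -- "${BACKUP}"
  fi
  return 0
}
trap cleanup EXIT

if [[ -f "${FULLCHAIN}" && -f "${PRIVKEY}" ]]; then
  render_tls_vhost > "${TMP_FILE}"
else
  render_plain_vhost > "${TMP_FILE}"
fi

# Keep the previous vhost so a failed `nginx -t` does not leave a broken file
# in place (which would also block every later reload on this host).
if [[ -f "${CONFIG_PATH}" ]]; then
  BACKUP="$(mktemp "${VHOST_DIR}/.${DOMAIN}.conf.bak.XXXXXX")"
  cp -p -- "${CONFIG_PATH}" "${BACKUP}"
fi

mv -- "${TMP_FILE}" "${CONFIG_PATH}"

if ! "${NGINX_BIN}" -t; then
  if [[ -n "${BACKUP}" ]]; then
    mv -- "${BACKUP}" "${CONFIG_PATH}"
  else
    rm -f -- "${CONFIG_PATH}"
  fi
  die "nginx -t rejected ${CONFIG_PATH}; previous vhost restored, nginx not reloaded"
fi

"${NGINX_BIN}" -s reload

printf '%s\n' "${CONFIG_PATH}"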