#!/usr/bin/env bash
set -e

GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'

if [ ! -f ".env" ]; then
    echo -e "${RED}[ERROR] .env file not found. Skipping SSL setup.${NC}"
    exit 1
fi

source .env

SSL_MODE="${SSL_MODE:-none}"
NGINX_CONF_DIR="./nginx/conf.d"
NGINX_SSL_DIR="./nginx/ssl"

mkdir -p "$NGINX_CONF_DIR" "$NGINX_SSL_DIR"

# ── Helper: write HTTP-only config ──
write_http_conf() {
    cat > "$NGINX_CONF_DIR/gitea.conf" <<'NGINX'
server {
    listen 80;
    server_name _;

    location / {
        proxy_pass http://gitea:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 512M;
    }
}
NGINX
}

# ── Helper: write HTTPS config (works for both letsencrypt & custom) ──
write_https_conf() {
    local cert_path="$1"
    local key_path="$2"

    cat > "$NGINX_CONF_DIR/gitea.conf" <<NGINX
server {
    listen 80;
    server_name ${GITEA_DOMAIN};

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name ${GITEA_DOMAIN};

    ssl_certificate     ${cert_path};
    ssl_certificate_key ${key_path};
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://gitea:3000;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        client_max_body_size 512M;
    }
}
NGINX
}

# ── Main logic ──
case "$SSL_MODE" in

  none)
    echo -e "${YELLOW}[SSL] Mode: none — HTTP only${NC}"
    write_http_conf
    ;;

  letsencrypt)
    echo -e "${GREEN}[SSL] Mode: letsencrypt${NC}"

    if [[ -z "$LETSENCRYPT_EMAIL" ]]; then
        echo -e "${RED}[ERROR] LETSENCRYPT_EMAIL is required for letsencrypt mode.${NC}"
        exit 1
    fi
    if [[ -z "$GITEA_DOMAIN" ]]; then
        echo -e "${RED}[ERROR] GITEA_DOMAIN is required for letsencrypt mode.${NC}"
        exit 1
    fi

    CERT="/etc/letsencrypt/live/${GITEA_DOMAIN}/fullchain.pem"
    KEY="/etc/letsencrypt/live/${GITEA_DOMAIN}/privkey.pem"

    # If certs don't exist yet, start with HTTP-only so Nginx can boot
    # for the ACME challenge. After certbot runs we'll switch to HTTPS.
    if docker volume inspect gitea-deployment_certbot_certs >/dev/null 2>&1 && \
       docker run --rm -v gitea-deployment_certbot_certs:/etc/letsencrypt alpine \
         test -f "/etc/letsencrypt/live/${GITEA_DOMAIN}/fullchain.pem" 2>/dev/null; then
        echo "[SSL] Existing Let's Encrypt certs found. Writing HTTPS config."
        write_https_conf "$CERT" "$KEY"
    else
        echo "[SSL] No certs yet. Writing temporary HTTP config for ACME challenge."
        write_http_conf
    fi
    ;;

  custom)
    echo -e "${GREEN}[SSL] Mode: custom${NC}"

    if [[ -z "$SSL_CERT_PATH" || -z "$SSL_KEY_PATH" ]]; then
        echo -e "${RED}[ERROR] SSL_CERT_PATH and SSL_KEY_PATH are required for custom mode.${NC}"
        exit 1
    fi
    if [[ ! -f "$SSL_CERT_PATH" ]]; then
        echo -e "${RED}[ERROR] Certificate not found: $SSL_CERT_PATH${NC}"
        exit 1
    fi
    if [[ ! -f "$SSL_KEY_PATH" ]]; then
        echo -e "${RED}[ERROR] Key not found: $SSL_KEY_PATH${NC}"
        exit 1
    fi

    cp "$SSL_CERT_PATH" "$NGINX_SSL_DIR/cert.pem"
    cp "$SSL_KEY_PATH"  "$NGINX_SSL_DIR/key.pem"
    chmod 600 "$NGINX_SSL_DIR/key.pem"

    write_https_conf "/etc/nginx/ssl/cert.pem" "/etc/nginx/ssl/key.pem"
    echo -e "${GREEN}[SSL] Custom certificates copied to $NGINX_SSL_DIR${NC}"
    ;;

  *)
    echo -e "${RED}[ERROR] Unknown SSL_MODE: $SSL_MODE (expected: none, letsencrypt, custom)${NC}"
    exit 1
    ;;
esac

echo -e "${GREEN}[SSL] Nginx config written to $NGINX_CONF_DIR/gitea.conf${NC}"