#!/usr/bin/env bash

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
RENDER_SCRIPT="$SCRIPT_DIR/render-rpc-access-gate-nginx.sh"

PRODUCT_SLUG=""
SERVER_NAME=""
SSH_HOST=""
REMOTE_PATH=""
REMOTE_TEST_CMD="nginx -t"
REMOTE_RELOAD_CMD="systemctl reload nginx"
INTERNAL_SECRET="${ACCESS_INTERNAL_SECRET:-}"
VALIDATOR_URL="http://127.0.0.1:8081/api/v1/access/internal/validate-key"
UPSTREAM_URL=""
APPLY=0

usage() {
  cat <<'EOF'
Safely render and install an explorer-managed RPC edge gate onto a remote nginx host.

Default mode is plan-only. Use --apply to copy the rendered config, run nginx -t,
and reload nginx over SSH.

Usage:
  bash explorer-monorepo/scripts/install-rpc-access-gate-nginx-via-ssh.sh \
    --product thirdweb-rpc \
    --server-name thirdweb-rpc.example.org \
    --ssh-host root@192.168.11.217 \
    --internal-secret "$ACCESS_INTERNAL_SECRET" \
    [--remote-path /etc/nginx/conf.d/thirdweb-rpc-gated.conf] \
    [--validator-url http://127.0.0.1:8081/api/v1/access/internal/validate-key] \
    [--upstream http://192.168.11.217:8545] \
    [--apply]
EOF
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    --product)
      PRODUCT_SLUG="$2"
      shift 2
      ;;
    --server-name)
      SERVER_NAME="$2"
      shift 2
      ;;
    --ssh-host)
      SSH_HOST="$2"
      shift 2
      ;;
    --remote-path)
      REMOTE_PATH="$2"
      shift 2
      ;;
    --internal-secret)
      INTERNAL_SECRET="$2"
      shift 2
      ;;
    --validator-url)
      VALIDATOR_URL="$2"
      shift 2
      ;;
    --upstream)
      UPSTREAM_URL="$2"
      shift 2
      ;;
    --remote-test-cmd)
      REMOTE_TEST_CMD="$2"
      shift 2
      ;;
    --remote-reload-cmd)
      REMOTE_RELOAD_CMD="$2"
      shift 2
      ;;
    --apply)
      APPLY=1
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 1
      ;;
  esac
done

if [[ -z "$PRODUCT_SLUG" || -z "$SERVER_NAME" || -z "$SSH_HOST" ]]; then
  echo "ERROR: --product, --server-name, and --ssh-host are required." >&2
  exit 1
fi

if [[ -z "$INTERNAL_SECRET" ]]; then
  echo "ERROR: --internal-secret is required. Set ACCESS_INTERNAL_SECRET or pass --internal-secret." >&2
  exit 1
fi

REMOTE_PATH="${REMOTE_PATH:-/etc/nginx/conf.d/${PRODUCT_SLUG}-gated.conf}"
TMP_RENDER="$(mktemp)"
trap 'rm -f "$TMP_RENDER"' EXIT

render_args=(
  --product "$PRODUCT_SLUG"
  --server-name "$SERVER_NAME"
  --internal-secret "$INTERNAL_SECRET"
  --validator-url "$VALIDATOR_URL"
  --output "$TMP_RENDER"
)

if [[ -n "$UPSTREAM_URL" ]]; then
  render_args+=(--upstream "$UPSTREAM_URL")
fi

bash "$RENDER_SCRIPT" "${render_args[@]}" >/dev/null

echo "== RPC access gate installer =="
echo "Product:      $PRODUCT_SLUG"
echo "Server name:  $SERVER_NAME"
echo "SSH host:     $SSH_HOST"
echo "Remote path:  $REMOTE_PATH"
echo "Validator:    $VALIDATOR_URL"
if [[ -n "$UPSTREAM_URL" ]]; then
  echo "Upstream:     $UPSTREAM_URL"
fi
echo
echo "-- Rendered config preview --"
sed -n '1,220p' "$TMP_RENDER"
echo

if [[ "$APPLY" -ne 1 ]]; then
  cat <<EOF
Plan only. No remote changes were made.

To apply:
  bash explorer-monorepo/scripts/install-rpc-access-gate-nginx-via-ssh.sh \\
    --product "$PRODUCT_SLUG" \\
    --server-name "$SERVER_NAME" \\
    --ssh-host "$SSH_HOST" \\
    --internal-secret '***' \\
    --apply
EOF
  exit 0
fi

echo "Copying rendered config to $SSH_HOST:$REMOTE_PATH ..."
scp "$TMP_RENDER" "$SSH_HOST:$REMOTE_PATH"

echo "Testing nginx config on $SSH_HOST ..."
ssh "$SSH_HOST" "$REMOTE_TEST_CMD"

echo "Reloading nginx on $SSH_HOST ..."
ssh "$SSH_HOST" "$REMOTE_RELOAD_CMD"

echo "Install complete."