#!/usr/bin/env bash
# Add dapp.d-bis.org -> 192.168.11.58:80 to NPMplus primary (192.168.11.167:81)
# Usage: NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/add-dapp-proxy-host.sh
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
[ -f "$PROJECT_ROOT/.env" ] && set +u && source "$PROJECT_ROOT/.env" 2>/dev/null || true && set -u
NPM_URL="${NPM_URL:-https://192.168.11.167:81}"
NPM_EMAIL="${NPM_EMAIL:-admin@example.org}"
NPM_PASSWORD="${NPM_PASSWORD:-}"
DAPP_IP="${IP_DAPP_LXC:-192.168.11.58}"
[ -z "$NPM_PASSWORD" ] && echo "Set NPM_PASSWORD" && exit 1
COOKIE_JAR="/tmp/npm_dapp_$$"
trap "rm -f $COOKIE_JAR" EXIT
AUTH_JSON=$(jq -n --arg identity "$NPM_EMAIL" --arg secret "$NPM_PASSWORD" '{identity:$identity,secret:$secret}')
TOKEN_RESP=$(curl -sk -X POST "$NPM_URL/api/tokens" -H "Content-Type: application/json" -d "$AUTH_JSON" -c "$COOKIE_JAR")
TOKEN=$(echo "$TOKEN_RESP" | jq -r '.token // .accessToken // .data.token // empty')
if [ -z "$TOKEN" ]; then echo "Auth failed"; echo "$TOKEN_RESP" | jq . 2>/dev/null; exit 1; fi
BODY=$(jq -n --arg domain "dapp.d-bis.org" --arg host "$DAPP_IP" --argjson port 80 \
  '{domain_names:[$domain],forward_scheme:"http",forward_host:$host,forward_port:$port,allow_websocket_upgrade:true,certificate_id:null,ssl_forced:false}')
resp=$(curl -sk -X POST "$NPM_URL/api/nginx/proxy-hosts" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "$BODY")
id=$(echo "$resp" | jq -r '.id // empty')
if [ -n "$id" ]; then echo "Added: dapp.d-bis.org -> $DAPP_IP:80"; else echo "$resp" | jq . 2>/dev/null; exit 1; fi
echo "Request SSL in NPMplus UI for dapp.d-bis.org and enable Force SSL."