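#!/usr/bin/env bash
#
# Migrate proxy-host configurations to NPMplus after installation.
# Run this after NPMplus is installed and running.
#
# Usage: migrate script [PROXMOX_HOST] [CONTAINER_ID] [NPM_URL]
#        (prompts interactively when CONTAINER_ID or NPM_URL is missing)
#
# How secrets and code travel:
#   - The admin password is read from the terminal and streamed to the
#     container over the ssh session's stdin. It is never placed on a
#     command line, so it does not show up in `ps` output or shell history
#     on the workstation, the Proxmox host or the container.
#   - The migration script is streamed the same way, so no script file is
#     written to /tmp locally or remotely (no predictable temp names, nothing
#     left behind when a step fails).
#   - Values are shell-quoted with printf %q before they reach the remote
#     bash, so quotes or metacharacters in the URL or password cannot alter
#     the remote command.
set -euo pipefail

# Load IP configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
# Best effort: a missing config file is not an error, defaults are used.
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

# ${2:-}/${3:-} instead of ${2}/${3}: under `set -u` a bare ${2} aborts the
# script when the argument is absent, so the interactive fallback below
# could never run.
PROXMOX_HOST="${1:-192.168.11.11}"
CONTAINER_ID="${2:-}"
NPM_URL="${3:-}"

if [[ -z "$CONTAINER_ID" || -z "$NPM_URL" ]]; then
  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
  echo "🔄 NPMplus Configuration Migration"
  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
  echo ""
  echo "Usage: $0 [PROXMOX_HOST] [CONTAINER_ID] [NPM_URL]"
  echo ""
  echo "Example:"
  echo "  $0 ${PROXMOX_HOST_R630_01:-192.168.11.11} 106 https://192.168.11.27:81"
  echo ""
  echo "Or run interactively:"
  read -rp "Proxmox Host [${PROXMOX_HOST_R630_01:-192.168.11.11}]: " PROXMOX_HOST
  # Fall back to the same default the prompt advertises.
  PROXMOX_HOST="${PROXMOX_HOST:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
  read -rp "NPMplus Container ID: " CONTAINER_ID
  read -rp "NPMplus URL (https://IP:81): " NPM_URL
  echo ""
fi

if [[ -z "$CONTAINER_ID" || -z "$NPM_URL" ]]; then
  echo "❌ Container ID and NPMplus URL are required" >&2
  exit 1
fi

# CONTAINER_ID is interpolated into the command line run as root on the
# Proxmox host, so accept digits only.
if ! [[ "$CONTAINER_ID" =~ ^[0-9]+$ ]]; then
  echo "❌ Container ID must be numeric" >&2
  exit 1
fi

EMAIL="admin@example.org"
read -rsp "NPMplus Admin Password: " PASSWORD
echo ""

echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "🔐 Authenticating to NPMplus..."
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

# Migration script that runs inside the container. The heredoc delimiter is
# quoted, so nothing in it is expanded here: the ${IP_*}/${RPC_*} references
# are evaluated inside the container, where ip-addresses.conf has not been
# sourced, and therefore resolve to their literal defaults unless the
# container environment happens to define them.
MIGRATE_SCRIPT=$(cat << 'MIGRATE_EOF'
# Runs inside the NPMplus container via `bash -s`. NPM_URL, EMAIL and
# PASSWORD are assigned by the lines the launcher prepends to this script.
set -e

# All curl calls use -k: TLS certificate verification is disabled, so the
# admin password and the bearer token are sent to whatever answers at
# NPM_URL. Once NPMplus serves a certificate the container trusts, drop -k
# (or pin the CA with --cacert).
# The bearer token is still passed in curl's argument list inside the
# container; the password is not.

SUCCESS=0
FAILED=0

# Create (or reuse) a proxy host for one domain, request a Let's Encrypt
# certificate for it and attach the certificate to the host.
# Globals:   NPM_URL, TOKEN (read)
# Arguments: $1 domain, $2 forward scheme, $3 forward hostname,
#            $4 forward port (number), $5 websocket upgrade (true|false)
# Returns:   0 when the proxy host exists or was created (a pending or
#            failed certificate request is only reported), 1 otherwise
create_proxy_host() {
  local domain=$1 scheme=$2 hostname=$3 port=$4 websocket=$5
  local existing host_id payload response cert_response cert_id error

  echo "📋 Processing $domain..."

  # Check if exists. The domain is handed to jq as data (--arg), not spliced
  # into the filter text.
  # NOTE(review): the filter expects the host list under .result; confirm
  # against the response NPMplus actually returns.
  existing=$(curl -s -k -X GET "$NPM_URL/api/nginx/proxy-hosts" \
    -H "Authorization: Bearer $TOKEN" \
    | jq -r --arg domain "$domain" \
        '.result[] | select(.domain_names[] == $domain) | .id' 2>/dev/null || echo "")

  if [ -n "$existing" ] && [ "$existing" != "null" ]; then
    echo "   ℹ️ Already exists (ID: $existing)"
    host_id=$existing
  else
    # Create new
    echo "   ➕ Creating proxy host..."
    # jq builds the JSON so every value is escaped; --argjson requires port
    # and websocket to be valid JSON (a number and a boolean).
    payload=$(jq -n \
      --arg domain "$domain" \
      --arg scheme "$scheme" \
      --arg hostname "$hostname" \
      --argjson port "$port" \
      --argjson websocket "$websocket" \
      '{
        domain_names: [$domain],
        forward_scheme: $scheme,
        forward_hostname: $hostname,
        forward_port: $port,
        allow_websocket_upgrade: $websocket,
        block_exploits: true,
        cache_enabled: false,
        ssl_forced: true,
        http2_support: true,
        hsts_enabled: true,
        hsts_subdomains: true,
        access_list_id: 0,
        certificate_id: 0
      }') || return 1

    response=$(curl -s -k -X POST "$NPM_URL/api/nginx/proxy-hosts" \
      -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type: application/json" \
      -d "$payload") || return 1

    host_id=$(echo "$response" | jq -r '.id // empty' 2>/dev/null || echo "")
    if [ -z "$host_id" ] || [ "$host_id" = "null" ]; then
      error=$(echo "$response" | jq -r '.error.message // .error // "Unknown error"' 2>/dev/null || echo "$response")
      echo "   ❌ Failed: $error"
      return 1
    fi
    echo "   ✅ Created (ID: $host_id)"
  fi

  # Request SSL certificate
  echo "   🔒 Requesting SSL certificate..."
  payload=$(jq -n --arg domain "$domain" \
    '{
      domain_names: [$domain],
      provider: "letsencrypt",
      letsencrypt_email: "nsatoshi2007@hotmail.com",
      letsencrypt_agree: true
    }') || return 1

  cert_response=$(curl -s -k -X POST "$NPM_URL/api/nginx/certificates" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d "$payload") || cert_response=""

  cert_id=$(echo "$cert_response" | jq -r '.id // empty' 2>/dev/null || echo "")
  if [ -z "$cert_id" ] || [ "$cert_id" = "null" ]; then
    error=$(echo "$cert_response" | jq -r '.error.message // .error // "Check manually"' 2>/dev/null || echo "$cert_response")
    echo "   ⚠️ Certificate request: $error"
    echo "   ℹ️ Certificate may be processing or domain may need DNS verification"
  else
    echo "   ✅ Certificate requested (ID: $cert_id)"
    # Update proxy host with certificate
    if [ "$cert_id" != "0" ]; then
      sleep 2 # Wait a moment for certificate to be processed
      # cert_id comes from the API response; --argjson rejects anything that
      # is not valid JSON before it reaches the request body.
      if payload=$(jq -n --argjson cert "$cert_id" \
           '{certificate_id: $cert, ssl_forced: true}') &&
         curl -s -k -X PUT "$NPM_URL/api/nginx/proxy-hosts/$host_id" \
           -H "Authorization: Bearer $TOKEN" \
           -H "Content-Type: application/json" \
           -d "$payload" > /dev/null; then
        # Without -f curl reports success on HTTP error statuses, so this
        # confirms only that the request was delivered.
        echo "   ✅ SSL configured for $domain"
      else
        echo "   ⚠️ Could not attach certificate $cert_id to proxy host $host_id"
      fi
    fi
  fi
  return 0
}

# Run create_proxy_host and tally the outcome.
# `cmd && ((SUCCESS++)) || ((FAILED++))` is not usable here: ((x++)) returns
# status 1 when x was 0, which bumps both counters and, as the last command
# of the list, stops the whole script under `set -e` after the first domain.
configure() {
  if create_proxy_host "$@"; then
    SUCCESS=$((SUCCESS + 1))
  else
    FAILED=$((FAILED + 1))
  fi
}

# The body lives in a function that is called on the last line, so bash has
# read the complete script from stdin before any command in it runs; no
# child process can consume script text from the shared stdin.
main() {
  local token_response error_msg

  echo "🔐 Authenticating..."
  # The password goes from a shell builtin through jq's stdin into curl's
  # stdin: it is JSON-escaped by jq and appears in no process argument list.
  token_response=$(printf '%s' "$PASSWORD" \
    | jq -Rs --arg identity "$EMAIL" '{identity: $identity, secret: .}' \
    | curl -s -k -X POST "$NPM_URL/api/tokens" \
        -H "Content-Type: application/json" \
        --data-binary @-)

  TOKEN=$(echo "$token_response" | jq -r '.token // empty' 2>/dev/null || echo "")
  if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
    error_msg=$(echo "$token_response" | jq -r '.error.message // "Unknown error"' 2>/dev/null || echo "$token_response")
    echo "❌ Authentication failed: $error_msg"
    exit 1
  fi
  echo "✅ Authentication successful"
  echo ""

  # Configure all 19 domains
  echo "🚀 Starting domain configuration (19 domains)..."
  echo ""

  # sankofa.nexus (5 domains) — portal :3000 / Phoenix API :4000 (not Blockscout)
  configure "sankofa.nexus" "http" "192.168.11.51" "3000" "false"
  configure "www.sankofa.nexus" "http" "192.168.11.51" "3000" "false"
  configure "phoenix.sankofa.nexus" "http" "192.168.11.50" "4000" "false"
  configure "www.phoenix.sankofa.nexus" "http" "192.168.11.50" "4000" "false"
  configure "the-order.sankofa.nexus" "http" "192.168.11.39" "80" "false"

  # d-bis.org (9 domains)
  # NOTE(review): the IP_BLOCKSCOUT and IP_DBIS_FRONTEND fallbacks append a
  # literal 0 to the inner default (192.168.11.14 -> 192.168.11.140,
  # 192.168.11.13 -> 192.168.11.130). Kept as found; confirm these are the
  # intended addresses.
  configure "explorer.d-bis.org" "http" "${IP_BLOCKSCOUT:-${IP_DEVICE_14:-192.168.11.14}0}" "80" "false"
  configure "rpc-http-pub.d-bis.org" "https" "${RPC_ALI_2:-192.168.11.252}" "443" "true"
  configure "rpc-ws-pub.d-bis.org" "https" "${RPC_ALI_2:-192.168.11.252}" "443" "true"
  configure "rpc-http-prv.d-bis.org" "https" "${RPC_ALI_1:-192.168.11.251}" "443" "true"
  configure "rpc-ws-prv.d-bis.org" "https" "${RPC_ALI_1:-192.168.11.251}" "443" "true"
  configure "dbis-admin.d-bis.org" "http" "${IP_DBIS_FRONTEND:-${IP_SERVICE_13:-192.168.11.13}0}" "80" "false"
  configure "dbis-api.d-bis.org" "http" "${IP_DBIS_API:-192.168.11.155}" "3000" "false"
  configure "dbis-api-2.d-bis.org" "http" "${IP_DBIS_API_2:-192.168.11.156}" "3000" "false"
  configure "secure.d-bis.org" "http" "${IP_DBIS_FRONTEND:-${IP_SERVICE_13:-192.168.11.13}0}" "80" "false"

  # mim4u.org (4 domains)
  configure "mim4u.org" "http" "${IP_SERVICE_36:-192.168.11.36}" "80" "false"
  configure "www.mim4u.org" "http" "${IP_SERVICE_36:-192.168.11.36}" "80" "false"
  configure "secure.mim4u.org" "http" "${IP_SERVICE_36:-192.168.11.36}" "80" "false"
  configure "training.mim4u.org" "http" "${IP_SERVICE_36:-192.168.11.36}" "80" "false"

  # defi-oracle.io (1 domain)
  configure "rpc.public-0138.defi-oracle.io" "https" "${RPC_ALI_2:-192.168.11.252}" "443" "true"

  echo ""
  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
  echo "📊 Configuration Summary"
  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
  echo "✅ Successful: $SUCCESS"
  echo "⚠️ Failed: $FAILED"
  echo "📋 Total: $((SUCCESS + FAILED))"
  echo ""
  echo "⏳ SSL certificates may take 1-2 minutes to be issued"
}

main
MIGRATE_EOF
)

# Run inside container.
# The script previously copied to /tmp on the Proxmox host was not visible to
# `pct exec`, which runs in the container's own filesystem. Streaming it to
# `bash -s` reaches the container directly. printf is a shell builtin, so the
# password is not exposed in a local argument list either.
echo "🚀 Running migration script in NPMplus container..."
{
  printf 'NPM_URL=%q\n' "$NPM_URL"
  printf 'EMAIL=%q\n' "$EMAIL"
  printf 'PASSWORD=%q\n' "$PASSWORD"
  printf '%s\n' "$MIGRATE_SCRIPT"
} | ssh root@"$PROXMOX_HOST" "pct exec $CONTAINER_ID -- bash -s"

echo ""
echo "✅ Migration complete!"
echo ""
echo "📋 Next steps:"
echo "  1. Update UDM Pro port forwarding to new container IP"
echo "  2. Test all domains: bash scripts/check-east-west-ssl-status.sh"
echo "  3. Verify SSL certificates are issued"
echo ""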