#!/usr/bin/env bash
# Dedicated LXC: static nginx site for https://omdnl.org (and www).
#
# Defaults: VMID 10203, 192.168.11.222, Proxmox r630-01 (override PROXMOX_HOST).
#
# Usage (from a host with SSH to Proxmox):
#   bash scripts/deployment/provision-omdnl-org-web-lxc.sh [--dry-run]
# Then:
#   bash scripts/deployment/sync-omdnl-org-static-to-ct.sh
#   bash scripts/cloudflare/configure-omdnl-org-dns.sh
#   bash scripts/nginx-proxy-manager/upsert-omdnl-org-proxy-host.sh
# Request TLS in NPMplus UI (or scripts/request-npmplus-certificates.sh) once DNS resolves.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

PROXMOX_HOST="${PROXMOX_HOST:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
VMID="${OMDNL_ORG_WEB_VMID:-10203}"
IP_CT="${IP_OMDNL_ORG_WEB:-192.168.11.222}"
HOSTNAME_CT="${OMDNL_ORG_WEB_HOSTNAME:-omdnl-org-web}"
APP_DIR="${OMDNL_ORG_WEB_ROOT:-/var/www/omdnl.org/html}"
SITE_FILE="${OMDNL_ORG_NGINX_SITE:-/etc/nginx/sites-available/omdnl-org}"
NGINX_TEMPLATE="${PROJECT_ROOT}/config/nginx/omdnl-org.site.conf"
TEMPLATE_CT="${TEMPLATE:-local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst}"
STORAGE="${STORAGE:-local-lvm}"
NETWORK="${NETWORK:-vmbr0}"
GATEWAY="${NETWORK_GATEWAY:-192.168.11.1}"
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
DRY_RUN=false
[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true

if [[ ! -f "$NGINX_TEMPLATE" ]]; then
  echo "ERROR: Missing $NGINX_TEMPLATE" >&2
  exit 1
fi

echo "=== Provision omdnl.org web LXC ==="
echo "Proxmox: ${PROXMOX_HOST}  VMID: ${VMID}  IP: ${IP_CT}"

if $DRY_RUN; then
  echo "[DRY-RUN] pct create ${VMID} if missing, apt nginx, install ${SITE_FILE}, enable site"
  exit 0
fi

if ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct list 2>/dev/null | grep -q '^${VMID} '"; then
  echo "CT ${VMID} already exists — skipping pct create"
else
  echo "Creating CT ${VMID} (${HOSTNAME_CT}) @ ${IP_CT}/24..."
  ssh $SSH_OPTS "root@${PROXMOX_HOST}" bash -s <<EOF
set -euo pipefail
pct create ${VMID} ${TEMPLATE_CT} \\
  --hostname ${HOSTNAME_CT} \\
  --memory 512 \\
  --cores 1 \\
  --rootfs ${STORAGE}:4 \\
  --net0 name=eth0,bridge=${NETWORK},ip=${IP_CT}/24,gw=${GATEWAY} \\
  --nameserver ${DNS_PRIMARY:-1.1.1.1} \\
  --description 'Static nginx: omdnl.org (SMOM + Absolute Realms central bank presence)' \\
  --start 1 \\
  --onboot 1 \\
  --unprivileged 1
EOF
  echo "Waiting for CT to boot..."
  sleep 15
fi

ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct status ${VMID}" | grep -q running || {
  echo "ERROR: CT ${VMID} not running — start with: ssh root@${PROXMOX_HOST} 'pct start ${VMID}'" >&2
  exit 1
}

echo "Installing nginx inside CT ${VMID}..."
ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -lc \"set -euo pipefail; export DEBIAN_FRONTEND=noninteractive; apt-get update -qq; apt-get install -y -qq nginx ca-certificates curl; mkdir -p '${APP_DIR}'; rm -f /etc/nginx/sites-enabled/default; systemctl enable nginx\""

echo "Installing nginx site config..."
scp $SSH_OPTS "$NGINX_TEMPLATE" "root@${PROXMOX_HOST}:/tmp/omdnl-org.site.conf"
ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct push ${VMID} /tmp/omdnl-org.site.conf ${SITE_FILE} && rm -f /tmp/omdnl-org.site.conf"
ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -lc \"ln -sf '${SITE_FILE}' /etc/nginx/sites-enabled/omdnl-org && nginx -t && systemctl reload nginx && sleep 1 && curl -fsS -H 'Host: omdnl.org' http://127.0.0.1/health >/dev/null\""

echo ""
echo "✅ Web LXC ${VMID} ready at ${IP_CT}:80"
echo "   Next: bash scripts/deployment/sync-omdnl-org-static-to-ct.sh"