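#!/usr/bin/env bash
# Install Nginx on LXC 5800 to serve HTTPS on 443 (self-signed cert) and proxy to Mifos on 80.
# Use with Cloudflare Tunnel Service https://192.168.11.85:443 and Origin config "No TLS Verify".
#   "No TLS Verify" makes cloudflared accept any certificate presented by the origin, so the
#   self-signed cert encrypts the hop but does not authenticate the origin. Trusting this exact
#   cert in the tunnel's origin configuration is the stricter alternative.
# Run from project root: ./scripts/mifos/install-nginx-https-5800.sh
#
# Optional overrides (environment, or config/ip-addresses.conf which is sourced below):
#   PROXMOX_HOST_R630_02  Proxmox host that runs the container   (default 192.168.11.12)
#   MIFOS_VMID            container ID, digits only              (default 5800)
#   MIFOS_DOMAIN          hostname for the cert CN/SAN and server_name (default mifos.d-bis.org)
#   MIFOS_LXC_IP          container IP for the cert SAN and server_name (default 192.168.11.85)
set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"

# Best-effort: the config file is optional; the defaults below apply when it is absent.
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
VMID="${MIFOS_VMID:-5800}"
DOMAIN="${MIFOS_DOMAIN:-mifos.d-bis.org}"
LXC_IP="${MIFOS_LXC_IP:-192.168.11.85}"
# accept-new trusts the host key on first contact; a changed key still aborts the connection.
SSH_OPTS=(-o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new)

# VMID is interpolated into a command line parsed by the remote shell; accept digits only.
[[ "${VMID}" =~ ^[0-9]+$ ]] || die "MIFOS_VMID must be numeric, got: ${VMID}"

# Commands to run inside the container. Single-quoted so nothing expands on this side;
# DOMAIN and LXC_IP are prepended as shell-quoted assignments right before sending.
INNER_BODY='
set -e
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq
# NOTE(review): the packaged default site listens on *:80. If Mifos already holds port 80,
# the service start performed by the package may fail here -- confirm on the target.
apt-get install -y -qq nginx openssl

SSL_DIR="/etc/nginx/ssl"
mkdir -p "$SSL_DIR"
# Generate the cert only once so re-runs keep the cert the tunnel has already seen.
if [ ! -f "$SSL_DIR/mifos.crt" ]; then
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout "$SSL_DIR/mifos.key" -out "$SSL_DIR/mifos.crt" \
    -subj "/CN=${DOMAIN}" \
    -addext "subjectAltName=DNS:${DOMAIN},DNS:${LXC_IP},IP:${LXC_IP},IP:127.0.0.1"
  chmod 600 "$SSL_DIR/mifos.key"
  chmod 644 "$SSL_DIR/mifos.crt"
  echo "Created self-signed cert in $SSL_DIR"
fi

# Nginx site for 443 -> 80. The heredoc delimiter is unquoted so ${DOMAIN} and ${LXC_IP}
# expand; the nginx variables are written as \$host etc. so they reach the file literally.
# TLS protocol/cipher settings are inherited from the http block of nginx.conf; pin
# ssl_protocols in this server block if the distro default is wider than wanted.
cat > /etc/nginx/sites-available/mifos-https <<NGINX_EOF
server {
    listen 443 ssl;
    server_name ${DOMAIN} ${LXC_IP} 127.0.0.1;
    ssl_certificate /etc/nginx/ssl/mifos.crt;
    ssl_certificate_key /etc/nginx/ssl/mifos.key;
    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
NGINX_EOF
ln -sf /etc/nginx/sites-available/mifos-https /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
# Separate statements on purpose: in an && chain only the last command is subject to
# set -e, so a failing "nginx -t" would have been ignored and the success line printed.
nginx -t
systemctl enable nginx
# reload-or-restart also covers the case where nginx is installed but not yet running.
systemctl reload-or-restart nginx
echo "Nginx HTTPS (443) -> http://127.0.0.1:80 enabled."
'

# %q quotes the values so the inner shell receives them verbatim whatever they contain.
INNER_SCRIPT="$(printf 'DOMAIN=%q\nLXC_IP=%q\n' "${DOMAIN}" "${LXC_IP}")${INNER_BODY}"

printf 'Installing Nginx + self-signed SSL in LXC %s on %s (HTTPS 443 -> Mifos:80)...\n' "${VMID}" "${HOST}"
ssh "${SSH_OPTS[@]}" "root@${HOST}" "pct exec ${VMID} -- bash -s" <<< "${INNER_SCRIPT}"
printf "Done. In Cloudflare: set Service to https://%s:443 and add Origin configuration 'No TLS Verify'.\n" "${LXC_IP}"
# The literal \n inside the quotes is intentional: it is the curl -w format, not a line break here.
printf '%s\n' "Verify: ssh root@${HOST} 'pct exec ${VMID} -- curl -sk https://127.0.0.1:443 -o /dev/null -w \"%{http_code}\n\"'"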