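#!/usr/bin/env bash
# Generate Besu node key (/data/besu/key) only for VMIDs that are missing from
# static-nodes.json (no enode in the list yet). Key file = 64 hex chars (32 bytes).
# After running, use: bash scripts/besu/collect-enodes-from-all-besu-nodes.sh --missing-only
#
# Usage: bash scripts/besu/generate-node-keys-for-missing-vmids.sh [--dry-run] [--collect] [--force]
#   --dry-run  Print which VMIDs would be touched; no SSH connection is made.
#   --collect  Run collect-enodes-from-all-besu-nodes.sh --missing-only after generating keys.
#   --force    Overwrite existing key file with new 64-hex key (fixes PEM/wrong-format keys).
#
# Security notes:
#   * /data/besu/key is the node's private key. Replacing it gives the node a
#     new enode identity and the old key is not kept; back it up first if the
#     old identity may still be needed.
#   * --force is refused when static-nodes.json cannot be read, because in that
#     case every VMID looks "missing" and every key would be overwritten.
#   * Unknown options are rejected so that a mistyped --dry-run cannot turn
#     into a real run.
#   * SSH uses StrictHostKeyChecking=accept-new: an unknown host key is trusted
#     on first contact. Pre-populate known_hosts for the Proxmox hosts if that
#     first contact cannot be trusted.
#   * config/ip-addresses.conf is sourced, i.e. executed as shell code; it must
#     be writable only by trusted users.
#   * Only status tokens are printed by the remote step; the key material never
#     appears on stdout.

set -euo pipefail

die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

usage() {
  printf 'Usage: %s [--dry-run] [--collect] [--force]\n' "${0##*/}" >&2
  exit 2
}

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"

# Optional overrides for the PROXMOX_* host addresses; defaults below apply
# when the file is absent.
# shellcheck disable=SC1091
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

DRY_RUN=false
RUN_COLLECT=false
FORCE=false
for arg in "$@"; do
  case "$arg" in
    --dry-run) DRY_RUN=true ;;
    --collect) RUN_COLLECT=true ;;
    --force) FORCE=true ;;
    '') ;; # tolerate an empty argument passed through by a wrapper
    *)
      printf 'Unknown option: %s\n' "$arg" >&2
      usage
      ;;
  esac
done

STATIC_FILE="${PROJECT_ROOT}/config/besu-node-lists/static-nodes.json"

# Kept as an array so each option stays a separate word without relying on
# unquoted word splitting.
SSH_OPTS=(-o ConnectTimeout=8 -o StrictHostKeyChecking=accept-new)

BESU_VMIDS=(
  1000 1001 1002 1003 1004
  1500 1501 1502 1503 1504 1505 1506 1507 1508
  2101 2102 2201
  2301 2303 2304 2305 2306
  2400 2401 2402 2403
  2500 2501 2502 2503 2504 2505
)

# Proxmox host that runs each container (VMID -> host address).
declare -A HOST_BY_VMID
for v in 1000 1001 1002 1500 1501 1502 2101 2500 2501 2502 2503 2504 2505; do
  HOST_BY_VMID[$v]="${PROXMOX_R630_01:-192.168.11.11}"
done
for v in 2201 2303 2401; do
  HOST_BY_VMID[$v]="${PROXMOX_R630_02:-192.168.11.12}"
done
for v in 1003 1004 1503 1504 1505 1506 1507 1508 2102 2301 2304 2305 2306 2400 2402 2403; do
  HOST_BY_VMID[$v]="${PROXMOX_ML110:-192.168.11.10}"
done

# Node IP of each container (VMID -> IP), matched against the enode list.
declare -A IP_BY_VMID=(
  [1000]=192.168.11.100
  [1001]=192.168.11.101
  [1002]=192.168.11.102
  [1003]=192.168.11.103
  [1004]=192.168.11.104
  [1500]=192.168.11.150
  [1501]=192.168.11.151
  [1502]=192.168.11.152
  [1503]=192.168.11.153
  [1504]=192.168.11.154
  [1505]=192.168.11.213
  [1506]=192.168.11.214
  [1507]=192.168.11.244
  [1508]=192.168.11.245
  [2101]=192.168.11.211
  [2102]=192.168.11.212
  [2201]=192.168.11.221
  [2301]=192.168.11.232
  [2303]=192.168.11.233
  [2304]=192.168.11.234
  [2305]=192.168.11.235
  [2306]=192.168.11.236
  [2400]=192.168.11.240
  [2401]=192.168.11.241
  [2402]=192.168.11.242
  [2403]=192.168.11.243
  [2500]=192.168.11.172
  [2501]=192.168.11.173
  [2502]=192.168.11.174
  [2503]=192.168.11.246
  [2504]=192.168.11.247
  [2505]=192.168.11.248
)

# Which VMIDs are missing (IP not in current static-nodes.json)
declare -A EXISTING_IP=()
list_readable=false
enode_re='enode://[a-fA-F0-9]*@([0-9.]*):'
if [[ -f "$STATIC_FILE" ]]; then
  # jq's exit status is checked so that a missing jq binary or a corrupt file
  # is not mistaken for an empty enode list.
  if enode_list=$(jq -r '.[]' "$STATIC_FILE" 2>/dev/null); then
    list_readable=true
    while IFS= read -r enode; do
      [[ -n "$enode" ]] || continue
      if [[ "$enode" =~ $enode_re ]]; then
        ip="${BASH_REMATCH[1]}"
        if [[ -n "$ip" ]]; then
          EXISTING_IP[$ip]=1
        fi
      fi
    done <<<"$enode_list"
  fi
fi

if [[ "$list_readable" != true ]]; then
  printf 'WARNING: cannot read enode list from %s; treating every VMID as missing.\n' \
    "$STATIC_FILE" >&2
  # Without a readable list the "missing" set is all nodes, so --force would
  # replace every existing node key. Fail closed instead.
  if [[ "$FORCE" == true ]]; then
    die "refusing --force without a readable static-nodes.json (would overwrite every node key)"
  fi
fi

VMIDS_TO_FIX=()
for vmid in "${BESU_VMIDS[@]}"; do
  ip="${IP_BY_VMID[$vmid]:-}"
  [[ -n "$ip" ]] || continue
  if [[ -z "${EXISTING_IP[$ip]:-}" ]]; then
    VMIDS_TO_FIX+=("$vmid")
  fi
done

if [[ ${#VMIDS_TO_FIX[@]} -eq 0 ]]; then
  echo "All ${#BESU_VMIDS[@]} IPs already in static-nodes.json. No keys to generate."
  exit 0
fi

echo "Generating node keys for ${#VMIDS_TO_FIX[@]} VMIDs (missing from list): ${VMIDS_TO_FIX[*]}"
echo ""

# Script executed inside each container via "pct exec ... bash -c". It is
# embedded in single quotes on the remote command line, so it must not contain
# a single-quote character. $1 is the force flag (true/false).
# Status tokens on stdout: OK, SKIP, NOOPENSSL, MKTEMPFAIL, BADKEY. None of the
# failure tokens contains "OK" or "SKIP", which the caller matches by substring.
REMOTE_SCRIPT=$(
  cat <<'REMOTE'
set -u
# Restrictive umask so the key is never group- or world-readable, not even
# between creation and chmod.
umask 077
force=${1:-false}
key=/data/besu/key
mkdir -p /data/besu
if [ -f "$key" ] || [ -f /data/besu/nodekey ]; then
  if [ "$force" != true ]; then
    echo SKIP
    exit 0
  fi
fi
if ! command -v openssl >/dev/null 2>&1; then
  echo NOOPENSSL
  exit 1
fi
# Write to a temp file in the same directory and rename it into place, so a
# failed run cannot leave an existing key truncated or half-written.
tmp=$(mktemp /data/besu/.key.XXXXXX) || { echo MKTEMPFAIL; exit 1; }
cleanup() { rm -f -- "$tmp"; }
trap cleanup EXIT
openssl rand -hex 32 >"$tmp" || exit 1
if ! grep -Eqx "[0-9a-f]{64}" "$tmp"; then
  echo BADKEY
  exit 1
fi
chmod 600 "$tmp" || exit 1
chown besu:besu "$tmp" 2>/dev/null || chown root:root "$tmp" || exit 1
mv -f -- "$tmp" "$key" || exit 1
echo OK
REMOTE
)

for vmid in "${VMIDS_TO_FIX[@]}"; do
  host="${HOST_BY_VMID[$vmid]:-}"
  ip="${IP_BY_VMID[$vmid]:-}"
  if [[ -z "$host" ]]; then
    echo " $vmid: no host"
    continue
  fi
  if [[ "$DRY_RUN" == true ]]; then
    echo " [dry-run] VMID $vmid @ $host: would ensure /data/besu/key (64 hex)"
    continue
  fi
  # stderr is discarded on purpose (ssh host-key notices); any failure is
  # reported as the token FAIL appended to whatever the remote step printed.
  result=$(ssh "${SSH_OPTS[@]}" "root@${host}" \
    "pct exec ${vmid} -- bash -c '${REMOTE_SCRIPT}' besu-keygen ${FORCE}" \
    2>/dev/null || echo "FAIL")
  case "$result" in
    *OK*) echo " $vmid $ip: key generated" ;;
    *SKIP*) echo " $vmid $ip: key already present (skip)" ;;
    *) echo " $vmid $ip: $result" ;;
  esac
done

echo ""
if [[ "$RUN_COLLECT" == true && "$DRY_RUN" != true ]]; then
  echo "Running collect-enodes-from-all-besu-nodes.sh --missing-only..."
  bash "${SCRIPT_DIR}/collect-enodes-from-all-besu-nodes.sh" --missing-only
fi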