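#!/usr/bin/env bash
# Add Cloudflare A records for domains that verification reports as "Not found"
# (export only lists A records; these may be missing or CNAME).
# Creates DNS-only A records pointing to PUBLIC_IP.
#
# Usage: bash scripts/verify/add-missing-cloudflare-a-records.sh [--dry-run]
#
# Environment (read from the process environment or from .env in the project root):
#   CLOUDFLARE_API_TOKEN                  API token; takes precedence when set
#   CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY legacy key pair, used only without a token
#   CLOUDFLARE_ZONE_ID_D_BIS_ORG          zone id for d-bis.org (falls back to CLOUDFLARE_ZONE_ID)
#   CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO     zone id for defi-oracle.io
#   PUBLIC_IP                             IPv4 address the A records point to
#
# Security notes:
#   * .env is sourced, i.e. executed as shell code, and holds API credentials.
#     Keep it out of version control and readable only by the operator.
#   * Credentials reach curl on stdin rather than on the command line, so they
#     do not show up in process listings or in `set -x` traces of the curl call.
#   * Records are created with proxied:false, which publishes PUBLIC_IP directly
#     in DNS. Confirm that is intended for every name listed below.
#
# Exit status: 0 when every record was created, already existed or was skipped;
# 1 when credentials or tools are missing, PUBLIC_IP is malformed, or at least
# one record could not be created.
set -euo pipefail

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
cd "$PROJECT_ROOT"

if [[ -f .env ]]; then
  # .env may reference unset variables, so relax -u while it loads.
  # stderr stays suppressed as before; a non-zero status from .env still aborts (set -e).
  set +u
  # shellcheck disable=SC1091
  source .env 2>/dev/null
  set -u
fi

DRY_RUN=false
if [[ "${1:-}" == "--dry-run" ]]; then
  DRY_RUN=true
fi

CLOUDFLARE_API_TOKEN="${CLOUDFLARE_API_TOKEN:-}"
CLOUDFLARE_EMAIL="${CLOUDFLARE_EMAIL:-}"
CLOUDFLARE_API_KEY="${CLOUDFLARE_API_KEY:-}"
PUBLIC_IP="${PUBLIC_IP:-76.53.10.36}"
ZONE_D_BIS="${CLOUDFLARE_ZONE_ID_D_BIS_ORG:-${CLOUDFLARE_ZONE_ID:-}}"
ZONE_DEFI_ORACLE="${CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO:-}"

command -v curl >/dev/null || die "curl is required"
command -v jq >/dev/null || die "jq is required"

# One header per line; add_record feeds this to curl on stdin.
if [[ -n "$CLOUDFLARE_API_TOKEN" ]]; then
  AUTH_HEADER="Authorization: Bearer $CLOUDFLARE_API_TOKEN"
elif [[ -n "$CLOUDFLARE_EMAIL" && -n "$CLOUDFLARE_API_KEY" ]]; then
  AUTH_HEADER="X-Auth-Email: $CLOUDFLARE_EMAIL"$'\n'"X-Auth-Key: $CLOUDFLARE_API_KEY"
else
  die "Set CLOUDFLARE_API_TOKEN or CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY in .env"
fi

# An A record needs an IPv4 address; reject anything that is not a dotted quad
# before it is sent. Octet range checking is left to the API.
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
[[ "$PUBLIC_IP" =~ $ipv4_re ]] || die "PUBLIC_IP is not an IPv4 address: $PUBLIC_IP"

# Entries are "name (FQDN)|zone_id".
RECORDS=(
  "rpc-http-pub.d-bis.org|$ZONE_D_BIS"
  "rpc-http-prv.d-bis.org|$ZONE_D_BIS"
  "rpc-fireblocks.d-bis.org|$ZONE_D_BIS"
  "ws.rpc-fireblocks.d-bis.org|$ZONE_D_BIS"
)
RECORDS_DEFI=(
  "rpc.public-0138.defi-oracle.io|$ZONE_DEFI_ORACLE"
)

# Number of records that could not be created; decides the exit status.
failures=0

#######################################
# Create one DNS-only A record, or describe it when DRY_RUN is true.
# Globals:   PUBLIC_IP, DRY_RUN, AUTH_HEADER (read)
# Arguments: $1 - record name (FQDN), $2 - Cloudflare zone id
# Outputs:   the API response body, or the dry-run message, on stdout
# Returns:   1 if the zone id is empty or the payload cannot be built;
#            otherwise curl's exit status (0 in dry-run mode)
#######################################
add_record() {
  local name=$1
  local zone_id=$2
  local data

  [[ -n "$zone_id" ]] || return 1

  # jq builds the payload so name and content are JSON-escaped.
  data=$(jq -n --arg type "A" --arg name "$name" --arg content "$PUBLIC_IP" \
    '{type:$type,name:$name,content:$content,ttl:1,proxied:false}') || return 1

  if [[ "$DRY_RUN" == true ]]; then
    echo "[DRY-RUN] Would create A $name -> $PUBLIC_IP in zone $zone_id"
    return 0
  fi

  # -H @- reads the auth header(s) from stdin (needs curl 7.55.0 or newer),
  # keeping the credential out of argv. No --fail: the JSON error body is
  # needed to recognise the "already exists" case.
  curl -sS --max-time 30 -X POST \
    "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records" \
    -H @- \
    -H "Content-Type: application/json" \
    -d "$data" <<<"$AUTH_HEADER"
}

#######################################
# Create every record in a list and report the outcome of each.
# Globals:   DRY_RUN, PUBLIC_IP (read), failures (written)
# Arguments: $1 - zone label used in the skip message, $2.. - "name|zone_id" entries
# Outputs:   one status line per record; failures go to stderr
#######################################
process_records() {
  local label=$1
  shift
  local entry name zone_id result success err

  for entry in "$@"; do
    IFS='|' read -r name zone_id <<<"$entry"

    # Without this guard add_record returns 1 and set -e ends the script
    # without any message.
    if [[ -z "$zone_id" ]]; then
      echo "Skip $name (no $label zone id)"
      continue
    fi

    # The zone id becomes part of the request URL; refuse values that could
    # alter the path or query (assumes ids are plain alphanumeric - confirm).
    if [[ ! "$zone_id" =~ ^[A-Za-z0-9]+$ ]]; then
      echo "Failed $name: zone id contains unexpected characters" >&2
      failures=$((failures + 1))
      continue
    fi

    if [[ "$DRY_RUN" == true ]]; then
      # Call directly: capturing the output would hide the dry-run message.
      add_record "$name" "$zone_id"
      continue
    fi

    if ! result=$(add_record "$name" "$zone_id"); then
      echo "Failed $name: request did not complete" >&2
      failures=$((failures + 1))
      continue
    fi

    if ! success=$(jq -r '.success // false' <<<"$result" 2>/dev/null); then
      echo "Failed $name: response was not valid JSON" >&2
      failures=$((failures + 1))
      continue
    fi

    if [[ "$success" == "true" ]]; then
      echo "Created A $name -> $PUBLIC_IP"
    elif jq -e '.errors[]? | select(.code == 81057)' <<<"$result" &>/dev/null; then
      # Error code 81057 is what this script treats as "record already exists".
      echo "A $name already exists (skip)"
    else
      err=$(jq -r '.errors[0].message // .message // "unknown"' <<<"$result" 2>/dev/null) || err=""
      echo "Failed $name: ${err:-unknown}" >&2
      failures=$((failures + 1))
    fi
  done
}

echo "Adding missing A records (PUBLIC_IP=$PUBLIC_IP, DNS only)..."
process_records "d-bis" "${RECORDS[@]}"
process_records "defi-oracle" "${RECORDS_DEFI[@]}"
echo "Done."

if ((failures > 0)); then
  exit 1
fi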