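#!/usr/bin/env bash
# Run the NPM add-dapp-proxy-host logic on a Proxmox host (so it can reach NPMplus at 192.168.11.167).
# Usage: From project root, source .env then:
#   bash scripts/nginx-proxy-manager/add-dapp-proxy-host-via-ssh.sh
# Or: NPMPLUS_SSH_HOST=192.168.11.12 NPM_EMAIL=... NPM_PASSWORD=... bash scripts/nginx-proxy-manager/add-dapp-proxy-host-via-ssh.sh
#
# The SSH target is NPMPLUS_SSH_HOST, else PROXMOX_HOST_R630_02, else 192.168.11.12.
# A PROXMOX_HOST value from the caller's environment is overwritten below and has no effect.
#
# Security notes:
#   - NPM_EMAIL / NPM_PASSWORD / NPM_URL / DAPP_IP travel to the remote host on the SSH
#     session's stdin, shell-quoted with printf %q. They are never placed on the ssh
#     command line, so they do not show up in process listings on either machine and
#     cannot break out of the remote shell's quoting.
#   - config/ip-addresses.conf and .env are sourced, i.e. executed as shell code; keep
#     them writable only by the account that runs this script.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"

# Optional site configuration; a missing or failing file is tolerated on purpose.
source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
if [ -f "$PROJECT_ROOT/.env" ]; then
  # .env may reference unset variables, so relax -u only while it is read.
  set +u
  source "$PROJECT_ROOT/.env" 2>/dev/null || true
  set -u
fi

# Host that can reach NPMplus (192.168.11.167:81). Try NPMPLUS_SSH_HOST if default cannot reach it (e.g. NPMplus VM itself).
PROXMOX_HOST="${NPMPLUS_SSH_HOST:-${PROXMOX_HOST_R630_02:-192.168.11.12}}"
NPM_EMAIL="${NPM_EMAIL:-admin@example.org}"
NPM_PASSWORD="${NPM_PASSWORD:-}"
DAPP_IP="${IP_DAPP_LXC:-192.168.11.58}"
NPM_URL="${NPM_URL:-https://192.168.11.167:81}"

if [ -z "$NPM_PASSWORD" ]; then
  echo "Set NPM_PASSWORD (e.g. source .env)" >&2
  exit 1
fi

# Remote script: use Python's JSON parser so reruns are idempotent and preserve cert / Force SSL state.
# It is read from a quoted here-document so that quotes inside the Python reach the
# remote side unchanged. (Inside a single-quoted shell string, os.environ['NPM_URL']
# loses its quotes and Python fails with a NameError.)
# read -d '' returns non-zero at end of input, hence the "|| true".
IFS= read -r -d '' REMOTE_SCRIPT <<'REMOTE_EOF' || true
set -euo pipefail
python3 - <<'PY'
import json
import os
import subprocess
import sys


def curl(*args, stdin_data=None):
    """Run curl with the given arguments and return its stdout as text.

    stdin_data, when given, is written to curl's stdin so a request body can be
    supplied with "--data-binary @-" instead of on the command line.
    Raises subprocess.CalledProcessError when curl exits non-zero.
    """
    # -k skips certificate verification: the NPMplus endpoint is not authenticated,
    # so the credentials and token go to whatever answers at NPM_URL. Replace -k
    # with --cacert <ca-bundle> once NPMplus serves a certificate that can be verified.
    result = subprocess.run(
        ["curl", "-skS", *args],
        input=stdin_data,
        stdout=subprocess.PIPE,
        text=True,
        check=True,
    )
    return result.stdout


npm_password = os.environ.get("NPM_PASSWORD", "")
if not npm_password:
    print("NPM_PASSWORD not set on remote")
    sys.exit(1)

npm_url = os.environ["NPM_URL"]
dapp_ip = os.environ["DAPP_IP"]

auth_payload = json.dumps({
    "identity": os.environ.get("NPM_EMAIL", "admin@example.org"),
    "secret": npm_password,
})
# The login body carries the password, so it is fed through stdin rather than "-d <body>".
token_resp = json.loads(curl(
    "-X", "POST", f"{npm_url}/api/tokens",
    "-H", "Content-Type: application/json",
    "--data-binary", "@-",
    stdin_data=auth_payload,
))
token = token_resp.get("token") or token_resp.get("accessToken") or (token_resp.get("data") or {}).get("token")
if not token:
    print(f"Auth failed. Response: {json.dumps(token_resp)}")
    sys.exit(1)

# NOTE(review): the bearer token is still a curl argument and is visible in the remote
# host's process list while each call runs.
auth_header = ["-H", f"Authorization: Bearer {token}"]

hosts_resp = json.loads(curl("-X", "GET", f"{npm_url}/api/nginx/proxy-hosts", *auth_header))
if isinstance(hosts_resp, dict):
    hosts = hosts_resp.get("data") or hosts_resp.get("proxy_hosts") or []
else:
    hosts = hosts_resp

existing = None
for host in hosts:
    if "dapp.d-bis.org" in (host.get("domain_names") or []):
        existing = host
        break

payload = {
    "domain_names": ["dapp.d-bis.org"],
    "forward_scheme": "http",
    "forward_host": dapp_ip,
    "forward_port": 80,
    "allow_websocket_upgrade": True,
    # NOTE(review): "Block Common Exploits" is switched off for this host; confirm
    # that this is intentional.
    "block_exploits": False,
}

if existing:
    # Keep whatever certificate / Force SSL state the host already has.
    payload["certificate_id"] = existing.get("certificate_id")
    payload["ssl_forced"] = existing.get("ssl_forced", False)
    resp = json.loads(curl(
        "-X", "PUT", f"{npm_url}/api/nginx/proxy-hosts/{existing['id']}",
        *auth_header,
        "-H", "Content-Type: application/json",
        "-d", json.dumps(payload),
    ))
    if resp.get("id"):
        print(f"Updated: dapp.d-bis.org -> {dapp_ip}:80")
        sys.exit(0)
    print(f"Update failed: {json.dumps(resp)}")
    sys.exit(1)

# New host: created without a certificate; SSL is requested by hand afterwards.
payload["certificate_id"] = None
payload["ssl_forced"] = False
resp = json.loads(curl(
    "-X", "POST", f"{npm_url}/api/nginx/proxy-hosts",
    *auth_header,
    "-H", "Content-Type: application/json",
    "-d", json.dumps(payload),
))
if resp.get("id"):
    print(f"Added: dapp.d-bis.org -> {dapp_ip}:80")
    print("Request SSL in NPMplus UI for dapp.d-bis.org and enable Force SSL if this is a new host.")
    sys.exit(0)
print(f"Create failed: {json.dumps(resp)}")
sys.exit(1)
PY
REMOTE_EOF

# Emit what the remote "bash -s" reads on stdin: one export line with every value
# shell-quoted by printf %q, followed by the remote script itself. printf is a
# builtin, so the password never appears in any local argv.
remote_stdin() {
  printf 'export NPM_EMAIL=%q NPM_PASSWORD=%q NPM_URL=%q DAPP_IP=%q\n' \
    "$NPM_EMAIL" "$NPM_PASSWORD" "$NPM_URL" "$DAPP_IP"
  printf '%s\n' "$REMOTE_SCRIPT"
}

echo "Running NPM add proxy host from Proxmox host $PROXMOX_HOST (must be on same LAN as NPMplus 192.168.11.167)..."

# StrictHostKeyChecking=accept-new trusts the host key on first contact and refuses a
# changed key afterwards; pre-seed known_hosts if the first connection must be
# authenticated as well.
# A non-zero ssh status must not abort before the output is shown, so it is captured.
ssh_rc=0
OUTPUT=$(remote_stdin \
  | ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new root@"$PROXMOX_HOST" \
    'bash -s' 2>&1) || ssh_rc=$?

printf '%s\n' "$OUTPUT"
# Success is decided by the marker line the remote script prints.
if ! grep -qE 'Added: dapp\.d-bis\.org|Updated: dapp\.d-bis\.org' <<<"$OUTPUT"; then
  echo "Failed (ssh exit status $ssh_rc). Ensure this machine can SSH to $PROXMOX_HOST and that host can reach $NPM_URL (same LAN)." >&2
  exit 1
fi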