#!/usr/bin/env bash
# Install and configure Nginx on RPC containers (2500-2502) with SSL on port 443
# Usage: ./install-nginx-rpc.sh [vmid1] [vmid2] [vmid3]
# If no VMIDs provided, defaults to 2500, 2501, 2502

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}"

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

info() { echo -e "${GREEN}[INFO]${NC} $1"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
error() { echo -e "${RED}[ERROR]${NC} $1"; }

# Get VMIDs (default to 2500-2502)
if [[ $# -eq 0 ]]; then
    VMIDS=(2500 2501 2502)
else
    VMIDS=("$@")
fi

# RPC container mapping
declare -A RPC_IPS=(
    [2500]="192.168.11.250"
    [2501]="192.168.11.251"
    [2502]="192.168.11.252"
)

declare -A RPC_HOSTNAMES=(
    [2500]="besu-rpc-1"
    [2501]="besu-rpc-2"
    [2502]="besu-rpc-3"
)

# Domain mappings for each container
declare -A RPC_HTTP_DOMAINS=(
    [2501]="rpc-http-pub.d-bis.org"
    [2502]="rpc-http-prv.d-bis.org"
)

declare -A RPC_WS_DOMAINS=(
    [2501]="rpc-ws-pub.d-bis.org"
    [2502]="rpc-ws-prv.d-bis.org"
)

info "Installing Nginx on RPC containers..."
info "Proxmox Host: $PROXMOX_HOST"
info "Containers: ${VMIDS[*]}"
echo ""

# Function to install Nginx on a container
install_nginx_on_container() {
    local vmid=$1
    local ip="${RPC_IPS[$vmid]}"
    local hostname="${RPC_HOSTNAMES[$vmid]}"
    local http_domain="${RPC_HTTP_DOMAINS[$vmid]:-}"
    local ws_domain="${RPC_WS_DOMAINS[$vmid]:-}"
    
    echo "=========================================="
    info "Processing VMID $vmid ($hostname - $ip)"
    echo "=========================================="
    
    # Check if container is running
    STATUS=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
        "pct status $vmid 2>/dev/null | awk '{print \$2}'" 2>/dev/null || echo "unknown")
    
    if [[ "$STATUS" != "running" ]]; then
        warn "Container $vmid is not running (status: $STATUS), skipping..."
        return 1
    fi
    
    # Check if Nginx is already installed
    if ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
        "pct exec $vmid -- which nginx >/dev/null 2>&1"; then
        warn "Nginx is already installed on VMID $vmid"
        read -p "Reinstall/update configuration? (y/N): " -n 1 -r
        echo
        if [[ ! $REPLY =~ ^[Yy]$ ]]; then
            info "Skipping VMID $vmid"
            return 0
        fi
    fi
    
    # Install Nginx
    info "Installing Nginx on VMID $vmid..."
    ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
        "pct exec $vmid -- bash -c '
            export DEBIAN_FRONTEND=noninteractive
            apt-get update -qq
            apt-get install -y -qq nginx openssl
        '" || {
        error "Failed to install Nginx on VMID $vmid"
        return 1
    }
    info "✓ Nginx installed"
    
    # Generate self-signed SSL certificate (or use Let's Encrypt later)
    info "Generating SSL certificate..."
    # Use first domain if available, otherwise use hostname
    local cert_cn="${http_domain:-$hostname}"
    ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
        "pct exec $vmid -- bash -c '
            mkdir -p /etc/nginx/ssl
            openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \\
                -keyout /etc/nginx/ssl/rpc.key \\
                -out /etc/nginx/ssl/rpc.crt \\
                -subj \"/CN=$cert_cn/O=RPC Node/C=US\" 2>/dev/null
            chmod 600 /etc/nginx/ssl/rpc.key
            chmod 644 /etc/nginx/ssl/rpc.crt
        '" || {
        error "Failed to generate SSL certificate"
        return 1
    }
    info "✓ SSL certificate generated for $cert_cn"
    
    # Create Nginx configuration
    info "Creating Nginx configuration..."
    
    # Build server_name list
    local server_names="$hostname $ip"
    if [[ -n "$http_domain" ]]; then
        server_names="$server_names $http_domain"
    fi
    if [[ -n "$ws_domain" ]]; then
        server_names="$server_names $ws_domain"
    fi
    
    ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
        "pct exec $vmid -- bash" <<EOF
cat > /etc/nginx/sites-available/rpc <<NGINX_CONFIG
# HTTP to HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name $server_names;
    
    # Redirect all HTTP to HTTPS
    return 301 https://\$host\$request_uri;
}

# HTTPS server - HTTP RPC API (for rpc-http-*.d-bis.org)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${http_domain:-$hostname} $hostname $ip;

    # SSL configuration
    ssl_certificate /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Logging
    access_log /var/log/nginx/rpc-http-access.log;
    error_log /var/log/nginx/rpc-http-error.log;

    # Increase timeouts for RPC calls
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
    send_timeout 300s;

    # HTTP RPC endpoint
    location / {
        proxy_pass http://127.0.0.1:8545;
        proxy_http_version 1.1;
        
        # Headers
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Connection "";
        
        # Buffer settings
        proxy_buffering off;
        proxy_request_buffering off;
    }

    # Health check endpoint
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }
}

# HTTPS server - WebSocket RPC API (for rpc-ws-*.d-bis.org)
$(if [[ -n "$ws_domain" ]]; then echo "server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $ws_domain;"; fi)

    # SSL configuration
    ssl_certificate /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Logging
    access_log /var/log/nginx/rpc-ws-access.log;
    error_log /var/log/nginx/rpc-ws-error.log;

    # WebSocket RPC endpoint
    location / {
        proxy_pass http://127.0.0.1:8546;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }

    # Health check endpoint
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }
}
$(if [[ -n "$ws_domain" ]]; then echo ""; fi)
NGINX_CONFIG

# Enable the site
ln -sf /etc/nginx/sites-available/rpc /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default

# Test configuration
nginx -t

# Reload Nginx
systemctl enable nginx
systemctl restart nginx
EOF

    if [[ $? -eq 0 ]]; then
        info "✓ Nginx configured and started"
    else
        error "Failed to configure Nginx"
        return 1
    fi
    
    # Verify Nginx is running
    if ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
        "pct exec $vmid -- systemctl is-active nginx >/dev/null 2>&1"; then
        info "✓ Nginx service is active"
    else
        error "Nginx service is not active"
        return 1
    fi
    
    # Check if port 443 is listening
    if ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
        "pct exec $vmid -- ss -tuln | grep -q ':443'"; then
        info "✓ Port 443 is listening"
    else
        warn "Port 443 may not be listening"
    fi
    
    echo ""
    return 0
}

# Install on each container
SUCCESS=0
FAILED=0

for vmid in "${VMIDS[@]}"; do
    if install_nginx_on_container "$vmid"; then
        ((SUCCESS++))
    else
        ((FAILED++))
    fi
    echo ""
done

# Summary
echo "=========================================="
info "Installation Summary:"
echo "  Success: $SUCCESS"
echo "  Failed:  $FAILED"
echo "  Total:   ${#VMIDS[@]}"
echo "=========================================="

if [[ $FAILED -gt 0 ]]; then
    exit 1
fi

info "Nginx installation complete!"
echo ""
info "Next steps:"
echo "  1. Test HTTPS: curl -k https://<container-ip>:443"
echo "  2. Test RPC: curl -k -X POST https://<container-ip>:443 -H 'Content-Type: application/json' -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_blockNumber\",\"params\":[],\"id\":1}'"
echo "  3. Replace self-signed certificate with Let's Encrypt if needed"
echo "  4. Configure DNS records to point to container IPs"