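#!/usr/bin/env bash
# Render the nginx vhost for the application, enable it, test and reload nginx.
#
# Expects from ./lib.sh (or the environment): APP_USER, APP_DIR, log(), die().
# Reads config/nginx/site.conf.tmpl below the repository root; the template is
# expected to carry the placeholders __HTTP_BODY__ and __SSL_SERVER_BLOCK__.
set -euo pipefail

source ./lib.sh

log "Nginx konfigurieren …"

# Fail early and loudly.  APP_DIR is only consumed inside string substitutions
# further down, where an empty value would silently render "root /public;".
: "${APP_USER:?APP_USER muss gesetzt sein (lib.sh)}"
: "${APP_DIR:?APP_DIR muss gesetzt sein (lib.sh)}"

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
NGINX_SITE="/etc/nginx/sites-available/${APP_USER}.conf"
NGINX_SITE_LINK="/etc/nginx/sites-enabled/${APP_USER}.conf"

# Webroot for HTTP-01 challenges.  NOTE(review): nothing in this script adds a
# location that serves it — with TLS enabled the port-80 vhost is a pure
# redirect — so the template or the ACME client must provide that block.
ACME_ROOT="/var/www/letsencrypt"
install -d -m 0755 "$ACME_ROOT"

# Remove the distro default vhost so there is exactly one default_server.
rm -f /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default || true

# Enable http2 only when this nginx build ships the module.  (Recent nginx
# versions warn that "listen ... http2" is deprecated in favour of "http2 on;",
# but still accept it.)
NGINX_HTTP2_SUFFIX=""
if nginx -V 2>&1 | grep -q -- http_v2; then
  NGINX_HTTP2_SUFFIX=" http2"
fi

#######################################
# Locate the PHP-FPM listener.
# Outputs: "unix:<path>" of the newest versioned socket that exists, else the
#          unversioned socket, else the TCP fallback "127.0.0.1:9000".
#######################################
detect_php_fpm_sock() {
  local ver sock
  for ver in 8.3 8.2 8.1 8.0 7.4; do
    sock="/run/php/php${ver}-fpm.sock"
    if [[ -S "$sock" ]]; then
      echo "unix:${sock}"
      return
    fi
  done
  if [[ -S /run/php/php-fpm.sock ]]; then
    echo "unix:/run/php/php-fpm.sock"
    return
  fi
  echo "127.0.0.1:9000"
}

PHP_FPM_TARGET="$(detect_php_fpm_sock)"
# Pass the target through unchanged.  nginx needs the "unix:" prefix to treat
# the value as a socket path; stripping it (as before) makes nginx parse the
# bare path as a host name and "nginx -t" fails with "no port in upstream".
FASTCGI_PASS="fastcgi_pass ${PHP_FPM_TARGET};"

# TLS is enabled only when both certificate and key exist and are non-empty.
UI_CERT="/etc/ssl/ui/fullchain.pem"
UI_KEY="/etc/ssl/ui/privkey.pem"
SSL_ENABLED=0
if [[ -s "$UI_CERT" && -s "$UI_KEY" ]]; then
  SSL_ENABLED=1
fi

TPL="${ROOT_DIR}/config/nginx/site.conf.tmpl"
[[ -f "$TPL" ]] || die "Nginx-Template fehlt: $TPL"
render="$(<"$TPL")"

# --------- Fragments that are spliced into the template ---------
# All heredocs are quoted on purpose: nginx variables ($uri, $host, …) must
# stay literal, and ${APP_DIR}/${APP_USER}/… remain placeholders that are
# resolved over the finished render below.

# (A) Port-80 body when there is NO TLS: the app is served directly over HTTP.
HTTP_BODY_APP="$(cat <<'HTTP'
root ${APP_DIR}/public;
index index.php index.html;
access_log /var/log/nginx/${APP_USER}_access.log;
error_log /var/log/nginx/${APP_USER}_error.log;
client_max_body_size 25m;

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    __FASTCGI_PASS__
    try_files $uri =404;
}

location ^~ /livewire/ {
    try_files $uri /index.php?$query_string;
}

location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ {
    expires 30d;
    access_log off;
}
HTTP
)"

# (B) Port-80 body when TLS is active: redirect everything to 443.
HTTP_BODY_REDIRECT='return 301 https://$host$request_uri;'

# (C) Complete TLS server block; inserted only when TLS is active.
# NOTE(review): the block sets no Strict-Transport-Security header and the
# Reverb proxies forward no X-Forwarded-For/X-Forwarded-Proto; whether the app
# expects either is not visible from this script — confirm before adding.
SSL_BLOCK="$(cat <<'SSL'
server {
    listen 443 ssl${NGINX_HTTP2_SUFFIX};
    listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
    server_name _;

    ssl_certificate ${UI_CERT};
    ssl_certificate_key ${UI_KEY};
    ssl_protocols TLSv1.2 TLSv1.3;

    root ${APP_DIR}/public;
    index index.php index.html;
    access_log /var/log/nginx/${APP_USER}_ssl_access.log;
    error_log /var/log/nginx/${APP_USER}_ssl_error.log;
    client_max_body_size 25m;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        __FASTCGI_PASS__
        try_files $uri =404;
    }

    location ^~ /livewire/ {
        try_files $uri /index.php?$query_string;
    }

    location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)$ {
        expires 30d;
        access_log off;
    }

    # WebSocket: Laravel Reverb
    location /ws/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        proxy_pass http://127.0.0.1:8080/;
    }

    # Reverb HTTP API
    location /apps/ {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        proxy_pass http://127.0.0.1:8080/apps/;
    }
}
SSL
)"

# --------- Resolve placeholders ---------
# Structural placeholders first (first occurrence only, as before), so that the
# variables inside the inserted fragments are resolved by the second pass.
# Replacement strings are quoted so that "&" or "\" in a fragment can never be
# reinterpreted by bash's pattern substitution.
if (( SSL_ENABLED )); then
  render="${render/__HTTP_BODY__/"$HTTP_BODY_REDIRECT"}"
  render="${render/__SSL_SERVER_BLOCK__/"$SSL_BLOCK"}"
else
  render="${render/__HTTP_BODY__/"$HTTP_BODY_APP"}"
  # drop the HTTPS block entirely
  render="${render/__SSL_SERVER_BLOCK__/}"
fi

#######################################
# Replace every occurrence of a literal placeholder in $render with a value.
# Pure bash pattern substitution with both sides quoted: unlike the former
# sed call, a value containing the delimiter "|", "&" or "\" can neither
# break the expression nor be reinterpreted (APP_DIR/APP_USER come from
# outside this script).
# Globals:   render (read/written)
# Arguments: $1 - placeholder text, $2 - replacement value
#######################################
render_subst() {
  local needle=$1 value=$2
  render="${render//"$needle"/"$value"}"
}

render_subst '${APP_DIR}' "$APP_DIR"
render_subst '${APP_USER}' "$APP_USER"
render_subst '${UI_CERT}' "$UI_CERT"
render_subst '${UI_KEY}' "$UI_KEY"
render_subst '${NGINX_HTTP2_SUFFIX}' "$NGINX_HTTP2_SUFFIX"
render_subst '__FASTCGI_PASS__' "$FASTCGI_PASS"

# --------- Write, enable, test, reload ---------
# Keep a copy of the previous site file: if "nginx -t" rejects the new render,
# the symlink would otherwise keep pointing at a broken config and every later
# reload (by this or any other tool) would fail.
PREV_SITE=""
if [[ -f "$NGINX_SITE" ]]; then
  PREV_SITE="$(mktemp "${NGINX_SITE}.prev.XXXXXX")"
  cp -p -- "$NGINX_SITE" "$PREV_SITE"
fi

printf '%s\n' "$render" > "$NGINX_SITE"
ln -sfn -- "$NGINX_SITE" "$NGINX_SITE_LINK"

if nginx -t; then
  if [[ -n "$PREV_SITE" ]]; then
    rm -f -- "$PREV_SITE"
  fi
  # Best effort: the unit may already be enabled, or there may be no systemd.
  systemctl enable --now nginx >/dev/null 2>&1 || true
  # A failed reload means the new vhost is NOT live — report it instead of
  # hiding it, but do not abort the surrounding installer.
  systemctl reload nginx || log "WARNUNG: systemctl reload nginx fehlgeschlagen – neue Konfiguration ist nicht aktiv"
else
  # Roll back to the previous state before giving up.
  if [[ -n "$PREV_SITE" ]]; then
    mv -f -- "$PREV_SITE" "$NGINX_SITE"
  else
    rm -f -- "$NGINX_SITE_LINK" "$NGINX_SITE"
  fi
  die "nginx -t fehlgeschlagen – siehe /var/log/nginx/*.log"
fi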