#!/usr/bin/env bash
set -euo pipefail

UI_HOST=""; WEBMAIL_HOST=""; MAIL_HOST=""; SSL_AUTO=0
while [[ $# -gt 0 ]]; do
  case "$1" in
    --ui-host)      UI_HOST="$2";      shift 2 ;;
    --webmail-host) WEBMAIL_HOST="$2"; shift 2 ;;
    --mail-host)    MAIL_HOST="$2";    shift 2 ;;
    --ssl-auto)     SSL_AUTO="$2";     shift 2 ;;
    *) shift ;;
  esac
done

PHPV=$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')
PHP_FPM_SOCK="/run/php/php${PHPV}-fpm.sock"
[ -S "$PHP_FPM_SOCK" ] || PHP_FPM_SOCK="/run/php/php-fpm.sock"

APP_DIR="/var/www/mailwolt"
NGINX_SITE="/etc/nginx/sites-available/mailwolt.conf"
ACME_ROOT="/var/www/letsencrypt"
mkdir -p "${ACME_ROOT}/.well-known/acme-challenge"

# --- Phase 1: HTTP-only Vhosts mit ACME-Challenge ---
cat > "${NGINX_SITE}" <<CONF
server {
  listen 80;
  listen [::]:80;
  server_name ${UI_HOST} ${WEBMAIL_HOST};

  root ${APP_DIR}/public;
  index index.php index.html;

  location /.well-known/acme-challenge/ {
    root ${ACME_ROOT};
    try_files \$uri =404;
  }
  location / {
    try_files \$uri \$uri/ /index.php?\$query_string;
  }
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:${PHP_FPM_SOCK};
  }
  location ^~ /livewire/ {
    try_files \$uri /index.php?\$query_string;
  }
}
CONF

nginx -t && systemctl reload nginx

# --- Phase 2: Let's Encrypt Zertifikate holen ---
# Prüfen ob Server globales IPv6 hat (nötig wenn AAAA-Records existieren)
has_global_ipv6() {
  ip -6 addr show scope global 2>/dev/null | grep -q 'inet6'
}

cert_needs_action() {
  local domain="$1"
  local cert="/etc/letsencrypt/live/${domain}/fullchain.pem"
  [ ! -f "${cert}" ] && return 0
  # 0 = gültig für >10 Tage → überspringen; 1 = läuft ab → erneuern
  openssl x509 -checkend 864000 -noout -in "${cert}" 2>/dev/null && return 1
  return 0
}

certbot_safe() {
  local domain="$1"
  local has_aaaa
  has_aaaa=$(dig +short AAAA "${domain}" 2>/dev/null | head -1)
  if [ -n "${has_aaaa}" ] && ! has_global_ipv6; then
    echo "[!] ${domain}: AAAA-Record vorhanden aber kein IPv6 auf diesem Server — Let's Encrypt würde fehlschlagen. Self-signed wird verwendet." >&2
    return 1
  fi
  certbot certonly --webroot \
    -w "${ACME_ROOT}" \
    -d "${domain}" \
    --non-interactive --agree-tos \
    --email "webmaster@${domain}" \
    --no-eff-email
}

if [ "${SSL_AUTO}" = "1" ]; then
  for DOMAIN in "${UI_HOST}" "${WEBMAIL_HOST}"; do
    [ -z "${DOMAIN}" ] && continue
    if cert_needs_action "${DOMAIN}"; then
      certbot_safe "${DOMAIN}" || true
    fi
  done
fi

# --- Phase 3: Finale Vhosts ---
# Nur HTTPS wenn LE-Cert tatsächlich vorhanden, sonst HTTP-only (kein self-signed Fallback)
UI_HAS_CERT=0
WM_HAS_CERT=0
[ -f "/etc/letsencrypt/live/${UI_HOST}/fullchain.pem" ]      && UI_HAS_CERT=1
[ -f "/etc/letsencrypt/live/${WEBMAIL_HOST}/fullchain.pem" ] && WM_HAS_CERT=1
(

if [ "${UI_HAS_CERT}" = "1" ] || [ "${WM_HAS_CERT}" = "1" ]; then
  # Mindestens ein Cert vorhanden → HTTP-Redirect Block
  cat <<CONF
server {
  listen 80;
  listen [::]:80;
  server_name ${UI_HOST} ${WEBMAIL_HOST};

  location /.well-known/acme-challenge/ {
    root ${ACME_ROOT};
    try_files \$uri =404;
  }
  location / { return 301 https://\$host\$request_uri; }
}
CONF
else
  # Kein Cert → HTTP-only, App läuft auf Port 80 weiter
  cat <<CONF
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name _;

  root ${APP_DIR}/public;
  index index.php index.html;

  location /.well-known/acme-challenge/ {
    root ${ACME_ROOT};
    try_files \$uri =404;
  }
  location / { try_files \$uri \$uri/ /index.php?\$query_string; }
  location ~ \.php\$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:${PHP_FPM_SOCK};
  }
  location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
}
CONF
fi

if [ -n "${UI_HOST}" ] && [ "${UI_HAS_CERT}" = "1" ]; then
  cat <<CONF

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  http2 on;
  server_name ${UI_HOST};

  ssl_certificate     /etc/letsencrypt/live/${UI_HOST}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/${UI_HOST}/privkey.pem;
  ssl_protocols       TLSv1.2 TLSv1.3;

  root ${APP_DIR}/public;
  index index.php index.html;

  location / { try_files \$uri \$uri/ /index.php?\$query_string; }
  location ~ \.php\$ {
    include snippets/fastcgi-php.conf;
    fastcgi_param HTTPS on;
    fastcgi_pass unix:${PHP_FPM_SOCK};
  }
  location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
}
CONF
fi

if [ -n "${WEBMAIL_HOST}" ] && [ "${WM_HAS_CERT}" = "1" ]; then
  cat <<CONF

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  http2 on;
  server_name ${WEBMAIL_HOST};

  ssl_certificate     /etc/letsencrypt/live/${WEBMAIL_HOST}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/${WEBMAIL_HOST}/privkey.pem;
  ssl_protocols       TLSv1.2 TLSv1.3;

  root ${APP_DIR}/public;
  index index.php index.html;

  location / { try_files \$uri \$uri/ /index.php?\$query_string; }
  location ~ \.php\$ {
    include snippets/fastcgi-php.conf;
    fastcgi_param HTTPS on;
    fastcgi_pass unix:${PHP_FPM_SOCK};
  }
  location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
  location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg)\$ { expires 30d; access_log off; }
}
CONF
fi
) > "${NGINX_SITE}"

# State-Dateien schreiben — korrekt pro Domain, nicht pauschal "done"
STATE_DIR="/var/lib/mailwolt/wizard"
if [ -d "${STATE_DIR}" ]; then
  # UI: done nur wenn LE-Cert tatsächlich vorhanden, sonst error
  if [ -f "${STATE_DIR}/ui" ]; then
    if [ "${UI_HAS_CERT}" = "1" ]; then
      printf "done" > "${STATE_DIR}/ui"
    else
      printf "error" > "${STATE_DIR}/ui"
    fi
  fi
  # Webmail: done nur wenn LE-Cert tatsächlich vorhanden, sonst error
  if [ -f "${STATE_DIR}/webmail" ]; then
    if [ "${WM_HAS_CERT}" = "1" ]; then
      printf "done" > "${STATE_DIR}/webmail"
    else
      printf "error" > "${STATE_DIR}/webmail"
    fi
  fi
  # Mail-Domain: kein certbot im Wizard für MX → skip (kein Fehler, nur nicht zutreffend)
  [ -f "${STATE_DIR}/mail" ] && printf "skip" > "${STATE_DIR}/mail"

  # done-Signal: immer schreiben damit der 2s-Poll stoppt
  if [ "${UI_HAS_CERT}" = "1" ] || [ "${WM_HAS_CERT}" = "1" ]; then
    # Erst done schreiben, dann 6s warten bevor nginx auf HTTPS wechselt —
    # so hat der Browser Zeit den "Zum Login"-Button zu rendern bevor der Switch passiert
    printf "1" > "${STATE_DIR}/done"
    sleep 6
  else
    printf "0" > "${STATE_DIR}/done"
  fi
fi

nginx -t && systemctl reload nginx