#!/usr/bin/env bash
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
env_file="${repo_root}/.env"
template_file="${repo_root}/.env.example"

if [[ ! -f "${template_file}" ]]; then
  echo "Missing ${template_file}. Run from the repo root."
  exit 1
fi

if [[ -f "${env_file}" ]]; then
  read -r -p ".env already exists. Overwrite? (y/N): " overwrite
  if [[ "${overwrite}" =~ ^[Yy]$ ]]; then
    cp "${template_file}" "${env_file}"
  fi
else
  cp "${template_file}" "${env_file}"
fi

set_kv() {
  local key="$1"
  local value="$2"
  local esc
  esc="${value//\\/\\\\}"
  esc="${esc//&/\\&}"
  esc="${esc//|/\\|}"
  if grep -q "^${key}=" "${env_file}"; then
    sed -i -E "s|^${key}=.*|${key}=${esc}|" "${env_file}"
  else
    echo "${key}=${value}" >> "${env_file}"
  fi
}

read_kv() {
  local key="$1"
  local line
  line="$(grep -m1 -E "^${key}=" "${env_file}" || true)"
  if [[ -z "${line}" ]]; then
    return 1
  fi
  echo "${line#*=}"
}

prompt() {
  local key="$1"
  local default="$2"
  local label="$3"
  local value
  read -r -p "${label} [${default}]: " value
  value="${value:-$default}"
  set_kv "${key}" "${value}"
}

echo "Configure local dev settings (press Enter to keep defaults)."
prompt "NEXTCLOUD_PORT" "8080" "Nextcloud port"
prompt "NEXTCLOUD_ADMIN_USER" "admin" "Nextcloud admin user"
prompt "NEXTCLOUD_ADMIN_PASSWORD" "admin123" "Nextcloud admin password"
prompt "NEXTCLOUD_TRUSTED_DOMAINS" "localhost 127.0.0.1 app" "Nextcloud trusted domains"

prompt "BROKER_PORT" "3000" "Broker port"
prompt "NEXTCLOUD_PUBLIC_URL" "http://localhost:8080" "Public Nextcloud URL"
set_kv "BROKER_CORS_ALLOWED_ORIGINS" "$(grep -E "^NEXTCLOUD_PUBLIC_URL=" "${env_file}" | cut -d= -f2-)"
prompt "OIDC_ISSUER" "http://broker:3000" "OIDC issuer (broker URL reachable by Nextcloud + browser)"
prompt "OIDC_REDIRECT_URI_ALLOWLIST" "http://localhost:8080/apps/user_oidc/code" "OIDC redirect allowlist"

read -r -p "Start bundled External Auth container? (y/N): " start_ext_auth
start_ext_auth="${start_ext_auth:-N}"
if [[ "${start_ext_auth}" =~ ^[Yy]$ ]]; then
  set_kv "QORTAL_EXTERNAL_AUTH_BASE_URL" "http://external_auth:3191"
  set_kv "EXTERNAL_AUTH_CONTEXT" "../Qortal-External-Auth"
  set_kv "EXTERNAL_AUTH_DOCKERFILE" "Dockerfile"
  set_kv "EXTERNAL_AUTH_PORT" "3191"
  read -r -p "Qortal node API key for External Auth (leave blank if not required): " qortal_auth_node_api_key
  set_kv "QORTAL_AUTH_NODE_API_KEY" "${qortal_auth_node_api_key}"
  set_kv "QORTAL_AUTH_NODE_API_KEY_MODE" "paths"
  set_kv "QORTAL_AUTH_NODE_API_KEY_PATHS" "/"
  mkdir -p "${repo_root}/external-auth/data"
else
  prompt "QORTAL_EXTERNAL_AUTH_BASE_URL" "http://gateway.docker.internal:3191" "External Auth base URL"
fi
read -r -p "External Auth app ID (leave blank to set later): " app_id
set_kv "QORTAL_EXTERNAL_AUTH_APP_ID" "${app_id}"
read -r -p "External Auth app secret (leave blank to set later): " app_secret
set_kv "QORTAL_EXTERNAL_AUTH_APP_SECRET" "${app_secret}"

if [[ -x "${repo_root}/scripts/select-qortal-p2p-port.sh" ]]; then
  "${repo_root}/scripts/select-qortal-p2p-port.sh" "${env_file}"
fi
if [[ -f "${repo_root}/scripts/ensure-broker-internal-token.sh" ]]; then
  bash "${repo_root}/scripts/ensure-broker-internal-token.sh" "${env_file}"
fi

broker_internal_api_token="$(read_kv "BROKER_INTERNAL_API_TOKEN" || true)"
if [[ -z "${broker_internal_api_token}" ]]; then
  echo "BROKER_INTERNAL_API_TOKEN is missing in ${env_file}"
  echo "Run: bash scripts/ensure-broker-internal-token.sh ${env_file}"
  exit 1
fi
export BROKER_INTERNAL_API_TOKEN="${broker_internal_api_token}"

broker_cors_allowed_origins="$(read_kv "BROKER_CORS_ALLOWED_ORIGINS" || true)"
if [[ -n "${broker_cors_allowed_origins}" ]]; then
  export BROKER_CORS_ALLOWED_ORIGINS="${broker_cors_allowed_origins}"
fi
echo "Broker auth env loaded from ${env_file}: token_set=yes cors_origins=${broker_cors_allowed_origins:-<empty>}"

echo
mkdir -p "${repo_root}/nextcloud/html" "${repo_root}/nextcloud/data" "${repo_root}/qortal/data"
if [[ -x "${repo_root}/scripts/ensure-qortal-settings.sh" ]]; then
  "${repo_root}/scripts/ensure-qortal-settings.sh"
fi
echo "Starting local dev stack..."
if [[ "${start_ext_auth}" =~ ^[Yy]$ ]]; then
  (cd "${repo_root}" && COMPOSE_PROFILES=external-auth make up)
else
  (cd "${repo_root}" && make up)
fi

echo
read -r -p "Install/enable user_oidc app now? (y/N): " install_oidc
if [[ "${install_oidc}" =~ ^[Yy]$ ]]; then
  (cd "${repo_root}" && make install-oidc)
fi

cat <<EOF

Next steps:
1) Wait for Nextcloud to finish installing (watch logs):
   make logs
2) Configure OIDC provider (if not already):
   make occ cmd="user_oidc:provider qortal -c nextcloud-local -s dev-secret -d http://broker:3000/.well-known/openid-configuration --scope='openid profile email' --mapping-uid=sub --mapping-display-name=name --mapping-email=email"

Note: If you use http://broker:3000, add a hosts entry:
  127.0.0.1 broker
EOF