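#!/usr/bin/env bash
#
# Interactive bootstrap for the dev-prod stack.
#
# Copies .env.devprod.example to .env.devprod, prompts for domains, ports,
# the Nextcloud admin credentials and the External Auth settings, derives the
# public URLs / CORS origin / OIDC issuer from those answers, runs the helper
# scripts under scripts/ when they are present, and finally starts the stack
# through the repository's make targets.
#
# Security notes:
#   * .env.devprod ends up holding the admin password, the External Auth app
#     secret, the node API key and the broker internal token, so it is
#     restricted to the owner (mode 600) as soon as it exists.
#   * Secrets are read without terminal echo.
#   * The token value is never printed; only "token_set=yes" is logged.
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
env_file="${repo_root}/.env.devprod"
template_file="${repo_root}/.env.devprod.example"

if [[ ! -f "${template_file}" ]]; then
  echo "Missing ${template_file}. Run from the repo root." >&2
  exit 1
fi

# Seed the env file from the template. An existing file is only replaced on an
# explicit "y"; otherwise it is kept and updated in place by set_kv below.
if [[ -f "${env_file}" ]]; then
  read -r -p ".env.devprod already exists. Overwrite? (y/N): " overwrite
  if [[ "${overwrite}" =~ ^[Yy]$ ]]; then
    cp "${template_file}" "${env_file}"
  fi
else
  cp "${template_file}" "${env_file}"
fi

# cp gives a new file the template's mode filtered by the umask (typically
# world-readable), and a pre-existing file keeps whatever mode it had. Tighten
# it before any secret is written.
# NOTE(review): assumes the stack is started by the same user that runs this
# script, so owner-only access is sufficient - confirm for shared hosts.
chmod 600 "${env_file}"

#######################################
# Set KEY=VALUE in the env file.
# Every existing line starting with "KEY=" is rewritten with sed; if there is
# none, the pair is appended.
# Globals:   env_file (read; the file is modified)
# Arguments: $1 - key (interpolated into a regex unescaped; callers in this
#                 script only pass fixed names)
#            $2 - value
#######################################
set_kv() {
  local key="$1"
  local value="$2"
  local esc
  # Escape what is special in a sed replacement: backslash, "&" (whole match)
  # and "|" (the delimiter used below).
  esc="${value//\\/\\\\}"
  esc="${esc//&/\\&}"
  esc="${esc//|/\\|}"
  if grep -q "^${key}=" "${env_file}"; then
    sed -i -E "s|^${key}=.*|${key}=${esc}|" "${env_file}"
  else
    # printf writes the value literally regardless of its content.
    printf '%s=%s\n' "${key}" "${value}" >> "${env_file}"
  fi
}

#######################################
# Print the value of the first "KEY=" line in the env file.
# Globals:   env_file (read)
# Arguments: $1 - key
# Outputs:   the value (everything after the first "=") on stdout
# Returns:   1 when the key is absent
#######################################
read_kv() {
  local key="$1"
  local line
  line="$(grep -m1 -E "^${key}=" "${env_file}" || true)"
  if [[ -z "${line}" ]]; then
    return 1
  fi
  echo "${line#*=}"
}

#######################################
# Ask for a value, falling back to a default on empty input, and store it.
# Arguments: $1 - key, $2 - default, $3 - prompt label
#######################################
prompt() {
  local key="$1"
  local default="$2"
  local label="$3"
  local value
  read -r -p "${label} [${default}]: " value
  value="${value:-$default}"
  set_kv "${key}" "${value}"
}

#######################################
# Same as prompt, but the typed value is not echoed to the terminal.
# Arguments: $1 - key, $2 - default, $3 - prompt label
#######################################
prompt_secret() {
  local key="$1"
  local default="$2"
  local label="$3"
  local value
  read -r -s -p "${label} [${default}]: " value
  # read -s swallows the newline the operator typed; emit one on the prompt's
  # stream (stderr) so the next prompt starts on its own line.
  echo >&2
  value="${value:-$default}"
  set_kv "${key}" "${value}"
}

echo "Configure dev-prod settings (press Enter to keep defaults)."
read -r -p "Use internal Caddy TLS? (y/N): " use_internal_tls
use_internal_tls="${use_internal_tls:-N}"

prompt "NEXTCLOUD_DOMAIN" "cloud.example.test" "Nextcloud domain"
prompt "BROKER_DOMAIN" "qortalbroker.example.test" "Broker domain"

if [[ "${use_internal_tls}" =~ ^[Yy]$ ]]; then
  prompt "CADDY_EMAIL" "admin@example.test" "Caddy/Let's Encrypt email"
  prompt "CADDY_HTTP_PORT" "80" "Caddy HTTP port"
  prompt "CADDY_HTTPS_PORT" "443" "Caddy HTTPS port"
  prompt "CADDY_TLS" "tls internal" "Caddy TLS directive"
else
  set_kv "CADDY_EMAIL" "admin@example.test"
  set_kv "CADDY_HTTP_PORT" "80"
  set_kv "CADDY_HTTPS_PORT" "443"
  set_kv "CADDY_TLS" ""
  prompt "PUBLIC_HTTPS_PORT" "443" "Public HTTPS port (external proxy)"
  prompt "DEVPROD_HTTP_PORT" "8081" "Internal Nextcloud HTTP port (no-SSL stack)"
  prompt "DEVPROD_BROKER_PORT" "3001" "Internal broker HTTP port (no-SSL stack)"
fi

prompt "NEXTCLOUD_ADMIN_USER" "admin" "Nextcloud admin user"
prompt_secret "NEXTCLOUD_ADMIN_PASSWORD" "admin123" "Nextcloud admin password"
# The built-in default is a well-known weak password. It is still accepted so
# that pressing Enter keeps working, but the operator is told about it.
if [[ "$(read_kv "NEXTCLOUD_ADMIN_PASSWORD" || true)" == "admin123" ]]; then
  echo "Warning: NEXTCLOUD_ADMIN_PASSWORD is the built-in default; change it before this stack is reachable by anyone else." >&2
fi

read -r -p "Start bundled External Auth container? (y/N): " start_ext_auth
start_ext_auth="${start_ext_auth:-N}"

if [[ "${start_ext_auth}" =~ ^[Yy]$ ]]; then
  set_kv "QORTAL_EXTERNAL_AUTH_BASE_URL" "http://external_auth:3191"
  set_kv "EXTERNAL_AUTH_CONTEXT" "../Qortal-External-Auth"
  set_kv "EXTERNAL_AUTH_DOCKERFILE" "Dockerfile"
  set_kv "EXTERNAL_AUTH_PORT" "3191"
  read -r -s -p "Qortal node API key for External Auth (leave blank if not required): " qortal_auth_node_api_key
  echo >&2
  set_kv "QORTAL_AUTH_NODE_API_KEY" "${qortal_auth_node_api_key}"
  set_kv "QORTAL_AUTH_NODE_API_KEY_MODE" "paths"
  set_kv "QORTAL_AUTH_NODE_API_KEY_PATHS" "/"
  set_kv "COMPOSE_PROFILES" "external-auth"
  mkdir -p "${repo_root}/external-auth/data"
else
  set_kv "COMPOSE_PROFILES" ""
  prompt "QORTAL_EXTERNAL_AUTH_BASE_URL" "http://gateway.docker.internal:3191" "External Auth base URL"
fi

read -r -p "External Auth app ID (leave blank to set later): " app_id
set_kv "QORTAL_EXTERNAL_AUTH_APP_ID" "${app_id}"
read -r -s -p "External Auth app secret (leave blank to set later): " app_secret
echo >&2
set_kv "QORTAL_EXTERNAL_AUTH_APP_SECRET" "${app_secret}"

# Derive the public URLs from what was just written. read_kv returns non-zero
# for a missing key, which stops the script under `set -e`.
nc_domain="$(read_kv "NEXTCLOUD_DOMAIN")"
broker_domain="$(read_kv "BROKER_DOMAIN")"
if [[ "${use_internal_tls}" =~ ^[Yy]$ ]]; then
  https_port="$(read_kv "CADDY_HTTPS_PORT")"
else
  https_port="$(read_kv "PUBLIC_HTTPS_PORT")"
fi

# Leave the port out of the URL when it is the HTTPS default.
if [[ "${https_port}" == "443" ]]; then
  nc_url="https://${nc_domain}"
  broker_url="https://${broker_domain}"
else
  nc_url="https://${nc_domain}:${https_port}"
  broker_url="https://${broker_domain}:${https_port}"
fi

# The CORS origin and the OIDC redirect allowlist are pinned to the single
# Nextcloud URL derived above.
set_kv "NEXTCLOUD_TRUSTED_DOMAINS" "${nc_domain}"
set_kv "NEXTCLOUD_PUBLIC_URL" "${nc_url}"
set_kv "BROKER_CORS_ALLOWED_ORIGINS" "${nc_url}"
set_kv "OIDC_ISSUER" "${broker_url}"
set_kv "OIDC_REDIRECT_URI_ALLOWLIST" "${nc_url}/apps/user_oidc/code"

if [[ -x "${repo_root}/scripts/select-qortal-p2p-port.sh" ]]; then
  "${repo_root}/scripts/select-qortal-p2p-port.sh" "${env_file}"
fi

if [[ -f "${repo_root}/scripts/ensure-broker-internal-token.sh" ]]; then
  bash "${repo_root}/scripts/ensure-broker-internal-token.sh" "${env_file}"
fi

# Refuse to start the stack without a broker internal token.
broker_internal_api_token="$(read_kv "BROKER_INTERNAL_API_TOKEN" || true)"
if [[ -z "${broker_internal_api_token}" ]]; then
  echo "BROKER_INTERNAL_API_TOKEN is missing in ${env_file}" >&2
  echo "Run: bash scripts/ensure-broker-internal-token.sh ${env_file}" >&2
  exit 1
fi
# Exported so the make invocations below inherit it.
export BROKER_INTERNAL_API_TOKEN="${broker_internal_api_token}"

broker_cors_allowed_origins="$(read_kv "BROKER_CORS_ALLOWED_ORIGINS" || true)"
if [[ -n "${broker_cors_allowed_origins}" ]]; then
  export BROKER_CORS_ALLOWED_ORIGINS="${broker_cors_allowed_origins}"
fi

# Log that a token exists, never its value.
echo "Broker auth env loaded from ${env_file}: token_set=yes cors_origins=${broker_cors_allowed_origins:-}"
echo

# Both stack variants share the same preparation; only the make target suffix
# and the announcement differ.
if [[ "${use_internal_tls}" =~ ^[Yy]$ ]]; then
  stack_label="devprod"
  start_message="Starting dev-prod stack (internal Caddy)..."
else
  stack_label="devprod-nossl"
  start_message="Starting dev-prod stack (no SSL; use external proxy)..."
fi

mkdir -p "${repo_root}/nextcloud/html" "${repo_root}/nextcloud/data" "${repo_root}/qortal/data"
if [[ -x "${repo_root}/scripts/ensure-qortal-settings.sh" ]]; then
  "${repo_root}/scripts/ensure-qortal-settings.sh"
fi
if [[ -x "${repo_root}/scripts/ensure-qortal-start-args.sh" ]]; then
  "${repo_root}/scripts/ensure-qortal-start-args.sh" "${env_file}"
fi

echo "${start_message}"
if [[ "${start_ext_auth}" =~ ^[Yy]$ ]]; then
  (cd "${repo_root}" && COMPOSE_PROFILES=external-auth make "up-${stack_label}")
else
  (cd "${repo_root}" && make "up-${stack_label}")
fi

echo
read -r -p "Install/enable user_oidc app now? (y/N): " install_oidc
if [[ "${install_oidc}" =~ ^[Yy]$ ]]; then
  (cd "${repo_root}" && make "install-oidc-${stack_label}")
fi

echo
read -r -p "Set Nextcloud trusted domain to ${nc_domain}? (y/N): " trust_domain
if [[ "${trust_domain}" =~ ^[Yy]$ ]]; then
  # Best effort: this step may fail while Nextcloud is still installing, so a
  # failure must not abort the script; the rerun hint is printed either way.
  (cd "${repo_root}" && make "trust-domain-${stack_label}" domain="${nc_domain}") || true
  echo "If this failed (e.g. Nextcloud still installing), rerun later:"
  echo " make trust-domain-${stack_label} domain=${nc_domain}"
fi

# NOTE(review): the listing ends here in the middle of a statement; the
# redirection this `cat` opens is not visible, so it is left exactly as found.
cat <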