#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
NGINX_CONF_SOURCE="$PROJECT_ROOT/deploy/nginx/creditscope.conf"
NGINX_CONF_TARGET="/etc/nginx/sites-available/creditscope"
NGINX_ENABLED_TARGET="/etc/nginx/sites-enabled/creditscope"
SSL_CERT_TARGET="/etc/ssl/certs/creditscope-selfsigned.crt"
SSL_KEY_TARGET="/etc/ssl/private/creditscope-selfsigned.key"
HTPASSWD_TARGET="/etc/nginx/.htpasswd"

if ! command -v sudo >/dev/null 2>&1; then
    echo "sudo is required" >&2
    exit 1
fi

export DEBIAN_FRONTEND=noninteractive

if [ -f "$PROJECT_ROOT/.env" ]; then
    set -a
    # shellcheck disable=SC1091
    source "$PROJECT_ROOT/.env"
    set +a
fi

PUBLIC_IP=${PUBLIC_IP:-$(curl -4 -s https://ifconfig.me 2>/dev/null || hostname -I | awk '{print $1}')}
BASIC_AUTH_USERS=${BASIC_AUTH_USERS:-}
BASIC_AUTH_PASSWORD=${BASIC_AUTH_PASSWORD:-}

if [ -z "$PUBLIC_IP" ]; then
    echo "Unable to determine PUBLIC_IP" >&2
    exit 1
fi

if ! command -v nginx >/dev/null 2>&1; then
    sudo apt-get update
    sudo apt-get install -y nginx
fi

if [ -n "$BASIC_AUTH_USERS" ] && [ -n "$BASIC_AUTH_PASSWORD" ] && ! command -v htpasswd >/dev/null 2>&1; then
    sudo apt-get update
    sudo apt-get install -y apache2-utils
fi

sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled
sudo cp "$NGINX_CONF_SOURCE" "$NGINX_CONF_TARGET"

if [ -n "$BASIC_AUTH_USERS" ] && [ -n "$BASIC_AUTH_PASSWORD" ]; then
    first_user=true
    old_ifs=$IFS
    IFS=,
    for raw_user in $BASIC_AUTH_USERS; do
        IFS=$old_ifs
        user=$(printf '%s' "$raw_user" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        IFS=,
        if [ -z "$user" ]; then
            continue
        fi

        if [ "$first_user" = true ]; then
            sudo htpasswd -bc "$HTPASSWD_TARGET" "$user" "$BASIC_AUTH_PASSWORD" >/dev/null
            first_user=false
        else
            sudo htpasswd -b "$HTPASSWD_TARGET" "$user" "$BASIC_AUTH_PASSWORD" >/dev/null
        fi
    done
    IFS=$old_ifs

    if [ "$first_user" = true ]; then
        echo "No valid BASIC_AUTH_USERS entries were provided" >&2
        exit 1
    fi
else
    sudo rm -f "$HTPASSWD_TARGET"
fi

if [ ! -f "$SSL_CERT_TARGET" ] || [ ! -f "$SSL_KEY_TARGET" ]; then
    tmp_openssl_config=$(mktemp)
    cat > "$tmp_openssl_config" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = $PUBLIC_IP

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = $PUBLIC_IP
EOF

    sudo openssl req \
        -x509 \
        -nodes \
        -newkey rsa:2048 \
        -days 365 \
        -keyout "$SSL_KEY_TARGET" \
        -out "$SSL_CERT_TARGET" \
        -config "$tmp_openssl_config"
    rm -f "$tmp_openssl_config"
    sudo chmod 600 "$SSL_KEY_TARGET"
fi

if [ -L "$NGINX_ENABLED_TARGET" ] || [ -e "$NGINX_ENABLED_TARGET" ]; then
    sudo rm -f "$NGINX_ENABLED_TARGET"
fi
sudo ln -s "$NGINX_CONF_TARGET" "$NGINX_ENABLED_TARGET"

if [ -e /etc/nginx/sites-enabled/default ]; then
    sudo rm -f /etc/nginx/sites-enabled/default
fi

sudo nginx -t

if command -v systemctl >/dev/null 2>&1; then
    sudo systemctl enable nginx
    sudo systemctl reload nginx 2>/dev/null || sudo systemctl restart nginx
elif command -v service >/dev/null 2>&1; then
    sudo service nginx reload 2>/dev/null || sudo service nginx restart
else
    sudo nginx -s reload 2>/dev/null || sudo nginx
fi

echo "nginx is serving CreditScope on ports 80 and 443 for $PUBLIC_IP"