#!/bin/sh
set -e

echo "Warning: secrets will be visible when typing. Press Enter after each input."

# --- User input ---
printf "Base domain (e.g., example.com): "
read DOMAIN
printf "Subdomain for this instance (e.g., matrix1): "
read SUBDOMAIN
CN="$SUBDOMAIN.$DOMAIN"

printf "Postgres secret: "
read POSTGRES_SECRET
printf "REG Secret (registration_shared_secret): "
read REG_SECRET

# --- Directories ---
BASE_DIR="/opt/matrix/$CN"
mkdir -p "$BASE_DIR/data"
mkdir -p "$BASE_DIR/db"

# --- Automatic port assignment ---
BASE_PORT=8008
FEDERATION_PORT=8448

for dir in /opt/matrix/*; do
    if [ -f "$dir/docker-compose.yml" ]; then
        used_ports=$(grep 'ports:' -A1 "$dir/docker-compose.yml" | awk -F: '{print $2}' | tr -d '"')
        for port in $used_ports; do
            if [ "$port" ] && [ "$port" -ge "$BASE_PORT" ]; then
                BASE_PORT=$((port + 1))
            fi
            if [ "$port" ] && [ "$port" -ge "$FEDERATION_PORT" ]; then
                FEDERATION_PORT=$((port + 1))
            fi
        done
    fi
done

echo "Assigning ports: client-server=$BASE_PORT, federation=$FEDERATION_PORT"

# --- Docker Compose ---
cat > "$BASE_DIR/docker-compose.yml" <<EOF
services:
  dendrite:
    image: ghcr.io/element-hq/dendrite-monolith:latest
    restart: unless-stopped
    environment:
      POSTGRES_URI: postgres://dendrite:$POSTGRES_SECRET@db/dendrite
      SERVER_NAME: $CN
      REGISTRATION_SHARED_SECRET: $REG_SECRET
      DISABLE_TLS: "true"
    ports:
      - "$BASE_PORT:8008"
      - "$FEDERATION_PORT:8448"
    volumes:
      - ./data:/data

  db:
    image: postgres:15
    restart: unless-stopped
    environment:
      POSTGRES_USER: dendrite
      POSTGRES_PASSWORD: $POSTGRES_SECRET
    volumes:
      - ./db:/var/lib/postgresql/data
EOF

# --- Nginx config ---
NGINX_CONF="/etc/nginx/sites-available/$CN"
sudo tee "$NGINX_CONF" > /dev/null <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $CN;

    location /.well-known/matrix/ {
        try_files \$uri =404;
    }

    location / {
        proxy_pass http://127.0.0.1:$BASE_PORT;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        client_max_body_size 50M;
        proxy_read_timeout 600s;
    }
}
EOF

sudo ln -sf "$NGINX_CONF" /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

# --- Start Docker Compose ---
cd "$BASE_DIR"
docker compose up -d

# --- DNS propagation check ---
if ! command -v dig >/dev/null 2>&1; then
    echo "Installing dnsutils (needed for DNS checks)..."
    sudo apt-get update && sudo apt-get install -y dnsutils
fi

# Collect all VPS IPs (IPv4 + IPv6)
VPS_IPS=$(hostname -I | tr ' ' '\n')
echo "VPS addresses: $VPS_IPS"

echo "Checking DNS propagation for $CN ..."
MAX_RETRIES=30
SLEEP_SEC=10
count=0

while true; do
    DNS_IPS=$( (dig +short "$CN" A; dig +short "$CN" AAAA) | sort -u )
    MATCH="false"

    for dns_ip in $DNS_IPS; do
        for vps_ip in $VPS_IPS; do
            if [ "$dns_ip" = "$vps_ip" ]; then
                MATCH="true"
                break
            fi
        done
    done

    if [ "$MATCH" = "true" ]; then
        echo "$CN resolves correctly to one of the VPS IPs: $DNS_IPS"
        break
    else
        count=$((count + 1))
        if [ "$count" -ge "$MAX_RETRIES" ]; then
            echo "DNS propagation not detected after $((MAX_RETRIES*SLEEP_SEC)) seconds."
            echo "Please make sure $CN points to this VPS and rerun the script."
            exit 1
        fi
        echo "DNS not ready yet ($count/$MAX_RETRIES). Found: $DNS_IPS Expected one of: $VPS_IPS"
        echo "Retrying in $SLEEP_SEC seconds..."
        sleep $SLEEP_SEC
    fi
done

# --- Obtain HTTPS certificate ---
sudo certbot certonly --nginx -d "$CN" --non-interactive --agree-tos -m "admin@$DOMAIN"

sudo tee "$NGINX_CONF" > /dev/null <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $CN;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $CN;

    ssl_certificate     /etc/letsencrypt/live/$CN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$CN/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "no-referrer-when-downgrade";

    location /.well-known/matrix/ {
        try_files \$uri =404;
    }

    location / {
        proxy_pass http://127.0.0.1:$BASE_PORT;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        client_max_body_size 50M;
        proxy_read_timeout 600s;
    }
}
EOF
sudo nginx -t
sudo systemctl reload nginx
echo "HTTPS active for $CN with federation support!"