#!/usr/bin/env bash
# onx-reseller-vhost-add — Per-reseller white-label Apache vhost writer.
#
# Bayinin (reseller) panel.acmehosting.com gibi kendi domain'inden Onoxsoft
# panel uygulamasına erişebilmesi için ayrı bir vhost yazar. PHP-FPM unit'i
# yine Onoxsoft panel kullanıcısının havuzudur, sadece ServerName ve SetEnv
# ONOX_RESELLER_ID branding tespiti için değişir.
#
# Input (stdin JSON):
#   reseller_id    int       Reseller user id (panel users.id)
#   domain         string    Bayinin panel hostname'i (panel.acme.com)
#   panel_root     string    Onoxsoft panel public/ klasörü (base_path('public'))
#   ssl_enabled    bool      Cert hazırsa true (cert path'lerle birlikte)
#   cert_path      string    fullchain PEM (ssl_enabled=true ise zorunlu)
#   key_path       string    private key PEM (ssl_enabled=true ise zorunlu)
#
# Output (stdout JSON):
#   {"vhost_path":..., "domain":..., "reseller_id":..., "reloaded":true,
#    "ssl_enabled":...}
#
# Exit codes: 0=ok 1=invalid-input 2=preflight-fail 3=exec-fail 4=rolled-back

set -euo pipefail

# Resolve symlinks first so the shared library is looked up next to the real
# script file, not next to a symlink that may live elsewhere.
SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$0")")
# shellcheck source=_lib/common.sh
. "${SCRIPT_DIR}/_lib/common.sh"

# Apache drop-in directory and the panel's PHP-FPM socket. Both are constants
# of this script; the reseller vhost always reuses the panel's FPM pool.
VHOST_DIR=/etc/httpd/conf.d
PANEL_FPM_SOCK=/run/php-fpm/onoxsoft-panel.sock

# ── Read & parse stdin ───────────────────────────────────────────────────────
# The whole request document arrives on stdin as JSON; onx_require_json is
# presumably the gate that rejects non-JSON input before any key is read.
REQUEST=$(cat)
onx_require_json "${REQUEST}"

# Required keys.
RESELLER_ID=$(onx_json_get "${REQUEST}" reseller_id)
DOMAIN=$(onx_json_get "${REQUEST}" domain)
PANEL_ROOT=$(onx_json_get "${REQUEST}" panel_root)
# Optional keys; the trailing argument looks like the default used when the
# key is absent (confirm against _lib/common.sh).
SSL_ENABLED=$(onx_json_get_bool "${REQUEST}" ssl_enabled false)
CERT_PATH=$(onx_json_get "${REQUEST}" cert_path "")
KEY_PATH=$(onx_json_get "${REQUEST}" key_path "")

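# ── Validation ───────────────────────────────────────────────────────────────
# Every value checked here ends up inside a root-owned Apache config file. A
# stray space, quote, '<' or newline in a path would at best break configtest
# and at worst smuggle an extra directive into the vhost, so paths are checked
# against a strict whitelist rather than only for emptiness.

#######################################
# Accept only absolute paths built from safe characters, with no '..' component.
# Arguments: $1 - path to check
# Returns:   0 when the path may be written into the vhost, 1 otherwise
#######################################
onx_reseller_path_ok() {
  local path=$1
  local -r safe_re='^/[A-Za-z0-9._@+/-]+$'
  [[ "${path}" =~ ${safe_re} ]] || return 1
  if [[ "${path}" == */../* || "${path}" == */.. ]]; then
    return 1
  fi
  return 0
}

[[ -n "${RESELLER_ID}" ]] || onx_die 1 "reseller_id is required"
# "positive integer": no zero, no leading zeros, because the id is also part of
# the vhost file name and the log file names.
[[ "${RESELLER_ID}" =~ ^[1-9][0-9]*$ ]] || onx_die 1 "reseller_id must be a positive integer"
onx_validate_domain "${DOMAIN}"
[[ -n "${PANEL_ROOT}" ]] || onx_die 1 "panel_root is required"
onx_reseller_path_ok "${PANEL_ROOT}" \
  || onx_die 1 "panel_root must be an absolute path without spaces, quotes or '..'"

if [[ "${SSL_ENABLED}" == "true" ]]; then
  [[ -n "${CERT_PATH}" ]] || onx_die 1 "cert_path required when ssl_enabled"
  [[ -n "${KEY_PATH}" ]]  || onx_die 1 "key_path required when ssl_enabled"
  onx_reseller_path_ok "${CERT_PATH}" \
    || onx_die 1 "cert_path must be an absolute path without spaces, quotes or '..'"
  onx_reseller_path_ok "${KEY_PATH}" \
    || onx_die 1 "key_path must be an absolute path without spaces, quotes or '..'"
fi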

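# ── Preflight ────────────────────────────────────────────────────────────────
# Everything the later steps depend on is checked before any file under
# ${VHOST_DIR} is touched, so a preflight failure leaves the host unchanged.
# systemctl is checked alongside apachectl: it is needed for the reload after
# the vhost is already installed, where a missing binary would be too late.
[[ -d "${VHOST_DIR}" ]]    || onx_die 2 "vhost directory not found: ${VHOST_DIR}"
[[ -d "${PANEL_ROOT}" ]]   || onx_die 2 "panel_root does not exist: ${PANEL_ROOT}"
command -v apachectl >/dev/null 2>&1 || onx_die 2 "apachectl not found"
command -v systemctl >/dev/null 2>&1 || onx_die 2 "systemctl not found"

if [[ "${SSL_ENABLED}" == "true" ]]; then
  [[ -f "${CERT_PATH}" ]] || onx_die 2 "cert_path does not exist: ${CERT_PATH}"
  [[ -f "${KEY_PATH}" ]]  || onx_die 2 "key_path does not exist: ${KEY_PATH}"
fi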

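# ── Render vhost ─────────────────────────────────────────────────────────────
# The vhost is rendered into a private temp file and only copied into place
# once complete; an existing file is set aside so configtest can roll back.
VHOST_PATH="${VHOST_DIR}/reseller-${RESELLER_ID}-${DOMAIN}.conf"
# The backup name does not end in .conf, so a conf.d/*.conf include glob
# (presumably what this host uses) should not pick it up.
BACKUP_PATH="${VHOST_PATH}.bak.$$"
if [[ -f "${VHOST_PATH}" ]]; then
  # -p keeps mode/owner so a rollback restores the file exactly as it was.
  cp -p -- "${VHOST_PATH}" "${BACKUP_PATH}"
fi

TMP_CONF=$(mktemp /tmp/onx-reseller-vhost-XXXXXX.conf) || onx_die 3 "mktemp failed"
# The backup is cleaned here as well so an early onx_die never leaves a stale
# .bak.<pid> file behind; the rollback path moves it back before exiting.
trap 'rm -f -- "${TMP_CONF}" "${BACKUP_PATH}"' EXIT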

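#######################################
# Print the :443 vhost for the reseller's branded panel.
# Globals:   DOMAIN PANEL_ROOT RESELLER_ID CERT_PATH KEY_PATH PANEL_FPM_SOCK (read)
# Outputs:   Apache config text on stdout
#######################################
render_https_vhost() {
  # Filesystem paths are double-quoted in the rendered config so a path that
  # survives validation but contains unusual characters cannot split a directive.
  cat <<SSLBLOCK
<VirtualHost *:443>
  ServerName ${DOMAIN}
  DocumentRoot "${PANEL_ROOT}"

  SetEnv ONOX_RESELLER_ID ${RESELLER_ID}
  SetEnv ONOX_BRANDED_PANEL 1

  SSLEngine on
  SSLCertificateFile    "${CERT_PATH}"
  SSLCertificateKeyFile "${KEY_PATH}"

  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

  <Directory "${PANEL_ROOT}">
    AllowOverride All
    Require all granted
  </Directory>

  <FilesMatch \\.php\$>
    SetHandler "proxy:unix:${PANEL_FPM_SOCK}|fcgi://localhost"
  </FilesMatch>

  ErrorLog  /var/log/httpd/reseller-${RESELLER_ID}-ssl-error.log
  CustomLog /var/log/httpd/reseller-${RESELLER_ID}-ssl-access.log combined
</VirtualHost>
SSLBLOCK
}

#######################################
# Print the HTTP→HTTPS redirect rules for the :80 vhost. The ACME HTTP-01
# challenge path is exempt so certificate renewal keeps working over plain HTTP.
# Outputs:   Apache config text on stdout (no variables are expanded)
#######################################
render_https_redirect() {
  cat <<'REDIR'
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
REDIR
}

# Both fragments stay empty without SSL so the :80 template below renders the
# same way in either mode.
if [[ "${SSL_ENABLED}" == "true" ]]; then
  HTTPS_BLOCK=$(render_https_vhost)
  HTTPS_REDIRECT=$(render_https_redirect)
else
  HTTPS_BLOCK=""
  HTTPS_REDIRECT=""
fi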

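#######################################
# Print the complete vhost file: the :80 vhost always, plus the pre-rendered
# redirect rules and :443 vhost when SSL is enabled (both empty otherwise).
# Globals:   RESELLER_ID DOMAIN PANEL_ROOT PANEL_FPM_SOCK HTTPS_REDIRECT HTTPS_BLOCK (read)
# Outputs:   Apache config text on stdout
#######################################
render_vhost_conf() {
  # Filesystem paths are double-quoted in the rendered config so a path that
  # survives validation but contains unusual characters cannot split a directive.
  cat <<VHOST
# Auto-generated by onx-reseller-vhost-add — do not edit by hand.
# Reseller ID: ${RESELLER_ID}
# Domain:      ${DOMAIN}
<VirtualHost *:80>
  ServerName ${DOMAIN}
  DocumentRoot "${PANEL_ROOT}"

  SetEnv ONOX_RESELLER_ID ${RESELLER_ID}
  SetEnv ONOX_BRANDED_PANEL 1

  <Directory "${PANEL_ROOT}">
    AllowOverride All
    Require all granted
  </Directory>

${HTTPS_REDIRECT}

  <FilesMatch \\.php\$>
    SetHandler "proxy:unix:${PANEL_FPM_SOCK}|fcgi://localhost"
  </FilesMatch>

  ErrorLog  /var/log/httpd/reseller-${RESELLER_ID}-error.log
  CustomLog /var/log/httpd/reseller-${RESELLER_ID}-access.log combined
</VirtualHost>

${HTTPS_BLOCK}
VHOST
}

render_vhost_conf > "${TMP_CONF}"

# install copies (rather than moves) the temp file, so the EXIT trap still
# removes it; 0644 makes the vhost readable by httpd.
install -m 0644 "${TMP_CONF}" "${VHOST_PATH}"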

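# ── configtest → rollback on failure ─────────────────────────────────────────
# configtest diagnostics are captured and logged instead of discarded: a bare
# "configtest failed" gives the operator nothing to act on.
if ! CONFIGTEST_OUT=$(apachectl configtest 2>&1); then
  onx_log "apachectl configtest failed — rolling back: ${CONFIGTEST_OUT}"
  # Restore the previous vhost if there was one, otherwise remove the new file,
  # so httpd is never left with a config it cannot load.
  if [[ -f "${BACKUP_PATH}" ]]; then
    mv -- "${BACKUP_PATH}" "${VHOST_PATH}"
  else
    rm -f -- "${VHOST_PATH}"
  fi
  onx_die 4 "apachectl configtest failed; reseller vhost rolled back"
fi

rm -f -- "${BACKUP_PATH}"

# The new vhost is on disk and syntactically valid at this point; a failed
# reload only means it is not live yet.
if ! systemctl reload httpd; then
  onx_die 3 "systemctl reload httpd failed"
fi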

# Result document for the caller; key order follows the header contract.
OUT_FIELDS=(
  "vhost_path"  "${VHOST_PATH}"
  "domain"      "${DOMAIN}"
  "reseller_id" "${RESELLER_ID}"
  "reloaded"    "true"
  "ssl_enabled" "${SSL_ENABLED}"
)
onx_json_out "${OUT_FIELDS[@]}"
