#!/usr/bin/env bash
set -Eeuo pipefail

# --- config you can tweak ---
CONF="/etc/nginx/sites-available/lan-proxy.conf"
PROXY_IP="192.168.1.202"          # Nginx box LAN IP
ID_BACKEND="192.168.1.202:21118"  # id.generalinfinity.cloud target
RELAY_BACKEND="192.168.1.202:21119" # relay.generalinfinity.cloud target
# ----------------------------

STAMP="$(date +%F-%H%M%S)"

sudo install -d /etc/nginx/sites-available /etc/nginx/sites-enabled
sudo touch "$CONF"

# backup
sudo cp -a "$CONF" "${CONF}.bak-${STAMP}"

# append id.generalinfinity.cloud if missing
if ! sudo grep -q 'server_name id.generalinfinity.cloud' "$CONF"; then
  sudo tee -a "$CONF" >/dev/null <<EOF
server {
  listen 443 ssl;
  server_name id.generalinfinity.cloud;
  ssl_certificate /etc/nginx/local.crt;
  ssl_certificate_key /etc/nginx/local.key;

  location / {
    proxy_pass http://$ID_BACKEND;
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}
EOF
fi

# append relay.generalinfinity.cloud if missing
if ! sudo grep -q 'server_name relay.generalinfinity.cloud' "$CONF"; then
  sudo tee -a "$CONF" >/dev/null <<EOF
server {
  listen 443 ssl;
  server_name relay.generalinfinity.cloud;
  ssl_certificate /etc/nginx/local.crt;
  ssl_certificate_key /etc/nginx/local.key;

  location / {
    proxy_pass http://$RELAY_BACKEND;
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}
EOF
fi

# refresh self-signed cert to include ALL hostnames (SAN)
sudo openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout /etc/nginx/local.key -out /etc/nginx/local.crt -days 365 \
  -subj "/CN=github.generalinfinity.cloud" \
  -addext "subjectAltName=DNS:github.generalinfinity.cloud,DNS:call.generalinfinity.cloud,DNS:id.generalinfinity.cloud,DNS:relay.generalinfinity.cloud" \
  >/dev/null 2>&1

# validate and hot-reload (zero downtime)
if sudo nginx -t; then
  sudo systemctl reload nginx
else
  echo "❌ nginx test failed; restoring backup"
  sudo mv "${CONF}.bak-${STAMP}" "$CONF"
  exit 1
fi

# ensure local name resolution to the proxy
grep -q 'id.generalinfinity.cloud' /etc/hosts    || echo "$PROXY_IP id.generalinfinity.cloud"    | sudo tee -a /etc/hosts
grep -q 'relay.generalinfinity.cloud' /etc/hosts || echo "$PROXY_IP relay.generalinfinity.cloud" | sudo tee -a /etc/hosts

# quick tests (ignore trust; use -k)
curl -kI https://id.generalinfinity.cloud    || true
curl -kI https://relay.generalinfinity.cloud || true

echo "✅ Done. Nginx reloaded without interruption."