#!/bin/bash

# Abort on the first unhandled command failure. pipefail is not enabled in
# this script; the `tr </dev/urandom | head -c N` pipelines further down end
# with tr being terminated once head has read enough bytes.
set -o errexit

# Installer banner.
cat <<'BANNER'
============================================
 WHM-safe installer for admin.arabianusa.com
============================================
BANNER

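# ====== INPUTS ======
# Every answer collected here is later used by root: in filesystem paths, as a
# recursive chown target, inside generated Apache configuration and inside a
# generated config.js. Each value is therefore checked against a conservative
# allow-list before the installer continues, so a typo or a hostile value
# cannot turn into path traversal or configuration/code injection.

# Print an error on stderr and stop the installer.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Succeeds when $1 is an absolute path below /home/$CPANEL_USER/ that has no
# ".." component. The script itself assumes homes live under /home (see the
# default paths below), so anything outside that tree is rejected.
is_under_user_home() {
  local candidate=$1
  [[ "$candidate" == "/home/${CPANEL_USER}/"* ]] || return 1
  [[ "/${candidate}/" != */../* ]]
}

safe_name_re='^[A-Za-z0-9][A-Za-z0-9_-]*$'
hostname_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
# No leading zero: the port is written unquoted into config.js.
port_re='^[1-9][0-9]{0,4}$'

# read -r keeps backslashes literal instead of treating them as escapes.
read -r -p "Enter cPanel username: " CPANEL_USER
[[ "$CPANEL_USER" =~ $safe_name_re ]] \
  || die "cPanel username must start with a letter or digit and contain only letters, digits, '_' or '-'"
id -u -- "$CPANEL_USER" >/dev/null 2>&1 \
  || die "no such system account: ${CPANEL_USER}"

read -r -p "Enter domain/subdomain [admin.arabianusa.com]: " DOMAIN
DOMAIN=${DOMAIN:-admin.arabianusa.com}
[[ "$DOMAIN" =~ $hostname_re ]] \
  || die "domain may contain only letters, digits, '.' and '-'"

read -r -p "Enter full frontend path [/home/${CPANEL_USER}/public_html/admin.arabianusa.com/admin]: " FRONTEND_PATH
FRONTEND_PATH=${FRONTEND_PATH:-/home/${CPANEL_USER}/public_html/admin.arabianusa.com/admin}
is_under_user_home "$FRONTEND_PATH" \
  || die "frontend path must be inside /home/${CPANEL_USER}/ and must not contain '..'"

read -r -p "Enter backend path [/home/${CPANEL_USER}/nodeapps/admin-backend]: " BACKEND_PATH
BACKEND_PATH=${BACKEND_PATH:-/home/${CPANEL_USER}/nodeapps/admin-backend}
is_under_user_home "$BACKEND_PATH" \
  || die "backend path must be inside /home/${CPANEL_USER}/ and must not contain '..'"

read -r -p "Enter app name [backend]: " APP_NAME
APP_NAME=${APP_NAME:-backend}
[[ "$APP_NAME" =~ $safe_name_re ]] \
  || die "app name may contain only letters, digits, '_' and '-'"

read -r -p "Enter backend port [5000]: " APP_PORT
APP_PORT=${APP_PORT:-5000}
if ! [[ "$APP_PORT" =~ $port_re ]] || (( APP_PORT > 65535 )); then
  die "backend port must be an integer between 1 and 65535"
fi

read -r -p "Enter MongoDB database name [${APP_NAME}]: " MONGO_DB
MONGO_DB=${MONGO_DB:-$APP_NAME}
# The database name is interpolated into a mongosh script and a connection URI.
if ! [[ "$MONGO_DB" =~ $safe_name_re ]] || (( ${#MONGO_DB} > 63 )); then
  die "MongoDB database name may contain only letters, digits, '_' and '-' (max 63 characters)"
fi

read -r -p "Your resend email []: " RESEND_EMAIL
# The address is written between double quotes in config.js; an empty value is
# still accepted, but characters that would end the string literal are not.
case "$RESEND_EMAIL" in
  *\"* | *\\*) die "email must not contain double quotes or backslashes" ;;
esac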

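# ====== SHARED SECRETS ======
# NOTE(review): both defaults below are literals in this installer, so every
# deployment that accepts them uses the same API key and the same JWT signing
# secret, and anyone who can read the script knows both. Prefer entering
# per-deployment values at the prompt; confirm which other components expect
# the shared value before changing the defaults themselves.
get_shared_secret_key="5TIvw5cpc0"
read -r -p "Shared Secret key [${get_shared_secret_key}]: " SHARED_SECRET_KEY
if [[ -z "$SHARED_SECRET_KEY" ]]; then
  SHARED_SECRET_KEY="$get_shared_secret_key"
  echo "WARNING: using the installer's built-in shared secret key; it is not unique to this deployment" >&2
fi

get_shared_jwt_secret="2FhKmINItB"
read -r -p "Shared Jwt Secret [${get_shared_jwt_secret}]: " SHARED_JWT_SECRET
if [[ -z "$SHARED_JWT_SECRET" ]]; then
  SHARED_JWT_SECRET="$get_shared_jwt_secret"
  echo "WARNING: using the installer's built-in JWT secret; it is not unique to this deployment" >&2
fi

# Both values are later written between double quotes in config.js, so reject
# characters that would terminate or escape that string literal.
case "${SHARED_SECRET_KEY}${SHARED_JWT_SECRET}" in
  *\"* | *\\*)
    echo "ERROR: secrets must not contain double quotes or backslashes" >&2
    exit 1
    ;;
esac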

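# Host part of the MongoDB connection string written to config.js. Despite the
# variable name this is the loopback address, so the backend reaches MongoDB
# over the local interface only.
PUBLIC_IP="127.0.0.1"

# Echo the collected settings back for confirmation. The two secrets are
# reported by length only: printing them would leave them in terminal
# scrollback and in any session recording or captured installer output.
echo
echo "Using:"
echo "CPANEL_USER       = $CPANEL_USER"
echo "DOMAIN            = $DOMAIN"
echo "FRONTEND_PATH     = $FRONTEND_PATH"
echo "BACKEND_PATH      = $BACKEND_PATH"
echo "APP_NAME          = $APP_NAME"
echo "APP_PORT          = $APP_PORT"
echo "MONGO_DB          = $MONGO_DB"
echo "RESEND_EMAIL      = $RESEND_EMAIL"
echo "SHARED_SECRET_KEY = (set, ${#SHARED_SECRET_KEY} characters, value not displayed)"
echo "SHARED_JWT_SECRET = (set, ${#SHARED_JWT_SECRET} characters, value not displayed)"
echo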

# ====== CHECK ROOT ======
# Stop unless the effective uid reported by id(1) is 0; the steps that follow
# write under /etc/apache2, change file ownership and restart httpd.
case "$(id -u)" in
  0) ;;
  *)
    echo "Please run this script as root"
    exit 1
    ;;
esac

# ====== BASIC CHECKS ======
# Stop at the first tool that cannot be found on PATH, before anything on the
# system has been modified.
for tool in node npm pm2 mongosh httpd apachectl; do
  command -v "$tool" >/dev/null 2>&1 && continue
  echo "Missing required command: $tool"
  exit 1
done

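# ====== CREATE DIRECTORIES ======
# These commands run as root, and the chown is recursive. An empty username or
# path would redirect them to locations such as "/home//nodeapps" or the
# current directory, so refuse to continue when any of the three is empty.
: "${CPANEL_USER:?CPANEL_USER must not be empty}"
: "${BACKEND_PATH:?BACKEND_PATH must not be empty}"
: "${FRONTEND_PATH:?FRONTEND_PATH must not be empty}"

# "--" stops option parsing so a path beginning with "-" is not read as a flag.
mkdir -p -- "$BACKEND_PATH"
mkdir -p -- "$FRONTEND_PATH"
mkdir -p -- "/home/${CPANEL_USER}/nodeapps"

# NOTE(review): root is creating and re-owning entries inside a tree the
# account itself can write to. Consider performing these steps as the account
# rather than as root; confirm how this installer is expected to be run.
# Ownership changes stay best-effort, but a failure is now reported instead of
# being silently discarded.
for owned_dir in "/home/${CPANEL_USER}/nodeapps" "$FRONTEND_PATH" "$BACKEND_PATH"; do
  chown -R -- "${CPANEL_USER}:${CPANEL_USER}" "$owned_dir" \
    || echo "WARNING: could not change ownership of ${owned_dir}" >&2
done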

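# ====== GENERATE MONGODB USERNAME/PASSWORD ======
# Username: lower-cased alphanumeric form of APP_NAME plus a random 6-character
# suffix. LC_ALL=C makes tr work byte-wise on the /dev/urandom stream.
RAND_SUFFIX=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 6)
app_slug=$(printf '%s' "${APP_NAME}" | tr '[:upper:]' '[:lower:]' | LC_ALL=C tr -cd 'a-z0-9')
MONGO_USER="${app_slug}_${RAND_SUFFIX}"

# Password: 24 characters from a 64-symbol alphabet. The previous set ended in
# "_-!", which tr parses as a range running backwards from "_" to "!"; GNU tr
# rejects that and prints nothing, which left the password empty. The set is
# also limited to characters that need no percent-encoding, because the
# password is embedded verbatim in a mongodb:// URI where "@", "#" and "%" are
# delimiters. The "-" is placed last so it is taken literally.
MONGO_PASS=$(LC_ALL=C tr -dc 'A-Za-z0-9_-' </dev/urandom | head -c 24)

# Fail closed: never continue with a short or empty credential.
if [[ ${#RAND_SUFFIX} -ne 6 || ${#MONGO_PASS} -ne 24 ]]; then
  echo "ERROR: failed to generate MongoDB credentials" >&2
  exit 1
fi

echo "Generated MongoDB credentials..."
echo "MONGO_USER = $MONGO_USER"
echo "MONGO_DB   = $MONGO_DB"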

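# ====== CREATE MONGODB USER ======
echo "Creating MongoDB user..."

# The values below are pasted into a script that mongosh executes, so they are
# checked first: identifiers must be plain names, and the password must be
# non-empty and free of characters that would end the quoted string.
mongo_ident_re='^[A-Za-z0-9_-]+$'
if ! [[ "$MONGO_DB" =~ $mongo_ident_re && "$MONGO_USER" =~ $mongo_ident_re ]]; then
  echo "ERROR: MongoDB database and user names may contain only letters, digits, '_' and '-'" >&2
  exit 1
fi
case "$MONGO_PASS" in
  '' | *\"* | *\\*)
    echo "ERROR: MongoDB password is empty or contains a double quote or backslash" >&2
    exit 1
    ;;
esac

# The script is fed on stdin, so the password does not appear in the process
# argument list. The new account gets readWrite on its own database only.
# NOTE(review): mongosh is started without a connection string or credentials,
# so this relies on the local server accepting user creation from that
# session; confirm that access control is enabled on the deployment.
mongosh <<EOF
use ${MONGO_DB}
db.createUser({
  user: "${MONGO_USER}",
  pwd: "${MONGO_PASS}",
  roles: [
    { role: "readWrite", db: "${MONGO_DB}" }
  ]
})
EOF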

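# ====== WRITE BACKEND config.js (LIKE OLD SCRIPT) ======
echo "Writing backend config.js..."

: "${BACKEND_PATH:?BACKEND_PATH must not be empty}"

# config.js holds the JWT secret, the API secret key and the MongoDB password.
# It is written to a fresh temporary file (mktemp creates it exclusively and
# readable by its owner only) and then renamed into place. Renaming replaces
# whatever already exists at the destination name rather than writing through
# it, so a pre-existing symlink called config.js in this account-writable
# directory cannot redirect root's write to another file.
config_tmp=$(mktemp -- "${BACKEND_PATH}/.config.js.XXXXXX")

cat > "$config_tmp" <<EOF
module.exports = {
  //Port
  PORT: ${APP_PORT},

  //Gmail credentials for send email
  EMAIL: "${RESEND_EMAIL}",

  //Secret key for jwt
  JWT_SECRET: "${SHARED_JWT_SECRET}",

  //Project Name
  projectName : "${APP_NAME}",

  //baseURL
  baseURL: "https://${DOMAIN}/admin/",

  //Secret key for API
  secretKey: "${SHARED_SECRET_KEY}",

  //Mongodb string
  MONGODB_CONNECTION_STRING: "mongodb://${MONGO_USER}:${MONGO_PASS}@${PUBLIC_IP}:27017/${MONGO_DB}?authSource=${MONGO_DB}"
};
EOF

# Owner-only permissions: other accounts on the host must not be able to read
# the secrets.
chmod 600 -- "$config_tmp"

# Still best-effort, but a failure is reported: a root-owned 0600 file would
# not be readable by an application running as the cPanel account.
chown -- "${CPANEL_USER}:${CPANEL_USER}" "$config_tmp" \
  || echo "WARNING: could not change ownership of config.js to ${CPANEL_USER}" >&2

# -T treats the destination as a file name even if a directory exists there.
mv -fT -- "$config_tmp" "${BACKEND_PATH}/config.js"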

# ====== APACHE MODULES CHECK ======
# Advisory only: each module missing from the `httpd -M` listing produces a
# warning and the installer carries on.
echo "Checking Apache proxy modules..."
for apache_module in proxy_module proxy_http_module proxy_wstunnel_module headers_module rewrite_module; do
  if ! httpd -M 2>/dev/null | grep -q "$apache_module"; then
    echo "WARNING: ${apache_module} not loaded"
  fi
done

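# ====== APACHE INCLUDE FILES ======
# The username and domain become directory names under /etc/apache2, and the
# port is pasted into directives that Apache will load. Check all three before
# writing anything, so that no value can step outside the userdata tree or add
# extra directives to the generated files.
include_name_re='^[A-Za-z0-9][A-Za-z0-9_-]*$'
include_host_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
include_port_re='^[1-9][0-9]{0,4}$'

if ! [[ "$CPANEL_USER" =~ $include_name_re ]]; then
  echo "ERROR: cPanel username contains characters that are not safe in a path" >&2
  exit 1
fi
if ! [[ "$DOMAIN" =~ $include_host_re ]]; then
  echo "ERROR: domain contains characters that are not valid in a host name" >&2
  exit 1
fi
if ! [[ "$APP_PORT" =~ $include_port_re ]] || (( APP_PORT > 65535 )); then
  echo "ERROR: backend port must be an integer between 1 and 65535" >&2
  exit 1
fi

SSL_INCLUDE_DIR="/etc/apache2/conf.d/userdata/ssl/2_4/${CPANEL_USER}/${DOMAIN}"
STD_INCLUDE_DIR="/etc/apache2/conf.d/userdata/std/2_4/${CPANEL_USER}/${DOMAIN}"

mkdir -p -- "$SSL_INCLUDE_DIR"
mkdir -p -- "$STD_INCLUDE_DIR"

# Include for the "ssl" userdata tree: forwards /admin/api/ and
# /admin/socket.io/ to the backend on loopback, sends WebSocket upgrades to
# ws://, and marks forwarded requests as HTTPS on port 443.
# ProxyRequests Off keeps Apache from acting as a forward proxy.
cat > "${SSL_INCLUDE_DIR}/admin-proxy.conf" <<EOF
ProxyPreserveHost On
ProxyRequests Off

RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/admin/socket.io/(.*) ws://127.0.0.1:${APP_PORT}/socket.io/\$1 [P,L]

ProxyPass        /admin/api/        http://127.0.0.1:${APP_PORT}/
ProxyPassReverse /admin/api/        http://127.0.0.1:${APP_PORT}/

ProxyPass        /admin/socket.io/  http://127.0.0.1:${APP_PORT}/socket.io/
ProxyPassReverse /admin/socket.io/  http://127.0.0.1:${APP_PORT}/socket.io/

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
EOF

# Include for the "std" userdata tree: the same proxy rules without the
# X-Forwarded-* headers.
# NOTE(review): this presumably applies to the plain-HTTP virtual host, which
# would make the admin API and its tokens reachable without TLS. Consider
# redirecting this vhost to https:// instead of proxying; confirm with the
# site's TLS setup first.
cat > "${STD_INCLUDE_DIR}/admin-proxy.conf" <<EOF
ProxyPreserveHost On
ProxyRequests Off

RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/admin/socket.io/(.*) ws://127.0.0.1:${APP_PORT}/socket.io/\$1 [P,L]

ProxyPass        /admin/api/        http://127.0.0.1:${APP_PORT}/
ProxyPassReverse /admin/api/        http://127.0.0.1:${APP_PORT}/

ProxyPass        /admin/socket.io/  http://127.0.0.1:${APP_PORT}/socket.io/
ProxyPassReverse /admin/socket.io/  http://127.0.0.1:${APP_PORT}/socket.io/
EOF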

# ====== REBUILD APACHE CONFIG SAFELY ======
# Run the cPanel helper scripts only when they are present and executable.
cpanel_scripts_dir=/usr/local/cpanel/scripts

if [[ -x "${cpanel_scripts_dir}/ensure_vhost_includes" ]]; then
  # Best effort: a failure of this step does not stop the installer.
  "${cpanel_scripts_dir}/ensure_vhost_includes" --all-users || true
fi

if [[ -x "${cpanel_scripts_dir}/rebuildhttpdconf" ]]; then
  "${cpanel_scripts_dir}/rebuildhttpdconf"
fi

# Syntax check before the restart: with errexit active, a failed check stops
# the script here, so httpd is not restarted onto a configuration it rejects.
apachectl -t
systemctl restart httpd

# ====== FIREWALL ======
# Permanently allow the http and https services, then reload the firewall so
# the change takes effect. Every step is best-effort: a failing firewall-cmd
# call is ignored and the installer continues.
for fw_service in http https; do
  firewall-cmd --permanent --add-service="${fw_service}" || true
done
firewall-cmd --reload || true

# ====== PM2 STARTUP ======
# Set up pm2's systemd startup for the cPanel account, using /home/<user> as
# its home path. Best effort: a failure here is ignored.
pm2_startup_args=(startup systemd -u "${CPANEL_USER}" --hp "/home/${CPANEL_USER}")
pm2 "${pm2_startup_args[@]}" || true

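# ====== SUMMARY ======
# Final report and next steps. The MongoDB password is deliberately left out:
# printing it (and the full connection URI) would copy the credential into
# terminal scrollback and any captured installer output. It is stored in
# config.js, which is where the backend reads it from.
cat <<EOF

============================================
 Done.
============================================
Frontend path : $FRONTEND_PATH
Backend path  : $BACKEND_PATH
config.js     : ${BACKEND_PATH}/config.js
API proxy     : https://${DOMAIN}/admin/api/
Socket.IO     : https://${DOMAIN}/admin/socket.io/

Generated MongoDB credentials:
MONGO_DB      : $MONGO_DB
MONGO_USER    : $MONGO_USER
MONGO_PASS    : (not displayed; stored in ${BACKEND_PATH}/config.js)

Mongo URI (password omitted):
mongodb://${MONGO_USER}:<password>@127.0.0.1:27017/${MONGO_DB}?authSource=${MONGO_DB}

Next steps:
1) Put your backend app inside:
   $BACKEND_PATH

2) Start backend on 127.0.0.1:${APP_PORT}, example:
   cd $BACKEND_PATH
   pm2 start index.js --name ${APP_NAME}
   pm2 save

3) Put frontend build files inside:
   $FRONTEND_PATH

4) Make sure your frontend calls API using:
   /admin/api/

EOF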