#!/bin/bash
set -e

# Ensure we're in the project root directory
PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"

# Define directories relative to project root
CREDENTIALS_DIR="${PROJECT_ROOT}/config/credentials"
DOCKER_DIR="${PROJECT_ROOT}/docker"
KEYCLOAK_SETUP_DIR="${PROJECT_ROOT}/scripts/setup/keycloak"
ANSIBLE_PLAYBOOK="${PROJECT_ROOT}/ansible/site.yml"
ANSIBLE_INVENTORY="${PROJECT_ROOT}/ansible/inventory/staging/hosts"
NEXTCLOUD_DATA_DIR="${PROJECT_ROOT}/data/nextcloud/data"
TEMP_FILE=$(mktemp)
KEYCLOAK_DB_DIR="${PROJECT_ROOT}/data/keycloak-db"

# Create necessary directories
sudo mkdir -p "${CREDENTIALS_DIR}"
sudo mkdir -p "${DOCKER_DIR}"
sudo mkdir -p "${KEYCLOAK_SETUP_DIR}"

# Initialize password variables
KEYCLOAK_ADMIN_PASSWORD=""
KC_DB_PASSWORD=""
TESTADMIN_PASSWORD=""
TESTUSER_PASSWORD=""
TESTSERVICEUSER_PASSWORD=""
KEYCLOAK_NEXTCLOUD_CLIENT_SECRET=""

# Function to read a password from a .env file
read_password_from_env() {
    local env_file="$1"
    local variable_name="$2"
    if [ -f "$env_file" ]; then
        grep "^${variable_name}=" "$env_file" | cut -d '=' -f2
    fi
}

# Function to generate secure passwords
generate_password() {
    openssl rand -base64 32
}

# Function to generate password if empty
generate_password_if_empty() {
    local variable_name="$1"
    eval "local value=\$$variable_name"
    if [ -z "$value" ]; then
        eval "$variable_name=\"$(generate_password)\""
        echo ">>> Generiertes Passwort für: $variable_name"
    fi
}

# Function to create .env file
create_env_file() {
    local env_file="$1"
    local content="$2"
    if [ ! -f "$env_file" ]; then
        echo "$content" > "$env_file"
        echo ">>> .env file created: $env_file"
    else
        echo ">>> .env file already exists: $env_file"
    fi
}

echo ">>> Überprüfe bestehende .env Dateien und lese Passwörter..."

# Try reading passwords from existing .env files
if [ -f "$DOCKER_DIR/.env" ]; then
    KC_DB_PASSWORD=$(read_password_from_env "$DOCKER_DIR/.env" "KC_DB_PASSWORD")
    KEYCLOAK_ADMIN_PASSWORD=$(read_password_from_env "$DOCKER_DIR/.env" "KEYCLOAK_ADMIN_PASSWORD")
fi

if [ -f "$KEYCLOAK_SETUP_DIR/.env" ]; then
    KEYCLOAK_ADMIN_PASSWORD=$(read_password_from_env "$KEYCLOAK_SETUP_DIR/.env" "KEYCLOAK_ADMIN_PASSWORD") # Überschreibt ggf. den Wert aus docker/.env
    TESTADMIN_PASSWORD=$(read_password_from_env "$KEYCLOAK_SETUP_DIR/.env" "TESTADMIN_PASSWORD")
    TESTUSER_PASSWORD=$(read_password_from_env "$KEYCLOAK_SETUP_DIR/.env" "TESTUSER_PASSWORD")
    TESTSERVICEUSER_PASSWORD=$(read_password_from_env "$KEYCLOAK_SETUP_DIR/.env" "TESTSERVICEUSER_PASSWORD")
    KEYCLOAK_NEXTCLOUD_CLIENT_SECRET=$(read_password_from_env "$KEYCLOAK_SETUP_DIR/.env" "KEYCLOAK_NEXTCLOUD_CLIENT_SECRET")
fi

echo ">>> Generiere neue Passwörter für fehlende Werte..."

# Generate passwords if they are still empty
generate_password_if_empty KEYCLOAK_ADMIN_PASSWORD
generate_password_if_empty KC_DB_PASSWORD
generate_password_if_empty TESTADMIN_PASSWORD
generate_password_if_empty TESTUSER_PASSWORD
generate_password_if_empty TESTSERVICEUSER_PASSWORD
generate_password_if_empty KEYCLOAK_NEXTCLOUD_CLIENT_SECRET

# Date for documentation
SETUP_DATE=$(date '+%Y-%m-%d_%H-%M-%S')

# Create credentials content
CREDENTIALS_CONTENT=$(cat <<EOL
Setup Date: ${SETUP_DATE}

Keycloak Admin Credentials:
Username: admin
Password: ${KEYCLOAK_ADMIN_PASSWORD}

Keycloak Database Credentials:
Username: keycloak
Password: ${KC_DB_PASSWORD}

Test User Credentials:
Admin Password: ${TESTADMIN_PASSWORD}
User Password: ${TESTUSER_PASSWORD}
Service User Password: ${TESTSERVICEUSER_PASSWORD}
Nextcloud Client Secret: ${KEYCLOAK_NEXTCLOUD_CLIENT_SECRET}

EOL
)

# Store credentials hash
CREDENTIALS_HASH=$(echo "$CREDENTIALS_CONTENT" | sha256sum | awk '{print $1}')
echo "$CREDENTIALS_HASH" > "${CREDENTIALS_DIR}/credentials_hash.txt"
echo ">>> Credentials hash stored in: ${CREDENTIALS_DIR}/credentials_hash.txt"

# Set GPG PASSPHRASE
export GPG_PASSPHRASE=$(generate_password)
# Set GPG agent environment variable
export GPG_TTY=$(tty)

echo ">>> Trying openssl encryption first"
# Alternative Verschlüsselung mit Openssl
echo "$CREDENTIALS_CONTENT" > "$TEMP_FILE"
          if openssl enc -aes-256-cbc -pbkdf2 -salt -in "$TEMP_FILE" -out "${CREDENTIALS_DIR}/credentials_${SETUP_DATE}.txt.enc" -k "$GPG_PASSPHRASE" ; then
             echo ">>> Credentials encrypted successfully using openssl"
             mv  "${CREDENTIALS_DIR}/credentials_${SETUP_DATE}.txt.enc" "${CREDENTIALS_DIR}/credentials_${SETUP_DATE}.txt.gpg"
        else
           echo ">>> Openssl encryption failed, trying gpg"

          # Attempt to kill existing gpg agent
          gpgconf --kill gpg-agent 2>/dev/null
          echo ">>> Attempting to manually start gpg-agent with pinentry-curses"
          gpg-agent --daemon --pinentry-program /usr/bin/pinentry-curses
          gpg-connect-agent /bye 2>/dev/null
          eval $(gpg-agent --daemon)
          gpg-connect-agent updatestartuptty /bye 2>/dev/null

          # Attempt to encrypt credentials using GPG with error handling
          if echo "$CREDENTIALS_CONTENT" | gpg --symmetric --cipher-algo AES256 -vvv -o "${CREDENTIALS_DIR}/credentials_${SETUP_DATE}.txt.gpg" ; then
                echo ">>> Credentials encrypted successfully using gpg."
          else
             echo ">>> GPG encryption failed. Attempting GPG encryption with password workaround."
                # Attempt encryption with passphrase workaround
                if echo "$CREDENTIALS_CONTENT" | gpg --batch --passphrase "$GPG_PASSPHRASE" --symmetric --cipher-algo AES256 -vvv -o "${CREDENTIALS_DIR}/credentials_${SETUP_DATE}.txt.gpg"; then
                      echo ">>> Credentials encrypted successfully using gpg with passphrase workaround."
                else
                   echo ">>> GPG encryption with passphrase workaround failed"
                   exit 1
                fi
          fi
       fi
rm "$TEMP_FILE"

# Create .env file in docker directory
DOCKER_ENV_CONTENT=$(cat <<EOL
# Generated on ${SETUP_DATE}
# Keycloak Admin
KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}

# Keycloak Database
KC_DB_USERNAME=keycloak
KC_DB_PASSWORD=${KC_DB_PASSWORD}
EOL
)
create_env_file "$DOCKER_DIR/.env" "$DOCKER_ENV_CONTENT"

# Create .env file in scripts/setup/keycloak directory
KEYCLOAK_ENV_CONTENT=$(cat <<EOL
KEYCLOAK_URL=https://auth.mrx8086.com
KEYCLOAK_ADMIN_USER=admin
KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
NEXTCLOUD_CLIENT_ID=nextcloud
PAPERLESS_CLIENT_ID=paperless
NODERED_CLIENT_ID=nodered
TESTADMIN_PASSWORD=${TESTADMIN_PASSWORD}
TESTUSER_PASSWORD=${TESTUSER_PASSWORD}
TESTSERVICEUSER_PASSWORD=${TESTSERVICEUSER_PASSWORD}
KEYCLOAK_NEXTCLOUD_CLIENT_SECRET=${KEYCLOAK_NEXTCLOUD_CLIENT_SECRET}
EOL
)
create_env_file "$KEYCLOAK_SETUP_DIR/.env" "$KEYCLOAK_ENV_CONTENT"

echo ">>> Environment setup completed!"

# --------------- KEYCLOAK KONFIGURATION ---------------
echo ">>> Keycloak Konfiguration..."
cd "$KEYCLOAK_SETUP_DIR"

echo ">>> Starte setup_realm.js"
node setup_realm.js

cd "$PROJECT_ROOT"

# --------------- NEXTCLOUD KONFIGURATION ---------------
echo ">>> Nextcloud Konfiguration..."

# Verify if variable is set from earlier in the script
echo ">>> Debug: Checking original variable..."
echo ">>> Debug: KEYCLOAK_NEXTCLOUD_CLIENT_SECRET = ${KEYCLOAK_NEXTCLOUD_CLIENT_SECRET}"

# Try reading from .env file if variable is empty
if [ -z "${KEYCLOAK_NEXTCLOUD_CLIENT_SECRET}" ]; then
    echo ">>> Debug: Variable is empty, trying to read from .env file..."
    KEYCLOAK_NEXTCLOUD_CLIENT_SECRET=$(grep KEYCLOAK_NEXTCLOUD_CLIENT_SECRET "${KEYCLOAK_SETUP_DIR}/.env" | cut -d '=' -f2)
    echo ">>> Debug: Value from .env file = ${KEYCLOAK_NEXTCLOUD_CLIENT_SECRET}"
fi

# Ensure we have a value
if [ -z "${KEYCLOAK_NEXTCLOUD_CLIENT_SECRET}" ]; then
    echo ">>> Error: Could not get client secret value"
    exit 1
fi

# Escape special characters in the secret for JSON
ESCAPED_SECRET=$(echo "$KEYCLOAK_NEXTCLOUD_CLIENT_SECRET" | sed 's/["\]/\\&/g')
echo ">>> Debug: Escaped secret = $ESCAPED_SECRET"

# Create the extra vars
EXTRA_VARS="{\"client_secret\": \"$ESCAPED_SECRET\"}"
echo ">>> Debug: Extra vars = $EXTRA_VARS"

# Run Ansible with the extra vars
sudo ansible-playbook \
    -i "$ANSIBLE_INVENTORY" \
    "$ANSIBLE_PLAYBOOK" \
    --extra-vars "$EXTRA_VARS" \
    -v

echo ">>> Fertig"