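#!/bin/bash
# Xenia POS — first-time install script
# Run this on the server machine before starting the stack.
# Usage: bash install.sh
#
# What it does, in order:
#   1. creates data/, certs/ and nginx-proxy/ next to this script
#   2. (re)writes nginx-proxy/nginx.conf, overwriting any existing copy
#   3. checks for certs/cert.pem and certs/key.pem and prints how to obtain
#      them when they are missing
#   4. creates an empty logo.png placeholder when none exists
#   5. runs `docker compose up -d` only when both certificate files are present
#
# -u and pipefail are added to the original -e so that an unset variable or a
# failing pipeline stage aborts the install instead of continuing half-done.
set -euo pipefail

SCRIPT_DIR="$(cd -- "$(dirname -- "$0")" && pwd)"
readonly CERT_FILE="$SCRIPT_DIR/certs/cert.pem"
readonly KEY_FILE="$SCRIPT_DIR/certs/key.pem"

# Succeeds only when both TLS files are regular, non-empty files.
# An empty placeholder would pass a plain -f test, after which the script
# would start the stack and report success while nginx fails to load the
# certificate.
certs_present() {
  [ -f "$CERT_FILE" ] && [ -s "$CERT_FILE" ] &&
    [ -f "$KEY_FILE" ] && [ -s "$KEY_FILE" ]
}

# Prints a warning when the TLS private key is readable or writable by group
# or other users. It only warns: ownership and mode depend on how the key was
# copied in and on how the proxy container reads it, so the script does not
# change them itself.
# Outputs: warning lines on stdout (same channel as the other messages here).
warn_if_key_exposed() {
  local exposed
  # -L follows a symlinked key; -prune keeps find from descending; the four
  # -perm tests match group/other read or write bits (POSIX find syntax).
  exposed="$(find -L "$KEY_FILE" -prune \
    \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) \
    -print 2>/dev/null)" || exposed=""
  if [ -n "$exposed" ]; then
    echo " WARNING: $KEY_FILE is accessible to group/other users."
    echo " Restrict the private key to its owner, e.g.: chmod 600 \"$KEY_FILE\""
  fi
}

echo "=== Xenia POS Install ==="
echo ""

# ── 1. Create required directories ──────────────────────────────────────────
echo "[ 1/4 ] Creating directories..."
mkdir -p "$SCRIPT_DIR/data" "$SCRIPT_DIR/certs" "$SCRIPT_DIR/nginx-proxy"

# ── 2. Write nginx-proxy/nginx.conf ─────────────────────────────────────────
# The quoted 'EOF' delimiter stops the shell from expanding $host, $scheme and
# the other nginx variables, so they reach the config file literally.
# NOTE(review): the port-80 redirect and the Host header forwarded upstream
# both use $host, which nginx takes from the request; with `server_name _` any
# Host value is accepted. $proxy_add_x_forwarded_for appends to whatever
# X-Forwarded-For the client sent, so upstream apps should rely on X-Real-IP
# (set from $remote_addr) when they need the peer address.
echo "[ 2/4 ] Writing nginx proxy config..."
cat > "$SCRIPT_DIR/nginx-proxy/nginx.conf" << 'EOF'
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name _;

    ssl_certificate /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://waiter_pwa:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 4443 ssl;
    server_name _;

    ssl_certificate /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://manager_dashboard:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

# ── 3. SSL certificates ─────────────────────────────────────────────────────
echo "[ 3/4 ] Setting up SSL certificates..."
if certs_present; then
  echo " Certificates already exist — skipping."
  warn_if_key_exposed
else
  echo ""
  echo " No certificates found in certs/"
  echo " You need a cert for your domain (e.g. xeniapos.yourdomain.com)."
  echo ""
  echo " Option A — Let's Encrypt (recommended for production):"
  echo " sudo apt install certbot"
  echo " sudo certbot certonly --manual --preferred-challenges dns -d YOUR_DOMAIN"
  echo " sudo cp /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem certs/cert.pem"
  echo " sudo cp /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem certs/key.pem"
  echo ""
  echo " Option B — Self-signed (local testing only, requires CA install on each device):"
  echo " sudo apt install mkcert libnss3-tools"
  echo " mkcert -install"
  echo " mkcert -cert-file certs/cert.pem -key-file certs/key.pem YOUR_IP localhost"
  echo ""
  echo " Add certs then re-run this script, or run: docker compose up -d"
  echo ""
fi

# ── 4. Create placeholder logo if missing ───────────────────────────────────
echo "[ 4/4 ] Checking logo..."
if [ ! -f "$SCRIPT_DIR/logo.png" ]; then
  echo " WARNING: logo.png not found."
  echo " Place your logo at: $SCRIPT_DIR/logo.png"
  echo " Creating placeholder so the stack can start..."
  # Zero-byte file: it only satisfies the existence check, it is not a valid image.
  touch "$SCRIPT_DIR/logo.png"
fi

# ── Done ────────────────────────────────────────────────────────────────────
echo ""
echo "=== Setup complete ==="
echo ""
if certs_present; then
  echo "Starting stack..."
  # Under set -e a failing compose command aborts before the success message.
  docker compose -f "$SCRIPT_DIR/docker-compose.yml" up -d
  echo ""
  echo "Done! Services are running."
else
  echo "Add SSL certificates to certs/ then run:"
  echo " docker compose up -d"
fi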