#!/bin/bash

# Update nginx configuration to properly route management portal API calls

DOMAIN="${DOMAIN:-dev.uggla.uamils.com}"
NGINX_CONFIG="/etc/nginx/sites-enabled/dev.uggla.uamils.com"

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
}

# Check if management server block exists
if ! grep -q "server_name management.$DOMAIN" "$NGINX_CONFIG" 2>/dev/null; then
    log "Adding management subdomain configuration to nginx..."
    
    # Backup current config
    cp "$NGINX_CONFIG" "${NGINX_CONFIG}.backup"
    
    # Add management server block before the wildcard block
    # Find the line with wildcard subdomain and insert before it
    sed -i '/# Wildcard subdomains/i\
# Management Portal (specific subdomain - MUST come before wildcard)\
server {\
    listen 443 ssl http2;\
    server_name management.'$DOMAIN';\
\
    ssl_certificate /etc/letsencrypt/live/'$DOMAIN'/fullchain.pem;\
    ssl_certificate_key /etc/letsencrypt/live/'$DOMAIN'/privkey.pem;\
\
    ssl_protocols TLSv1.2 TLSv1.3;\
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;\
    ssl_prefer_server_ciphers off;\
    ssl_session_cache shared:SSL:10m;\
    ssl_session_timeout 10m;\
    ssl_stapling on;\
    ssl_stapling_verify on;\
\
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;\
    add_header X-Frame-Options DENY always;\
    add_header X-Content-Type-Options nosniff always;\
    add_header X-XSS-Protection "1; mode=block" always;\
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;\
\
    # Management frontend - port 3003\
    location / {\
        proxy_pass http://127.0.0.1:3003;\
        proxy_http_version 1.1;\
        proxy_set_header Upgrade $http_upgrade;\
        proxy_set_header Connection '\''upgrade'\'';\
        proxy_set_header Host $host;\
        proxy_set_header X-Real-IP $remote_addr;\
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\
        proxy_set_header X-Forwarded-Proto $scheme;\
        proxy_cache_bypass $http_upgrade;\
        proxy_connect_timeout 30s;\
        proxy_send_timeout 30s;\
        proxy_read_timeout 30s;\
    }\
\
    # Management API - port 3002 with management header\
    location /api/ {\
        proxy_pass http://127.0.0.1:3002;\
        proxy_http_version 1.1;\
        proxy_set_header Upgrade $http_upgrade;\
        proxy_set_header Connection '\''upgrade'\'';\
        proxy_set_header Host $host;\
        proxy_set_header X-Real-IP $remote_addr;\
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\
        proxy_set_header X-Forwarded-Proto $scheme;\
        proxy_set_header X-Management-Portal "true";\
        proxy_cache_bypass $http_upgrade;\
        proxy_connect_timeout 30s;\
        proxy_send_timeout 30s;\
        proxy_read_timeout 30s;\
    }\
}\
\
' "$NGINX_CONFIG"

    log "Management subdomain configuration added"
else
    log "Management subdomain configuration already exists"
fi

# Test and reload nginx
if nginx -t; then
    log "✅ Nginx configuration is valid"
    systemctl reload nginx
    log "✅ Nginx reloaded"
    log "🌐 Management portal API should now work at: https://management.$DOMAIN/api/"
else
    log "❌ Nginx configuration error - restoring backup"
    cp "${NGINX_CONFIG}.backup" "$NGINX_CONFIG"
    exit 1
fi