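#!/bin/bash
# ============================================================
# Bookworm Portable - HTTPS setup script (P1-1)
# Puts an Nginx HTTPS reverse proxy in front of Gitea.
# ============================================================
# Prerequisites: deploy-gitea.sh has run, Nginx + certbot are installed
# Usage: ssh root@8.138.11.105 'bash -s' < setup-https.sh
#
# Every setting below can be overridden from the environment; the
# defaults are the values this script originally hard-coded.
#   DOMAIN          public host name of the Gitea instance
#   GITEA_PORT      local HTTP port Gitea listens on (127.0.0.1 only)
#   CERTBOT_EMAIL   contact address for Let's Encrypt
#   GITEA_INI       path of Gitea's app.ini
# Exit status: 0 on success; 1 when certbot, nginx -t or the Gitea
# restart fails (set -e aborts on any other failing command).
# ============================================================
set -euo pipefail

DOMAIN="${DOMAIN:-code.letcareme.com}"
GITEA_PORT="${GITEA_PORT:-3300}"
CERTBOT_EMAIL="${CERTBOT_EMAIL:-leesu@letcareme.com}"
GITEA_INI="${GITEA_INI:-/var/lib/gitea/custom/conf/app.ini}"
CERT_DIR="/etc/letsencrypt/live/$DOMAIN"
NGINX_SITE="/etc/nginx/sites-available/gitea.conf"
NGINX_LINK="/etc/nginx/sites-enabled/gitea.conf"
readonly DOMAIN GITEA_PORT CERTBOT_EMAIL GITEA_INI CERT_DIR NGINX_SITE NGINX_LINK

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Set "KEY = VALUE" in a Gitea app.ini.
# An existing *uncommented* "KEY = ..." line is replaced in place;
# otherwise the line is inserted directly after the "[server]" header
# (the header is appended first if the file has none). A commented-out
# ";KEY = ..." line deliberately does NOT count as present, so the
# effective setting is always the one this script wrote.
# Arguments: $1 - ini path, $2 - key, $3 - value
# Returns:   non-zero if the file cannot be read or rewritten
#######################################
set_ini_key() {
  local ini=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$ini"; then
    # '|' as the sed delimiter because ROOT_URL contains '/'.
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$ini"
  else
    grep -q '^\[server\]' "$ini" || printf '\n[server]\n' >> "$ini"
    sed -i "/^\[server\]/a ${key} = ${value}" "$ini"
  fi
}

# GITEA_PORT is interpolated into the nginx config and a sed pattern:
# refuse anything that is not a plain number before touching either.
[[ "$GITEA_PORT" =~ ^[0-9]+$ ]] || die "GITEA_PORT must be numeric, got: $GITEA_PORT"

echo "========================================="
echo " Bookworm HTTPS 配置 v1.0"
echo "========================================="

# 1. Certificate: request one only when the live directory is absent.
if [ ! -d "$CERT_DIR" ]; then
  echo "[1/4] 证书不存在,申请新证书..."
  # </dev/null: the script itself arrives on stdin ('bash -s'), so no
  # child may read from it. set -e aborts the script if certbot fails.
  certbot certonly --nginx -d "$DOMAIN" --non-interactive --agree-tos \
    --email "$CERTBOT_EMAIL" </dev/null
else
  echo "[1/4] 证书已存在: $CERT_DIR"
fi

# 2. Nginx site. Keep a copy of any previous config so a failed
#    'nginx -t' below can restore it instead of leaving the site broken.
echo "[2/4] 配置 Nginx 反代..."
site_backup=""
if [[ -f "$NGINX_SITE" ]]; then
  site_backup=$(mktemp "${NGINX_SITE}.bak.XXXXXX")
  cp -a -- "$NGINX_SITE" "$site_backup"
fi

# Unquoted EOF: $DOMAIN/$CERT_DIR/$GITEA_PORT expand here, while the
# nginx variables are written as \$host etc. so they reach the file literally.
cat > "$NGINX_SITE" << EOF
# Bookworm Gitea - HTTPS 反向代理
server {
    listen 80;
    server_name $DOMAIN;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name $DOMAIN;

    ssl_certificate $CERT_DIR/fullchain.pem;
    ssl_certificate_key $CERT_DIR/privkey.pem;

    # 安全头
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;

    # Git LFS 和大文件上传
    client_max_body_size 512M;

    location / {
        proxy_pass http://127.0.0.1:$GITEA_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # WebSocket 支持 (Gitea 通知)
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF

# Enable the site.
ln -sf "$NGINX_SITE" "$NGINX_LINK"

# 3. Validate, then reload. On failure roll back so the next nginx
#    restart does not fail on a half-written config.
echo "[3/4] 测试 Nginx 配置..."
if ! nginx -t; then
  if [[ -n "$site_backup" ]]; then
    mv -f -- "$site_backup" "$NGINX_SITE"
  else
    rm -f -- "$NGINX_LINK" "$NGINX_SITE"
  fi
  die " [ERROR] Nginx 配置测试失败, 已回滚 gitea.conf"
fi
[[ -n "$site_backup" ]] && rm -f -- "$site_backup"
systemctl reload nginx
echo " [OK] Nginx 已重载"

# 4. Gitea: point ROOT_URL at HTTPS and bind the HTTP listener to
#    loopback only, so the port is reachable solely through nginx.
if [ -f "$GITEA_INI" ]; then
  echo "[4/4] 更新 Gitea ROOT_URL..."
  set_ini_key "$GITEA_INI" HTTP_PORT "$GITEA_PORT"
  set_ini_key "$GITEA_INI" ROOT_URL "https://$DOMAIN/"
  set_ini_key "$GITEA_INI" HTTP_ADDR 127.0.0.1

  systemctl restart gitea
  sleep 2
  if systemctl is-active --quiet gitea; then
    echo " [OK] Gitea 已重启 (端口 $GITEA_PORT, 仅本地监听)"
  else
    echo " [ERROR] Gitea 重启失败"
    # --no-pager: never block on a pager when run non-interactively.
    journalctl -u gitea -n 10 --no-pager
    exit 1
  fi
else
  echo "[4/4] [!] Gitea 配置不存在,请先运行 deploy-gitea.sh"
fi

echo ""
echo "========================================="
echo " HTTPS 配置完成!"
echo "========================================="
echo ""
echo " 访问: https://$DOMAIN"
echo " HTTP → HTTPS 自动跳转: 已启用"
echo " HSTS: 已启用 (1年)"
echo " Gitea 端口: $GITEA_PORT (仅 127.0.0.1)"
echo ""
echo " 证书续期: certbot 已自动配置 cron"
echo " 验证: curl -I https://$DOMAIN"
echo "========================================="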