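#!/bin/bash
# HTTPS setup for nexus.noveria.net
# Run this on the VPS HOST!
#
# Flow:
#   1. Install an HTTP-only nginx vhost (no SSL reference yet, so nginx can
#      start before a certificate exists).
#   2. Open ports 80/443 in ufw, if ufw is installed.
#   3. Probe the site over plain HTTP (informational only).
#   4. Obtain a Let's Encrypt certificate via the webroot challenge.
#   5. Replace the vhost with the HTTPS version and reload nginx.
#
# Environment:
#   CERTBOT_EMAIL  Contact address for Let's Encrypt (optional; defaults to
#                  the address the script has always used).
set -euo pipefail

readonly SITE_AVAILABLE=/etc/nginx/sites-available/nexus.noveria.net
readonly SITE_ENABLED_DIR=/etc/nginx/sites-enabled/
readonly SITE_BACKUP="${SITE_AVAILABLE}.http-only"
readonly CERTBOT_EMAIL="${CERTBOT_EMAIL:-vmbao62@hotmail.de}"

# Print a message to stderr and abort the script.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Validate the complete nginx configuration and reload only if it parses.
# A bare `nginx -t && systemctl reload nginx` does NOT trip `set -e` when
# `nginx -t` fails (only the last command of an AND-list is checked), which
# would let the script print a success message on top of a broken config.
# Returns: 0 if the config is valid and the reload succeeded, 1 otherwise.
reload_nginx() {
  sudo nginx -t || return 1
  sudo systemctl reload nginx || return 1
}

echo "=== HTTPS Setup für nexus.noveria.net ==="

# 1. Roll out the HTTP-only config first (no SSL reference!)
echo "[1/5] Installiere HTTP-only Nginx-Config..."
# NOTE(review): X-Forwarded-For is built with $proxy_add_x_forwarded_for,
# which appends to whatever the client sent. The backend must not treat the
# left-most entries as trustworthy; X-Real-IP is taken from $remote_addr.
# NOTE(review): the upstream on 127.0.0.1:18880 should stay bound to
# loopback, otherwise it could be reached without passing through nginx —
# confirm on the host.
sudo tee "$SITE_AVAILABLE" > /dev/null << 'NGINXEOF'
server {
    listen 80;
    server_name nexus.noveria.net;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        proxy_pass http://127.0.0.1:18880;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
NGINXEOF
sudo ln -sf "$SITE_AVAILABLE" "$SITE_ENABLED_DIR"
reload_nginx || die " ❌ nginx-Test oder Reload fehlgeschlagen – HTTP-Config prüfen"
echo " ✅ HTTP-Config aktiv"

# 2. Firewall
echo "[2/5] Firewall..."
if command -v ufw &>/dev/null; then
  # Best effort: a failure here does not abort the setup, but it is reported
  # instead of being hidden behind an unconditional success message.
  ufw_ok=1
  sudo ufw allow 80/tcp || ufw_ok=0
  sudo ufw allow 443/tcp || ufw_ok=0
  if (( ufw_ok )); then
    echo " ✅ ufw: 80+443 offen"
  else
    echo " ⚠️ ufw-Regeln konnten nicht gesetzt werden – Firewall manuell prüfen" >&2
  fi
else
  echo " ⏭ ufw nicht installiert"
fi

# 3. HTTP test (informational; certbot in step 4 is the authoritative check)
echo "[3/5] Teste HTTP..."
sleep 1
# curl prints 000 and exits non-zero when no HTTP response was received;
# `|| true` keeps that from silently killing the script under `set -e`.
STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 15 http://nexus.noveria.net) || true
echo " HTTP-Status: $STATUS"
if [[ -z "$STATUS" || "$STATUS" == "000" ]]; then
  echo " ⚠️ Keine HTTP-Antwort – DNS/Firewall prüfen, ACME-Challenge könnte scheitern" >&2
fi

# 4. Obtain the certificate
echo "[4/5] Fordere Let's-Encrypt-Zertifikat an..."
# NOTE(review): with `certonly --webroot`, nginx keeps serving the old
# certificate after a renewal until it is reloaded. Consider registering a
# reload via certbot's --deploy-hook so renewals take effect automatically.
sudo certbot certonly --webroot -w /var/www/html -d nexus.noveria.net \
  --non-interactive --agree-tos --email "$CERTBOT_EMAIL" 2>&1 || {
  echo " ⚠️ certbot fehlgeschlagen – manuell nachholen:"
  echo " sudo certbot --nginx -d nexus.noveria.net"
  exit 1
}
echo " ✅ Zertifikat erhalten"

# 5. Roll out the HTTPS config
echo "[5/5] Aktiviere HTTPS-Config..."
# Keep the working HTTP-only vhost so it can be restored if the new config
# does not validate; a broken file left in place would make the next nginx
# reload or restart fail.
sudo cp -p -- "$SITE_AVAILABLE" "$SITE_BACKUP"
# NOTE(review): no ssl_protocols/ssl_ciphers are set here, so the TLS policy
# is whatever nginx.conf or the nginx built-in defaults provide — verify it.
# NOTE(review): HSTS with max-age=63072000 (two years) takes effect on the
# first HTTPS response; browsers that saw it will refuse plain HTTP for this
# host for that long, so the certificate renewal path must be reliable.
# NOTE(review): `listen ... http2` is deprecated in newer nginx releases in
# favour of a separate `http2 on;` directive — check the installed version.
# All three security headers carry `always` so they are also sent on error
# responses (previously only the HSTS header did).
sudo tee "$SITE_AVAILABLE" > /dev/null << 'NGINXSSL'
server {
    listen 80;
    server_name nexus.noveria.net;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name nexus.noveria.net;

    ssl_certificate /etc/letsencrypt/live/nexus.noveria.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nexus.noveria.net/privkey.pem;

    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    client_max_body_size 16m;

    location / {
        proxy_pass http://127.0.0.1:18880;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
NGINXSSL
if ! reload_nginx; then
  # The running nginx still serves the HTTP-only config; put the file back
  # so later reloads do not pick up the rejected version.
  sudo mv -f -- "$SITE_BACKUP" "$SITE_AVAILABLE"
  die " ❌ nginx-Test oder Reload fehlgeschlagen – HTTP-only-Config wiederhergestellt"
fi
sudo rm -f -- "$SITE_BACKUP"
echo " ✅ HTTPS aktiv"

# Final probe over HTTPS (informational)
echo ""
sleep 2
curl -s -o /dev/null -w "HTTPS-Status: %{http_code}\n" --max-time 15 https://nexus.noveria.net \
  || echo " ⚠️ HTTPS-Test fehlgeschlagen – Erreichbarkeit von außen prüfen" >&2
echo ""
echo "=== Fertig ==="
echo "Nexus: https://nexus.noveria.net"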