#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
cd "$SCRIPT_DIR"

# ── Load .env ──────────────────────────────────────────────────────────────────
if [ -f .env ]; then
    set -a; source .env; set +a
fi

DOMAIN_SUFFIX="${DOMAIN_SUFFIX:-}"
ACME_EMAIL="${ACME_EMAIL:-}"

# ── Validate ───────────────────────────────────────────────────────────────────
if [ -z "$DOMAIN_SUFFIX" ] || [ "$DOMAIN_SUFFIX" = "localhost" ]; then
    echo "ERROR: Set DOMAIN_SUFFIX to your real domain in infra/.env"
    exit 1
fi

if [ -z "$ACME_EMAIL" ]; then
    echo "ERROR: Set ACME_EMAIL in infra/.env (required for Let's Encrypt)"
    exit 1
fi

# ── Generate production caddy.json ─────────────────────────────────────────────
# Writes TLS-enabled config using Let's Encrypt (no Cloudflare required).
# Caddy will use the HTTP-01 challenge (port 80) or TLS-ALPN-01 (port 443).
cat > "$SCRIPT_DIR/../proxy/caddy.json" <<EOF
{
  "admin": { "listen": "0.0.0.0:2019" },
  "apps": {
    "tls": {
      "automation": {
        "policies": [{
          "subjects": ["${DOMAIN_SUFFIX}"],
          "issuers": [{"module": "acme", "email": "${ACME_EMAIL}"}]
        }]
      }
    },
    "http": {
      "servers": {
        "hiy": {
          "listen": [":80", ":443"],
          "automatic_https": {},
          "routes": [
            {
              "match": [{"host": ["${DOMAIN_SUFFIX}"]}],
              "handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "server:3000"}]}]
            }
          ]
        }
      }
    }
  }
}
EOF

echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"

# ── Build images ───────────────────────────────────────────────────────────────
make build

# ── Start services (detached) ──────────────────────────────────────────────────
docker compose up -d