#!/bin/bash
#
# CaStAD1 Nginx 설정 스크립트
# 도메인: castad1.ktenterprise.net
# 포트: 3001 (백엔드), 5003 (Instagram)
#

# 색상
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'

log() { echo -e "${GREEN}[Setup]${NC} $1"; }
error() { echo -e "${RED}[ERROR]${NC} $1"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

# root 권한 확인
if [ "$EUID" -ne 0 ]; then
    error "이 스크립트는 sudo로 실행해야 합니다"
    echo "사용법: sudo ./setup-nginx-castad1.sh"
    exit 1
fi

log "CaStAD1 Nginx 설정을 시작합니다..."

# nginx 설정 파일 생성
NGINX_CONF="/etc/nginx/sites-available/castad1"

log "nginx 설정 파일 생성 중: $NGINX_CONF"

cat > "$NGINX_CONF" << 'EOF'
# ============================================
# CaStAD1 Nginx Configuration
# Domain: castad1.ktenterprise.net
# Port: 3001 (backend), 5003 (instagram)
# ============================================

upstream castad1_backend {
    server 127.0.0.1:3001;
    keepalive 64;
}

upstream castad1_instagram {
    server 127.0.0.1:5003;
    keepalive 32;
}

# HTTP → HTTPS 리다이렉트
server {
    listen 80;
    listen [::]:80;
    server_name castad1.ktenterprise.net;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS 서버
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name castad1.ktenterprise.net;

    # SSL 인증서
    ssl_certificate /etc/letsencrypt/live/castad1.ktenterprise.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/castad1.ktenterprise.net/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;

    # 보안 헤더
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # 로그
    access_log /var/log/nginx/castad1_access.log;
    error_log /var/log/nginx/castad1_error.log;

    # 파일 업로드 크기
    client_max_body_size 500M;
    client_body_timeout 300s;

    # 정적 파일 (프론트엔드) - castad1 디렉토리
    root /home/developer/castad1/dist;
    index index.html;

    # Gzip
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml;

    # 정적 자원 캐싱
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        try_files $uri =404;
    }

    # API 요청
    location /api/ {
        proxy_pass http://castad1_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 300s;
    }

    # Instagram API
    location /instagram/ {
        proxy_pass http://castad1_instagram/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 120s;
    }

    # 렌더링 요청 (긴 타임아웃)
    location /render {
        proxy_pass http://castad1_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 600s;
        proxy_buffering off;
    }

    # 다운로드/업로드/임시 파일
    location ~ ^/(downloads|temp|uploads)/ {
        proxy_pass http://castad1_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # SPA 라우팅
    location / {
        try_files $uri $uri/ /index.html;
    }
}
EOF

log "nginx 설정 파일 생성 완료"

# 심볼릭 링크 생성
LINK_PATH="/etc/nginx/sites-enabled/castad1"
if [ -L "$LINK_PATH" ]; then
    warn "심볼릭 링크가 이미 존재합니다. 재생성합니다..."
    rm "$LINK_PATH"
fi

ln -s "$NGINX_CONF" "$LINK_PATH"
log "심볼릭 링크 생성 완료"

# nginx 설정 테스트
log "nginx 설정 테스트 중..."
if nginx -t; then
    log "nginx 설정 테스트 통과"
else
    error "nginx 설정 테스트 실패!"
    exit 1
fi

# nginx 재시작
log "nginx 재시작 중..."
systemctl reload nginx
log "nginx 재시작 완료"

echo ""
echo -e "${GREEN}╔════════════════════════════════════════════════════════════╗${NC}"
echo -e "${GREEN}║     CaStAD1 Nginx 설정 완료!                               ║${NC}"
echo -e "${GREEN}╠════════════════════════════════════════════════════════════╣${NC}"
echo -e "${GREEN}║  도메인: https://castad1.ktenterprise.net                  ║${NC}"
echo -e "${GREEN}║  백엔드: 127.0.0.1:3001                                    ║${NC}"
echo -e "${GREEN}║  Instagram: 127.0.0.1:5003                                 ║${NC}"
echo -e "${GREEN}║  정적파일: /home/developer/castad1/dist                    ║${NC}"
echo -e "${GREEN}╚════════════════════════════════════════════════════════════╝${NC}"
echo ""