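#!/bin/bash
# Production Setup Script
#
# Wraps the existing helper scripts so they operate on the production
# environment file instead of the local one:
#   1. Generates production secrets when the production .env is missing or
#      still contains a CHANGE_ME placeholder.
#   2. Exports the production environment and runs the Authentik setup scripts.
#
# Usage: run from anywhere; the script changes to the project root itself.
#
# Security notes:
#   - infra/environments/production/.env holds secrets. This script keeps it
#     at mode 600 and executes it as shell code via `source`, so it must only
#     be writable by the operator running this script.
#   - Do not run with `bash -x` / `set -x`: the trace would print the secrets
#     that are sourced and exported below.

set -euo pipefail

# Colors, stored as real escape bytes so they can be printed with printf '%s'.
GREEN=$'\033[0;32m'
BLUE=$'\033[0;34m'
NC=$'\033[0m'

# Lower-case names so they cannot collide with keys defined in the .env file.
prod_env="infra/environments/production/.env"
local_env="infra/environments/local/.env"
local_env_backup=""

#######################################
# Put the developer's local .env back in place after generate-secrets.sh has
# written over it. Safe to call more than once.
# Globals:   local_env (read), local_env_backup (read, cleared)
# Arguments: none
# Returns:   status of mv, or 0 when there is nothing to restore
#######################################
restore_local_env() {
  if [ -n "$local_env_backup" ] && [ -f "$local_env_backup" ]; then
    mv -f -- "$local_env_backup" "$local_env"
  fi
  local_env_backup=""
}

# Ensure we are in the project root
cd -- "$(dirname -- "$0")/.."

# 1. Generate secrets if needed
if [ ! -f "$prod_env" ] || grep -q "CHANGE_ME" "$prod_env"; then
  printf '%s\n' "${BLUE}🔐 Generating production secrets...${NC}"

  # generate-secrets.sh writes to infra/environments/local/.env and takes no
  # output-file argument, so: back up the local file, run the generator, move
  # its result to production, then restore the local file.
  if [ -f "$local_env" ]; then
    # Unique backup name: a fixed ".env.bak" left behind by a failed run would
    # be overwritten on the next run and the original local file lost.
    local_env_backup=$(mktemp "${local_env}.bak.XXXXXX")
    cp -p -- "$local_env" "$local_env_backup"
  fi
  # Restore the local file even if a step below fails under `set -e`.
  trap restore_local_env EXIT

  ./scripts/generate-secrets.sh

  mkdir -p -- "$(dirname -- "$prod_env")"

  # A single leftover CHANGE_ME replaces the whole production file, including
  # secrets that may already be in use. Keep a private copy of the old file so
  # the previous values can be recovered.
  if [ -f "$prod_env" ]; then
    prod_env_backup=$(mktemp "${prod_env}.bak.XXXXXX")
    cp -- "$prod_env" "$prod_env_backup"
    chmod 600 "$prod_env_backup"
    printf '%s\n' "Previous production .env saved to ${prod_env_backup} (contains secrets; keep it out of version control)" >&2
  fi

  mv -- "$local_env" "$prod_env"
  # Secrets file: readable and writable by the owner only.
  chmod 600 "$prod_env"

  restore_local_env
  trap - EXIT

  # Update DOMAIN and EMAIL in the production .env. Dots in the search pattern
  # are escaped so they match literally; the match is not anchored, so it
  # applies anywhere in a line, as before.
  sed -i \
    -e 's/DOMAIN=local\.lan/DOMAIN=app.harkon.co.uk/g' \
    -e 's/EMAIL=admin@local\.lan/EMAIL=admin@harkon.co.uk/g' \
    "$prod_env"
  # sed -i rewrites the file; re-assert the restrictive mode.
  chmod 600 "$prod_env"

  if grep -q "CHANGE_ME" "$prod_env"; then
    printf '%s\n' "warning: ${prod_env} still contains CHANGE_ME placeholders; the next run of this script will regenerate and replace the file" >&2
  fi

  printf '%s\n' "${GREEN}✅ Production secrets generated in infra/environments/production/.env${NC}"
else
  printf '%s\n' "${GREEN}✅ Production secrets already exist${NC}"
fi

# 2. Setup Authentik
# Export the production env vars so the helper scripts pick them up.
# NOTE: `source` executes the file as shell code; see the security notes above.
set -a
# shellcheck disable=SC1090
source "$prod_env"
set +a

# Override specific variables for the scripts
export ENV_FILE="$prod_env"
export DOMAIN="app.harkon.co.uk"
export BOOTSTRAP_FILE="infra/base/authentik/bootstrap-prod.yaml"

printf '%s\n' "${BLUE}🔧 Running Authentik Setup for Production...${NC}"
printf '%s\n' "${BLUE}🌍 Domain: ${DOMAIN}${NC}"

# Run complete-authentik-setup (gets token)
./scripts/complete-authentik-setup.sh

# Run setup-authentik (imports blueprint)
./scripts/setup-authentik.sh

printf '%s\n' "${GREEN}🎉 Production setup complete!${NC}"
printf '%s\n' "${BLUE}🔗 Access URLs:${NC}"
printf '%s\n' " • Authentik Admin: ${BLUE}https://auth.${DOMAIN}${NC}"
printf '%s\n' " • API Gateway: ${BLUE}https://api.${DOMAIN}${NC}"
printf '%s\n' " • Grafana: ${BLUE}https://grafana.${DOMAIN}${NC}"
printf '%s\n' " • Review Portal: ${BLUE}https://review.${DOMAIN}${NC}"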