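#!/bin/bash
# Set up HTTPS on Oracle with Caddy + nip.io (free, no domain needed)
# Run from Mac: ssh -i ~/AXIOM/oracle_key opc@150.136.122.123 "bash /home/opc/AXIOM/setup-https.sh"
#
# Environment overrides (all optional):
#   ORACLE_IP  public IP of the host; becomes the <ip>.nip.io hostname (default below)
#   APP_PORT   local port Caddy proxies to (default 8080)
#
# Steps: install Caddy (package or direct-binary fallback), write the
# Caddyfile, open 80/443 in the OS firewall, enable+restart the service.

set -euo pipefail

ORACLE_IP="${ORACLE_IP:-150.136.122.123}"
APP_PORT="${APP_PORT:-8080}"
readonly ORACLE_IP APP_PORT

#######################################
# Print a message to stderr and exit non-zero.
#######################################
die() {
    printf 'error: %s\n' "$*" >&2
    exit 1
}

#######################################
# Map the kernel's machine name to the arch token used by the Caddy
# download API. Oracle free-tier hosts are often aarch64, so the fallback
# install must not hard-code amd64.
# Outputs: "amd64" or "arm64" on stdout
# Returns: 1 for an unsupported architecture
#######################################
caddy_arch() {
    case "$(uname -m)" in
        x86_64)  printf 'amd64' ;;
        aarch64) printf 'arm64' ;;
        *)       return 1 ;;
    esac
}

#######################################
# Fallback: fetch the Caddy binary directly and create the caddy user,
# /etc/caddy and a systemd unit, since no package manager set them up.
# Globals: none
# Returns: 0 on success, exits via die() on download failure
#######################################
install_caddy_binary() {
    local arch tmp
    arch=$(caddy_arch) || die "unsupported architecture: $(uname -m)"
    tmp=$(mktemp) || die "mktemp failed"
    # -f: an HTTP error must not leave an error page on disk as "caddy".
    # NOTE(review): this trusts the TLS connection to caddyserver.com only;
    # no checksum/signature of the downloaded binary is verified here.
    curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=${arch}" -o "$tmp" \
        || { rm -f -- "$tmp"; die "Caddy download failed"; }
    sudo install -m 0755 -o root -g root "$tmp" /usr/bin/caddy
    rm -f -- "$tmp"

    # Best-effort: the group/user may already exist from an earlier run.
    sudo groupadd --system caddy 2>/dev/null || true
    sudo useradd --system --gid caddy --create-home --home-dir /var/lib/caddy \
        --shell /usr/sbin/nologin caddy 2>/dev/null || true
    sudo mkdir -p /etc/caddy

    # Unprivileged service; CAP_NET_BIND_SERVICE is what lets it bind 80/443.
    # PrivateTmp/ProtectSystem/ProtectHome limit what a compromised proxy can touch.
    sudo tee /etc/systemd/system/caddy.service > /dev/null << 'CADDYSVC'
[Unit]
Description=Caddy
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
CADDYSVC
    sudo systemctl daemon-reload
}

#######################################
# Install Caddy via the COPR repo (Oracle Linux / RHEL); fall back to a
# direct binary install if the package route leaves no `caddy` on PATH.
#######################################
install_caddy() {
    if command -v caddy &> /dev/null; then
        echo "[1] Caddy already installed."
        return 0
    fi
    echo "[1] Installing Caddy..."
    # Package route is best-effort (hence || true): failure falls through
    # to the binary install below rather than aborting under set -e.
    sudo yum install -y yum-utils 2>/dev/null || true
    sudo dnf install -y 'dnf-command(copr)' 2>/dev/null || true
    sudo dnf copr enable -y @caddy/caddy 2>/dev/null || true
    sudo dnf install -y caddy 2>/dev/null || true
    if ! command -v caddy &> /dev/null; then
        install_caddy_binary
    fi
    echo "    Caddy installed."
}

#######################################
# Write the Caddyfile: TLS-terminating reverse proxy for <ip>.nip.io.
# Globals: ORACLE_IP, APP_PORT (read)
#######################################
configure_caddy() {
    echo "[2] Configuring Caddy..."
    sudo tee /etc/caddy/Caddyfile > /dev/null << CADDYEOF
${ORACLE_IP}.nip.io {
    reverse_proxy localhost:${APP_PORT}
}
CADDYEOF
}

#######################################
# Allow inbound TCP on one port. Prefers firewalld when it is running
# (the Oracle Linux / RHEL default); otherwise inserts an iptables rule
# and tries to persist it.
# Arguments: $1 - TCP port number
#######################################
open_port() {
    local port=$1
    if command -v firewall-cmd > /dev/null 2>&1 && sudo firewall-cmd --state > /dev/null 2>&1; then
        sudo firewall-cmd --permanent --add-port="${port}/tcp" > /dev/null
        sudo firewall-cmd --reload > /dev/null
        return 0
    fi
    # -C succeeds if an identical rule is already present; only insert once.
    if ! sudo iptables -C INPUT -p tcp --dport "$port" -j ACCEPT 2>/dev/null; then
        sudo iptables -I INPUT -p tcp --dport "$port" -j ACCEPT
        # Persistence paths differ per distro; warn (don't abort) if none works,
        # since the rule is live either way until the next reboot.
        sudo sh -c "iptables-save > /etc/iptables/rules.v4" 2>/dev/null \
            || sudo netfilter-persistent save 2>/dev/null \
            || printf '    warning: could not persist iptables rule for port %s; it will not survive a reboot.\n' "$port" >&2
    fi
}

#######################################
# Enable + restart Caddy and report the resulting URL.
# Globals: ORACLE_IP (read)
#######################################
start_caddy() {
    echo "[4] Starting Caddy..."
    sudo systemctl enable caddy
    sudo systemctl restart caddy

    # Give the service a moment to come up (and begin ACME issuance).
    sleep 3

    if systemctl is-active --quiet caddy; then
        echo ""
        echo "═══════════════════════════════════════════"
        echo "  HTTPS is LIVE!"
        echo ""
        echo "  https://${ORACLE_IP}.nip.io/axiom-alpaca.html"
        echo ""
        echo "  Open that URL on your phone!"
        echo "═══════════════════════════════════════════"
        echo ""
    else
        echo ""
        echo "Caddy may need a moment. Check: sudo systemctl status caddy"
        echo "URL will be: https://${ORACLE_IP}.nip.io/axiom-alpaca.html"
        echo ""
    fi
}

main() {
    echo ""
    echo "Setting up HTTPS for AXIOM..."
    echo ""

    install_caddy
    configure_caddy

    echo "[3] Opening port 443..."
    open_port 443
    # Port 80 is needed for the Let's Encrypt HTTP-01 challenge.
    open_port 80

    start_caddy
}

main "$@"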