#!/usr/bin/env bash
# onx-vhost-add — Create a web server vhost from template (dispatcher).
#
# Driver-aware: the 'server' field selects the engine. nginx/caddy/openlitespeed
# requests are delegated to the matching onx-vhost-add-<driver> sub-script;
# 'apache' (or no server field) continues with the Apache flow in this file.
# System subdomain mode (webmail_proxy, panel_redirect, webdisk, mail_autoconfig)
# is delegated the same way since v82.1 — only the Apache templates live here.
#
# Input (stdin JSON):
#   server               string   apache | nginx | caddy | openlitespeed | litespeed  (default: apache)
#   username             string   Linux username (onx_xxx)
#   domain               string   Primary ServerName
#   server_aliases       array    Additional ServerAlias entries (optional)
#   doc_root             string   DocumentRoot path
#   php_version          string   "8.1", "8.2", "8.3", etc.
#   ssl_enabled          bool     Include SSL VirtualHost block?
#   cert_path            string   Fullchain PEM (required if ssl_enabled)
#   key_path             string   Private key PEM (required if ssl_enabled)
#   reverse_proxy        bool     Nginx önde + Apache arkada modu (Nginx-only)
#
#   --- System subdomain mode (cPanel-style; Apache templates are in this file, other drivers render their own) ---
#   is_system_subdomain  bool     If true, use a system subdomain template instead of normal vhost.
#   subdomain_type       string   webmail_proxy | panel_redirect | webdisk | mail_autoconfig
#   parent_domain        string   The owning domain (used for cert path and ServerAdmin).
#   proxy_pass           string   (optional) Upstream URL for reverse proxy templates — read but not used by the Apache templates in this file.
#   redirect_to          string   (optional) Target URL for panel_redirect template.
#
# Output (stdout JSON) — keys differ by branch:
#   normal vhost:      {"vhost_path":..., "reloaded":true, "ssl_enabled":..., "server":"apache"}
#   system subdomain:  {"vhost_path":..., "reloaded":true, "ssl_enabled":..., "is_system_subdomain":true, "subdomain_type":..., "parent_domain":...}
#
# Exit codes: 0=ok 1=invalid-input 2=preflight-fail 3=exec-fail 4=rolled-back
#
# Deployed to: /usr/local/onoxsoft/bin/onx-vhost-add

set -euo pipefail

# Directory this script lives in (symlinks resolved): the shared helper library
# and the driver sub-scripts (onx-vhost-add-<driver>) are located relative to it.
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
# shellcheck source=_lib/common.sh
source "${SCRIPT_DIR}/_lib/common.sh"

# ── Constants ────────────────────────────────────────────────────────────────
TEMPLATE_PATH="/usr/local/onoxsoft/templates/vhost.conf.stub"
VHOST_DIR="/etc/httpd/conf.d/sites"
ACME_WEBROOT="/var/lib/letsencrypt/.well-known/acme-challenge"
ROUNDCUBE_PATH="/usr/share/roundcubemail"
AUTODISCOVER_PATH="/usr/local/onoxsoft/autodiscover"

# ── Read & parse stdin ───────────────────────────────────────────────────────
# The request is one JSON document on stdin. It is read once; when dispatching
# to a driver sub-script the same bytes are forwarded unchanged.
INPUT=$(cat)

onx_require_json "${INPUT}"

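# ── Dispatcher: hand off to a driver sub-script when server != apache ────────
SERVER=$(onx_json_get "${INPUT}" "server" "apache")

# v82.1: system subdomains (webmail_proxy/panel_redirect/webdisk/mail_autoconfig)
# are handled by every driver — each sub-script renders them in its own format
# (Caddyfile / nginx.conf / OLS vhconf). Earlier versions skipped dispatch for
# them and wrote an Apache vhost, which answered 502 while Apache was inactive.
# (The former IS_SYSTEM_SUBDOMAIN_PRECHECK variable was a leftover of that
# behaviour and was never read; the flag is parsed as IS_SYSTEM_SUBDOMAIN below.)
#
# Map the requested server to a sub-script suffix; an empty suffix means this
# script continues with the Apache flow.
case "${SERVER}" in
  apache)                  SUB_DRIVER="" ;;
  nginx)                   SUB_DRIVER="nginx" ;;
  caddy)                   SUB_DRIVER="caddy" ;;
  openlitespeed|litespeed) SUB_DRIVER="ols" ;;
  *)
    onx_die 1 "unknown server: ${SERVER} (expected: apache|nginx|caddy|openlitespeed|litespeed)"
    ;;
esac

if [[ -n "${SUB_DRIVER}" ]]; then
  SUB_SCRIPT="${SCRIPT_DIR}/onx-vhost-add-${SUB_DRIVER}"
  [[ -x "${SUB_SCRIPT}" ]] || onx_die 2 "${SUB_DRIVER} sub-script not found or not executable: ${SUB_SCRIPT}"
  # v3.37: do NOT `exec` here. Inside a pipeline `exec` only replaces the
  # pipeline's subshell, so the parent fell through into the Apache flow once
  # the sub-script finished (and then failed on "systemctl reload httpd").
  # Run it normally and exit with its status; set -e/pipefail already abort
  # this script on a non-zero sub-script exit.
  printf '%s' "${INPUT}" | "${SUB_SCRIPT}"
  exit $?
fi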

# ── Request fields (Apache flow) ─────────────────────────────────────────────
# Core vhost parameters.
USERNAME=$(onx_json_get    "${INPUT}" "username")
DOMAIN=$(onx_json_get      "${INPUT}" "domain")
DOC_ROOT=$(onx_json_get    "${INPUT}" "doc_root")
PHP_VERSION=$(onx_json_get "${INPUT}" "php_version" "8.2")

# TLS material; the paths are checked further down once SSL_ENABLED is known.
SSL_ENABLED=$(onx_json_get_bool "${INPUT}" "ssl_enabled" "false")
CERT_PATH=$(onx_json_get        "${INPUT}" "cert_path" "")
KEY_PATH=$(onx_json_get         "${INPUT}" "key_path" "")

# System subdomain mode (webmail / panel redirect / webdisk / mail autoconfig).
IS_SYSTEM_SUBDOMAIN=$(onx_json_get_bool "${INPUT}" "is_system_subdomain" "false")
SUBDOMAIN_TYPE=$(onx_json_get           "${INPUT}" "subdomain_type" "default")
PARENT_DOMAIN=$(onx_json_get            "${INPUT}" "parent_domain" "")
PROXY_PASS=$(onx_json_get               "${INPUT}" "proxy_pass" "")   # part of the input contract; no Apache template below uses it
REDIRECT_TO=$(onx_json_get              "${INPUT}" "redirect_to" "")

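# ── Input validation ─────────────────────────────────────────────────────────
# Every value checked here ends up in file-system paths and/or inside the
# generated httpd config, so reject anything that is not strictly shaped.
onx_validate_username "${USERNAME}"
onx_validate_domain "${DOMAIN}"

# parent_domain is optional, but when present it becomes a path component under
# /etc/letsencrypt/live/ and a line in the vhost file — same rules as the
# primary name.
[[ -z "${PARENT_DOMAIN}" ]] || onx_validate_domain "${PARENT_DOMAIN}"

[[ -n "${DOC_ROOT}" ]] || onx_die 1 "doc_root is required"
# doc_root is written into DocumentRoot/<Directory> directives and used in
# mkdir/chown: require an absolute path with no '..' component and no
# whitespace, quotes or control characters, so it can neither escape the
# allowed trees nor inject further directives.
doc_root_bad_re="[[:space:][:cntrl:]\"'\\]"
if [[ "${DOC_ROOT}" != /* ]]; then
  onx_die 1 "doc_root must be an absolute path: ${DOC_ROOT}"
fi
if [[ "${DOC_ROOT}" =~ ${doc_root_bad_re} ]]; then
  onx_die 1 "doc_root contains whitespace, quotes or control characters: ${DOC_ROOT}"
fi
if [[ "${DOC_ROOT}/" == */../* ]]; then
  onx_die 1 "doc_root must not contain '..': ${DOC_ROOT}"
fi

# php_version is embedded in the php-fpm socket path and the Remi layout path;
# only "X.Y" is acceptable.
if [[ ! "${PHP_VERSION}" =~ ^[0-9]+\.[0-9]+$ ]]; then
  onx_die 1 "php_version must look like X.Y (got: ${PHP_VERSION})"
fi

# php_version "8.2" → "82" (used in paths like php82-php-fpm)
PHP_VERSION_NODOT="${PHP_VERSION//./}"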

# ── v88: PHP version preflight ──────────────────────────────────────────────
# In production the panel once defaulted to '8.4' while 8.4 was not installed:
# the vhost pointed at /var/opt/remi/php84/run/php-fpm/<user>.sock, the socket
# did not exist and Apache answered 502. Verify the Remi modular layout for the
# requested version exists before anything is written.
REMI_PHP_DIR="/etc/opt/remi/php${PHP_VERSION_NODOT}"
if [[ ! -d "${REMI_PHP_DIR}" ]]; then
  # Collect the installed versions ("php82" → "8.2") for a precise error
  # message. Runs in a subshell so nullglob does not leak into the script.
  INSTALLED_PHP=$(
    shopt -s nullglob
    found=()
    for remi_dir in /etc/opt/remi/php*; do
      [[ -d "${remi_dir}" ]] || continue
      digits="${remi_dir##*/php}"
      (( ${#digits} >= 2 )) || continue
      found+=("${digits:0:1}.${digits:1}")
    done
    printf '%s' "${found[*]:-}"
  )
  onx_die 2 "PHP ${PHP_VERSION} sunucuda kurulu değil (beklenen: ${REMI_PHP_DIR}). Kurulu versiyonlar: ${INSTALLED_PHP:-(yok)}"
fi

# ── Preflight ────────────────────────────────────────────────────────────────
# Environment checks independent of the request: the vhost directory and
# apachectl must exist for any Apache flow.
if [[ ! -d "${VHOST_DIR}" ]]; then
  onx_die 2 "vhost directory not found: ${VHOST_DIR}"
fi
if ! command -v apachectl >/dev/null 2>&1; then
  onx_die 2 "apachectl not found"
fi

# Resolve the real home through the helper (getent-based per its comment) —
# the fleet mixes /home/users/ and /home/, so the layout is never assumed.
# An empty string means it could not be resolved.
USER_HOME=$(onx_resolve_home "${USERNAME}" 2>/dev/null || echo "")

# A normal (non-system) vhost needs both the template and an existing home.
if [[ "${IS_SYSTEM_SUBDOMAIN}" != "true" ]]; then
  if [[ ! -f "${TEMPLATE_PATH}" ]]; then
    onx_die 2 "vhost template not found: ${TEMPLATE_PATH}"
  fi
  if [[ -z "${USER_HOME}" || ! -d "${USER_HOME}" ]]; then
    onx_die 2 "home directory not found for ${USERNAME} (getent home: ${USER_HOME:-EMPTY})"
  fi
fi

# System subdomains may be created before the home is resolvable; fall back to
# the conventional layout so log paths can still be rendered.
if [[ -z "${USER_HOME}" ]]; then
  USER_HOME="/home/users/${USERNAME}"
fi

if [[ "${SSL_ENABLED}" == "true" ]]; then
  [[ -n "${CERT_PATH}" ]] || onx_die 1 "cert_path required when ssl_enabled"
  [[ -n "${KEY_PATH}" ]]  || onx_die 1 "key_path required when ssl_enabled"
  [[ -f "${CERT_PATH}" ]] || onx_die 2 "cert_path does not exist: ${CERT_PATH}"
  [[ -f "${KEY_PATH}" ]]  || onx_die 2 "key_path does not exist: ${KEY_PATH}"
fi

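# ── Fallback self-signed cert ─────────────────────────────────────────────────
# With ssl_enabled=false the :443 vhost below still needs a certificate,
# otherwise HTTPS requests land on Apache's default catch-all ("Index of /").
# The site is served under a self-signed cert instead (browser warning, same
# content). Generated once. The key is created under umask 077 so it is never,
# even briefly, world-readable before the chmod.
FALLBACK_CERT="/etc/pki/tls/certs/onoxsoft-fallback.crt"
FALLBACK_KEY="/etc/pki/tls/private/onoxsoft-fallback.key"
if [[ ! -f "${FALLBACK_CERT}" || ! -f "${FALLBACK_KEY}" ]]; then
  if ! (
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -subj "/CN=onoxsoft-fallback-selfsigned/O=ONOXSOFT/C=TR" \
      -addext "subjectAltName=DNS:*.onoxsoft.invalid" \
      -keyout "${FALLBACK_KEY}" -out "${FALLBACK_CERT}" 2>/dev/null
  ); then
    # Still best-effort, but say so: a missing fallback cert otherwise surfaces
    # later as an opaque "apachectl configtest failed" when ssl_enabled=false.
    onx_log "WARNING: could not generate fallback self-signed cert at ${FALLBACK_CERT}; the :443 vhost will fail configtest when ssl_enabled=false"
  fi
  chmod 0600 "${FALLBACK_KEY}"  2>/dev/null || true
  chmod 0644 "${FALLBACK_CERT}" 2>/dev/null || true
fi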

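# ── Log directory ────────────────────────────────────────────────────────────
# System subdomains share the user's log directory. httpd opens these files
# itself (typically with root privileges), so the directory must not be a
# symlink the user could point elsewhere — refuse rather than follow it.
if [[ -L "${USER_HOME}/logs" ]]; then
  onx_die 2 "refusing symlinked log directory: ${USER_HOME}/logs"
fi
mkdir -p "${USER_HOME}/logs"

# ── Document root ────────────────────────────────────────────────────────────
# Apache resolves the ServerName but answers 403/404 when doc_root is missing.
# Panel default for subdomains/addons: /home/users/<user>/public_html/<slug>.
# cPanel behaviour: create it, owner user:primary_group, mode 0755.
#
# Containment is checked on the CANONICAL path and for existing directories
# too. Previously only a non-existent doc_root was checked, and textually, so
# "/home/users/u/../../root/x" passed the "${USER_HOME}/*" pattern (mkdir -p
# + chown then ran on the resolved location) and any existing directory on the
# box was accepted as-is.
DOC_ROOT_CANON=$(readlink -m -- "${DOC_ROOT}")
USER_HOME_CANON=$(readlink -m -- "${USER_HOME}")
case "${DOC_ROOT_CANON}" in
  "${USER_HOME_CANON}"/*|/var/www/*|/srv/*)
    : # inside an allowed tree
    ;;
  *)
    onx_die 1 "doc_root must be under user home or /var/www or /srv: ${DOC_ROOT}"
    ;;
esac

if [[ ! -d "${DOC_ROOT}" ]]; then
  mkdir -p "${DOC_ROOT}"
  # Primary group is detected at runtime: onx-user-add uses the shared
  # `onoxsoft-users` group, there is no per-user group.
  PRIMARY_GROUP=$(id -gn "${USERNAME}" 2>/dev/null || echo "${USERNAME}")
  chown "${USERNAME}:${PRIMARY_GROUP}" "${DOC_ROOT}"
  chmod 0755 "${DOC_ROOT}"
  # Placeholder index.html so the first visit does not show an empty listing.
  if [[ ! -f "${DOC_ROOT}/index.html" ]]; then
    cat > "${DOC_ROOT}/index.html" <<INDEX
<!DOCTYPE html>
<html lang="tr">
<head><meta charset="utf-8"><title>${DOMAIN}</title></head>
<body style="font-family:sans-serif;max-width:600px;margin:60px auto;padding:20px;text-align:center;">
<h1>${DOMAIN}</h1>
<p>Bu site henüz yapılandırılmadı. Dosyalarınızı <code>${DOC_ROOT}</code> klasörüne yükleyin.</p>
<p style="color:#888;font-size:13px;">ONOXSOFT Panel</p>
</body>
</html>
INDEX
    chown "${USERNAME}:${PRIMARY_GROUP}" "${DOC_ROOT}/index.html"
    chmod 0644 "${DOC_ROOT}/index.html"
  fi
  onx_log "created DOC_ROOT=${DOC_ROOT} owner=${USERNAME}:${PRIMARY_GROUP}"
fi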

VHOST_PATH="${VHOST_DIR}/${USERNAME}-${DOMAIN}.conf"
BACKUP_PATH="${VHOST_PATH}.bak.$$"

# Back up existing vhost file (if any) before writing new one
[[ -f "${VHOST_PATH}" ]] && cp "${VHOST_PATH}" "${BACKUP_PATH}"

# ── SSL cert resolution for system subdomains ──────────────────────────────
# If cert_path not explicitly given but parent_domain is, fall back to parent cert.
# NOTE(review): in the current order this branch is unreachable — the SSL input
# check above already dies with "cert_path required when ssl_enabled" whenever
# SSL_ENABLED is true and CERT_PATH is empty, so CERT_PATH is never empty here.
# To take effect the fallback has to run before that check.
if [[ "${IS_SYSTEM_SUBDOMAIN}" == "true" && "${SSL_ENABLED}" == "true" ]]; then
  if [[ -z "${CERT_PATH}" && -n "${PARENT_DOMAIN}" ]]; then
    CERT_PATH="/etc/letsencrypt/live/${PARENT_DOMAIN}/fullchain.pem"
    KEY_PATH="/etc/letsencrypt/live/${PARENT_DOMAIN}/privkey.pem"
  fi
fi

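# ── System subdomain template branch ────────────────────────────────────────
# Renders one of four fixed templates instead of the generic vhost stub and
# exits from inside this branch. Values reaching the heredocs are either
# validated (DOMAIN; PARENT_DOMAIN and REDIRECT_TO just below) or server-side
# paths (USER_HOME, DOC_ROOT, cert/key, ROUNDCUBE_PATH, AUTODISCOVER_PATH).
if [[ "${IS_SYSTEM_SUBDOMAIN}" == "true" ]]; then
  # parent_domain and redirect_to are written verbatim into the config file; a
  # value carrying a newline or quote could add directives of its own. Pin
  # them to a plain shape before any file is touched.
  [[ -z "${PARENT_DOMAIN}" ]] || onx_validate_domain "${PARENT_DOMAIN}"
  if [[ -n "${REDIRECT_TO}" ]]; then
    redirect_re="^https?://[^[:space:][:cntrl:]\"'\\]+\$"
    if [[ ! "${REDIRECT_TO}" =~ ${redirect_re} ]]; then
      onx_die 1 "redirect_to must be a plain http(s) URL without whitespace or quotes: ${REDIRECT_TO}"
    fi
  fi

  # Build SSL block (shared by all SSL-enabled templates). The protocol floor
  # and cipher-order setting mirror the generic :443 block further down so a
  # system subdomain never gets a weaker TLS policy than its parent site.
  SSL_BLOCK=""
  if [[ "${SSL_ENABLED}" == "true" ]]; then
    SSL_BLOCK=$(cat <<SSLBLOCK
    SSLEngine on
    SSLCertificateFile ${CERT_PATH}
    SSLCertificateKeyFile ${KEY_PATH}
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLBLOCK
)
  fi

  case "${SUBDOMAIN_TYPE}" in
    webmail_proxy)
      # mail.<domain>, webmail.<domain> → Roundcube under /usr/share/roundcubemail
      # NOTE(review): the :80 block redirects to https unconditionally, but the
      # :443 block is only written when ssl_enabled=true — with SSL off,
      # https://<domain> is answered by whichever other :443 vhost matches.
      # Confirm that is intended before relying on it.
      cat > "${VHOST_PATH}" <<EOF
# Auto-generated by onx-vhost-add (subdomain_type=webmail_proxy)
# Parent: ${PARENT_DOMAIN}
<VirtualHost *:80>
    ServerName ${DOMAIN}
    DocumentRoot ${ROUNDCUBE_PATH}

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
    RewriteRule ^(.*)\$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    ErrorLog ${USER_HOME}/logs/${DOMAIN}-error.log
    CustomLog ${USER_HOME}/logs/${DOMAIN}-access.log combined
</VirtualHost>

EOF
      if [[ "${SSL_ENABLED}" == "true" ]]; then
        cat >> "${VHOST_PATH}" <<EOF
<VirtualHost *:443>
    ServerName ${DOMAIN}
    DocumentRoot ${ROUNDCUBE_PATH}

${SSL_BLOCK}

    <Directory "${ROUNDCUBE_PATH}">
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    <FilesMatch \\.php\$>
        SetHandler "proxy:unix:/var/opt/remi/php${PHP_VERSION_NODOT}/run/php-fpm/onoxsoft-panel.sock|fcgi://localhost"
    </FilesMatch>

    ErrorLog ${USER_HOME}/logs/${DOMAIN}-ssl-error.log
    CustomLog ${USER_HOME}/logs/${DOMAIN}-ssl-access.log combined
</VirtualHost>
EOF
      fi
      ;;

    panel_redirect)
      # panel.<domain> → ONOXSOFT panel admin URL (302)
      [[ -z "${REDIRECT_TO}" ]] && onx_die 1 "redirect_to required for panel_redirect template"
      cat > "${VHOST_PATH}" <<EOF
# Auto-generated by onx-vhost-add (subdomain_type=panel_redirect)
# Parent: ${PARENT_DOMAIN}
<VirtualHost *:80>
    ServerName ${DOMAIN}
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
    RewriteRule ^(.*)\$ ${REDIRECT_TO}\$1 [L,R=302]
    ErrorLog ${USER_HOME}/logs/${DOMAIN}-error.log
</VirtualHost>

EOF
      if [[ "${SSL_ENABLED}" == "true" ]]; then
        cat >> "${VHOST_PATH}" <<EOF
<VirtualHost *:443>
    ServerName ${DOMAIN}

${SSL_BLOCK}

    RewriteEngine On
    RewriteRule ^(.*)\$ ${REDIRECT_TO}\$1 [L,R=302]
    ErrorLog ${USER_HOME}/logs/${DOMAIN}-ssl-error.log
</VirtualHost>
EOF
      fi
      ;;

    webdisk)
      # webdisk.<domain> → WebDAV mount under /home/<user>/public_html
      cat > "${VHOST_PATH}" <<EOF
# Auto-generated by onx-vhost-add (subdomain_type=webdisk)
# Parent: ${PARENT_DOMAIN}
EOF
      if [[ "${SSL_ENABLED}" == "true" ]]; then
        cat >> "${VHOST_PATH}" <<EOF
<VirtualHost *:443>
    ServerName ${DOMAIN}
    DocumentRoot ${DOC_ROOT}

${SSL_BLOCK}

    # WebDAV — DAV ${DOC_ROOT}'a, auth tüm methodlara zorunlu
    <Directory "${DOC_ROOT}">
        DAV On
        Options +Indexes
        AllowOverride None
        AuthType Basic
        AuthName "WebDisk: ${USERNAME}"
        AuthBasicProvider file
        AuthUserFile ${USER_HOME}/.htpasswds/webdisk
        Require valid-user
    </Directory>

    ErrorLog ${USER_HOME}/logs/${DOMAIN}-error.log
    CustomLog ${USER_HOME}/logs/${DOMAIN}-access.log combined
</VirtualHost>
EOF
      else
        # WebDisk without SSL means Basic-auth credentials cross the wire in
        # clear text. The :80-only vhost is still written (caller's choice),
        # but the decision is logged so it is visible in the audit trail.
        onx_log "WARNING: webdisk ${DOMAIN} created without TLS — Basic auth credentials will be sent in clear text"
        cat >> "${VHOST_PATH}" <<EOF
<VirtualHost *:80>
    ServerName ${DOMAIN}
    DocumentRoot ${DOC_ROOT}

    # WebDAV — DAV ${DOC_ROOT}'a, auth tüm methodlara zorunlu
    <Directory "${DOC_ROOT}">
        DAV On
        Options +Indexes
        AllowOverride None
        AuthType Basic
        AuthName "WebDisk: ${USERNAME}"
        AuthBasicProvider file
        AuthUserFile ${USER_HOME}/.htpasswds/webdisk
        Require valid-user
    </Directory>

    ErrorLog ${USER_HOME}/logs/${DOMAIN}-error.log
    CustomLog ${USER_HOME}/logs/${DOMAIN}-access.log combined
</VirtualHost>
EOF
      fi
      ;;

    mail_autoconfig)
      # autodiscover.<domain> (Outlook) + autoconfig.<domain> (Thunderbird)
      cat > "${VHOST_PATH}" <<EOF
# Auto-generated by onx-vhost-add (subdomain_type=mail_autoconfig)
# Parent: ${PARENT_DOMAIN}
<VirtualHost *:80>
    ServerName ${DOMAIN}
    DocumentRoot ${AUTODISCOVER_PATH}

    RewriteEngine On
    RewriteRule ^/[Aa]utodiscover/[Aa]utodiscover.xml\$ /autodiscover.xml.php [L]
    RewriteRule ^/mail/config-v1.1.xml\$ /thunderbird.xml.php [L]
    RewriteRule ^/.well-known/autoconfig/mail/config-v1.1.xml\$ /thunderbird.xml.php [L]

    <Directory "${AUTODISCOVER_PATH}">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <FilesMatch \\.php\$>
        SetHandler "proxy:unix:/var/opt/remi/php${PHP_VERSION_NODOT}/run/php-fpm/onoxsoft-panel.sock|fcgi://localhost"
    </FilesMatch>

    ErrorLog ${USER_HOME}/logs/${DOMAIN}-error.log
    CustomLog ${USER_HOME}/logs/${DOMAIN}-access.log combined
</VirtualHost>

EOF
      if [[ "${SSL_ENABLED}" == "true" ]]; then
        cat >> "${VHOST_PATH}" <<EOF
<VirtualHost *:443>
    ServerName ${DOMAIN}
    DocumentRoot ${AUTODISCOVER_PATH}

${SSL_BLOCK}

    RewriteEngine On
    RewriteRule ^/[Aa]utodiscover/[Aa]utodiscover.xml\$ /autodiscover.xml.php [L]
    RewriteRule ^/mail/config-v1.1.xml\$ /thunderbird.xml.php [L]
    RewriteRule ^/.well-known/autoconfig/mail/config-v1.1.xml\$ /thunderbird.xml.php [L]

    <Directory "${AUTODISCOVER_PATH}">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <FilesMatch \\.php\$>
        SetHandler "proxy:unix:/var/opt/remi/php${PHP_VERSION_NODOT}/run/php-fpm/onoxsoft-panel.sock|fcgi://localhost"
    </FilesMatch>

    ErrorLog ${USER_HOME}/logs/${DOMAIN}-ssl-error.log
    CustomLog ${USER_HOME}/logs/${DOMAIN}-ssl-access.log combined
</VirtualHost>
EOF
      fi
      ;;

    *)
      onx_die 1 "unknown subdomain_type: ${SUBDOMAIN_TYPE} (expected: webmail_proxy|panel_redirect|webdisk|mail_autoconfig)"
      ;;
  esac

  chmod 0644 "${VHOST_PATH}"

  # ── apachectl configtest → rollback on failure ─────────────────────────
  # Keep configtest's own diagnostics: they name the offending directive,
  # which the generic exit-4 message cannot.
  if ! CONFIGTEST_OUT=$(apachectl configtest 2>&1); then
    onx_log "apachectl configtest failed (system subdomain) — rolling back: ${CONFIGTEST_OUT}"
    if [[ -f "${BACKUP_PATH}" ]]; then
      mv "${BACKUP_PATH}" "${VHOST_PATH}"
    else
      rm -f "${VHOST_PATH}"
    fi
    onx_die 4 "apachectl configtest failed; vhost rolled back"
  fi

  rm -f "${BACKUP_PATH}"

  # ── Reload httpd ───────────────────────────────────────────────────────
  if ! systemctl reload httpd; then
    onx_die 3 "systemctl reload httpd failed"
  fi

  onx_json_out \
    "vhost_path"          "${VHOST_PATH}" \
    "reloaded"            "true" \
    "ssl_enabled"         "${SSL_ENABLED}" \
    "is_system_subdomain" "true" \
    "subdomain_type"      "${SUBDOMAIN_TYPE}" \
    "parent_domain"       "${PARENT_DOMAIN}"

  exit 0
fi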

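# ── Build alias directives ───────────────────────────────────────────────────
# server_aliases is a JSON array e.g. ["www.example.com","mail.example.com"].
# Each entry is written verbatim into a ServerAlias line, so every alias gets
# the same domain validation as the primary name — an alias containing
# whitespace or a newline would otherwise smuggle extra directives into the
# vhost. (If wildcard aliases are ever needed, extend the validator rather
# than bypassing it.)
ALIASES_DIRECTIVES=""
while IFS= read -r alias; do
  [[ -n "${alias}" ]] || continue
  onx_validate_domain "${alias}"
  ALIASES_DIRECTIVES+="  ServerAlias ${alias}"$'\n'
done < <(onx_json_array_items "${INPUT}" "server_aliases")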

# ── HTTP→HTTPS redirect snippet ───────────────────────────────────────────────
# Only emitted when the caller enabled SSL. ACME challenges are exempt so
# renewals keep working over plain HTTP. The delimiter is quoted: nothing in
# the snippet is expanded by the shell.
HTTPS_REDIRECT_BLOCK=""
if [[ "${SSL_ENABLED}" == "true" ]]; then
  HTTPS_REDIRECT_BLOCK=$(cat <<'BLOCK'
  # Redirect all HTTP traffic to HTTPS
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
BLOCK
)
fi

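# ── Build HTTPS VirtualHost block ────────────────────────────────────────────
# ALWAYS emit a :443 vhost. With ssl_enabled=false it carries the fallback
# self-signed cert, so https://<domain> shows the site behind a browser
# warning instead of falling through to Apache's default catch-all
# ("Index of /").
if [[ "${SSL_ENABLED}" == "true" ]]; then
  USED_CERT="${CERT_PATH}"
  USED_KEY="${KEY_PATH}"
  HSTS_HEADER='  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"'
else
  USED_CERT="${FALLBACK_CERT}"
  USED_KEY="${FALLBACK_KEY}"
  # No HSTS on the self-signed fallback: browsers would pin the warning.
  HSTS_HEADER='  # HSTS disabled — SSL fallback (self-signed)'
fi

# DocumentRoot and <Directory> paths are quoted, like the system subdomain
# templates in this file, so a doc_root containing spaces cannot split the
# directive or end the <Directory> path early.
HTTPS_VHOST_BLOCK=$(cat <<SSLBLOCK
<VirtualHost *:443>
  ServerName ${DOMAIN}
${ALIASES_DIRECTIVES}
  DocumentRoot "${DOC_ROOT}"

  CustomLog ${USER_HOME}/logs/${DOMAIN}-ssl-access.log combined
  ErrorLog  ${USER_HOME}/logs/${DOMAIN}-ssl-error.log

  SSLEngine on
  SSLCertificateFile    ${USED_CERT}
  SSLCertificateKeyFile ${USED_KEY}
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder on

${HSTS_HEADER}

  <FilesMatch \\.php\$>
    SetHandler "proxy:unix:/var/opt/remi/php${PHP_VERSION_NODOT}/run/php-fpm/${USERNAME}.sock|fcgi://localhost"
  </FilesMatch>

  <Directory "${DOC_ROOT}">
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>
SSLBLOCK
)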

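# ── Render template ──────────────────────────────────────────────────────────
# Work on a private copy of the template; the rendered file is installed into
# VHOST_DIR at the end. The trap also removes the ".new" scratch file written
# by the substitution helper, so an aborted run leaves nothing behind in /tmp.
TMP_CONF=$(mktemp /tmp/onx-vhost-XXXXXX.conf)
trap 'rm -f "${TMP_CONF}" "${TMP_CONF}.new"' EXIT

cp "${TEMPLATE_PATH}" "${TMP_CONF}"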

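# Replace every occurrence of the literal placeholder ${VAR} in TMP_CONF with a
# value, interpreting neither string.
#
# Globals:   TMP_CONF (rewritten in place)
# Arguments: $1 - placeholder name, e.g. DOMAIN (matched as the text "${DOMAIN}")
#            $2 - replacement text; may span lines and contain any character
# Returns:   0 on success; non-zero (TMP_CONF untouched) if awk or mv fails
#
# Both strings reach awk through ENVIRON rather than -v: awk applies escape
# processing to -v assignments, so "<FilesMatch \.php$>" lost its backslash
# (gawk turns "\." into ".", widening the match) and a "\n" inside a value
# became a newline. ENVIRON values are taken byte-for-byte. The older
# sed-based version had the mirror problem with "|" in "proxy:unix:...|fcgi".
sed_replace() {
  local var="$1" val="$2"
  local placeholder="\${${var}}"
  if ONX_PH="${placeholder}" ONX_REP="${val}" awk '
    BEGIN { ph = ENVIRON["ONX_PH"]; rep = ENVIRON["ONX_REP"] }
    {
      line = $0
      while ((idx = index(line, ph)) > 0) {
        printf "%s%s", substr(line, 1, idx - 1), rep
        line = substr(line, idx + length(ph))
      }
      print line
    }
  ' "${TMP_CONF}" > "${TMP_CONF}.new"; then
    mv "${TMP_CONF}.new" "${TMP_CONF}"
  else
    rm -f "${TMP_CONF}.new"
    return 1
  fi
}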

sed_replace "USERNAME"               "${USERNAME}"
sed_replace "USER_HOME"              "${USER_HOME}"
sed_replace "DOMAIN"                 "${DOMAIN}"
sed_replace "DOC_ROOT"               "${DOC_ROOT}"
sed_replace "PHP_VERSION_NODOT"      "${PHP_VERSION_NODOT}"
sed_replace "ALIASES_DIRECTIVES"     "${ALIASES_DIRECTIVES}"
sed_replace "HTTPS_REDIRECT_BLOCK"   "${HTTPS_REDIRECT_BLOCK}"
sed_replace "HTTPS_VHOST_BLOCK"      "${HTTPS_VHOST_BLOCK}"

# Install the rendered config
install -m 0644 "${TMP_CONF}" "${VHOST_PATH}"

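# ── apachectl configtest → rollback on failure ───────────────────────────────
# Capture configtest's diagnostics instead of discarding them: they identify
# the offending directive, which the generic exit-4 message cannot.
if ! CONFIGTEST_OUT=$(apachectl configtest 2>&1); then
  onx_log "apachectl configtest failed — rolling back: ${CONFIGTEST_OUT}"
  # Restore the previous vhost if there was one, otherwise remove the new
  # file, so httpd is never left with a site file that cannot load.
  if [[ -f "${BACKUP_PATH}" ]]; then
    mv "${BACKUP_PATH}" "${VHOST_PATH}"
  else
    rm -f "${VHOST_PATH}"
  fi
  onx_die 4 "apachectl configtest failed; vhost rolled back"
fi

rm -f "${BACKUP_PATH}"

# ── Reload httpd ─────────────────────────────────────────────────────────────
# configtest passed, so the new file is loadable; the backup is already gone,
# hence a failed reload is exit 3 (exec-fail) rather than 4 (rolled-back).
if ! systemctl reload httpd; then
  onx_die 3 "systemctl reload httpd failed"
fi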

# ── Success ──────────────────────────────────────────────────────────────────
# Result document for the caller; key order is kept as listed.
RESULT=(
  "vhost_path"  "${VHOST_PATH}"
  "reloaded"    "true"
  "ssl_enabled" "${SSL_ENABLED}"
  "server"      "apache"
)
onx_json_out "${RESULT[@]}"
