#!/usr/bin/env bash
#
# onx-webserver-install — Install a web server adapter (Apache/Nginx/OLS/LSE/Caddy).
#
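# Input (stdin JSON):
#   {"driver":"apache|nginx|openlitespeed|litespeed|caddy", "package":"httpd|nginx|...", "service":"httpd|nginx|...",
#    "license_key":"..."}
#   license_key is used only by the litespeed driver. It is a secret: do not log it.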
#
# Output: {"ok":true,"installed":true,"version":"X.Y.Z","message":"..."}
#
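# NOTE: Does not disturb the currently active web server (httpd) — the new one is
# installed in parallel and its service is NOT started, to avoid port conflicts
# (the admin starts it manually or uses switch).
# The system default changes, more or less, only in the "switch" flow.
# Exception: install_openlitespeed restarts lsws when lsws is already running.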

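set -uo pipefail

# Read the whole request from stdin once. Every field is caller-supplied and is
# treated as untrusted data from here on.
input="$(cat 2>/dev/null || echo '{}')"

# Here-strings instead of `echo "$input" |`: echo would interpret an input that
# happens to look like one of its own options (-n, -e).
driver="$(jq -r '.driver // empty' <<<"$input")"
package="$(jq -r '.package // empty' <<<"$input")"
service="$(jq -r '.service // empty' <<<"$input")"
# license_key is a secret: never echo it to logs, and keep `set -x` off.
license_key="$(jq -r '.license_key // empty' <<<"$input")"

if [[ -z "$driver" ]]; then
    jq -nc '{ok:false,error:"driver required"}' >&2
    exit 1
fi

# `service` is later passed to `systemctl enable` as an argument. Reject
# anything that is not a plain unit name before any package is installed, so a
# value starting with "-" can never be parsed as a systemctl option.
service_name_re='^[A-Za-z0-9][A-Za-z0-9@_.:-]*$'
if [[ -n "$service" && ! "$service" =~ $service_name_re ]]; then
    jq -nc '{ok:false,error:"invalid service name"}' >&2
    exit 1
fi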

# OS detection: /etc/debian_version marks the Debian family; everything else is
# handled as RHEL-like.
if [[ -f /etc/debian_version ]]; then
    OS_FAMILY="debian"
    PKG_MGR="apt-get"
else
    OS_FAMILY="rhel"
    PKG_MGR="dnf"
fi

# Driver-specific install
install_apache() {
    # Installs Apache with the distribution's package manager.
    # Globals: OS_FAMILY (read)
    # Returns: exit status of the package-manager command that ran.
    case "$OS_FAMILY" in
        rhel)
            # RHEL family: httpd together with the TLS and HTTP/2 modules.
            dnf install -y httpd mod_ssl mod_http2 >/dev/null 2>&1
            ;;
        *)
            # Any other family is handled as Debian.
            DEBIAN_FRONTEND=noninteractive apt-get install -y apache2 >/dev/null 2>&1
            ;;
    esac
}

install_nginx() {
    # Installs nginx with the distribution's package manager.
    # Globals: OS_FAMILY (read)
    # Returns: exit status of the package-manager command that ran.
    if [[ "$OS_FAMILY" != "rhel" ]]; then
        DEBIAN_FRONTEND=noninteractive apt-get install -y nginx >/dev/null 2>&1
        return
    fi

    # EPEL is not needed; AlmaLinux 9 ships nginx in its stock repositories.
    dnf install -y nginx >/dev/null 2>&1
}

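install_openlitespeed() {
    # Installs OpenLiteSpeed, lsphp82 and the PHP extensions listed below, then
    # cold-restarts the LSAPI workers when lsws is already running.
    #
    # Globals: OS_FAMILY (read)
    # Returns: exit status of the openlitespeed/lsphp82 package install. A failed
    #          install returns early and leaves a running lsws untouched.
    #
    # v78: lsphp82 core + all panel/Laravel extensions (sodium included — License JWT).
    # IMPORTANT: without lsphp82-sodium the panel License middleware returns 500 with
    # "Undefined constant SODIUM_CRYPTO_SIGN_BYTES". mbstring/intl/gd are required for
    # Inertia/i18n, mysqlnd/pdo for the DB, redis for cache, opcache for performance,
    # soap/xml/zip for the Laravel framework.
    # NOTE: the package name is "lsphp82-pecl-redis" (unversioned) — pecl-redis5 is
    # wrong (verified in v78.4).
    local _LSPHP_EXTENSIONS=(
        lsphp82-bcmath
        lsphp82-common
        lsphp82-gd
        lsphp82-imap
        lsphp82-intl
        lsphp82-mbstring
        lsphp82-mysqlnd
        lsphp82-opcache
        lsphp82-pdo
        lsphp82-pecl-redis
        lsphp82-process
        lsphp82-soap
        lsphp82-sodium
        lsphp82-xml
        lsphp82-zip
    )
    local repo_script=""
    local install_status=0

    if [[ "$OS_FAMILY" == "rhel" ]]; then
        # OLS repo — the official universal repo script auto-detects the EL release
        # (el8/el9/el10). The old litespeed-repo-1.2-1.el8.noarch.rpm was hard-coded
        # to el8 and gave a wrong/incomplete repo on el10. If the script is
        # unreachable, fall back to that el8 repo RPM (keeps the el9 behaviour).
        if ! rpm -q litespeed-repo >/dev/null 2>&1; then
            # The script is downloaded completely before it runs, so a dropped
            # connection cannot execute a truncated script as root, and both the
            # request and any redirect are pinned to HTTPS.
            # NOTE(review): this still runs unpinned remote code as root; vendoring
            # the repo definition and GPG key would remove that trust dependency.
            repo_script="$(mktemp 2>/dev/null)" || repo_script=""
            if [[ -z "$repo_script" ]] \
                || ! curl -fsSL --proto '=https' --proto-redir '=https' \
                    -o "$repo_script" https://repo.litespeed.sh 2>/dev/null \
                || ! bash "$repo_script" >/dev/null 2>&1; then
                # Fallback fetched over HTTPS instead of plain HTTP, so the repo
                # definition cannot be swapped in transit.
                # NOTE(review): assumes the mirror serves HTTPS — confirm.
                rpm -ivh https://rpms.litespeedtech.com/centos/litespeed-repo-1.2-1.el8.noarch.rpm >/dev/null 2>&1
            fi
            if [[ -n "$repo_script" ]]; then
                rm -f -- "$repo_script"
            fi
        fi
        # el10 (and modern EL): lsphp/OLS need libxcrypt-compat with the newer glibc
        # crypt, otherwise auth/crypto fail at runtime (already present/harmless on
        # el9). Best-effort on purpose.
        dnf install -y libxcrypt-compat >/dev/null 2>&1 || true
        dnf install -y openlitespeed lsphp82 "${_LSPHP_EXTENSIONS[@]}" >/dev/null 2>&1 \
            || install_status=$?
    else
        # The signing key is the trust root for every package from this repo, so
        # it is fetched over HTTPS rather than plain HTTP.
        # NOTE(review): apt-key is deprecated and trusts the key for all
        # repositories; a dedicated keyring referenced with signed-by= is the
        # current practice. Not changed here because the key file's format is
        # not visible from this script.
        wget -qO - https://rpms.litespeedtech.com/debian/lst_repo.gpg | apt-key add - 2>/dev/null
        echo "deb https://rpms.litespeedtech.com/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/lst_debian_repo.list
        apt-get update >/dev/null 2>&1
        # NOTE(review): the extension list uses the names documented above for the
        # RPM repo; confirm that the Debian repo publishes the same package names.
        DEBIAN_FRONTEND=noninteractive apt-get install -y openlitespeed lsphp82 "${_LSPHP_EXTENSIONS[@]}" >/dev/null 2>&1 \
            || install_status=$?
    fi

    # Without this the trailing `if` below would decide the function's status and
    # a failed install would be reported to the caller as success.
    if (( install_status != 0 )); then
        return "$install_status"
    fi

    # ── v78.4: LSAPI worker pool COLD RESTART ───────────────────────────────
    # LSAPI workers are cached for a long time with `persistConn=1`. They do not
    # see newly installed extensions (sodium in particular) — even
    # `systemctl restart lsws` is not enough because the lsphp82 worker processes
    # live independently. `pkill -9 lsphp` + socket cleanup + lsws restart makes
    # new workers spawn. Without it the panel can return 500 after install
    # (Undefined constant SODIUM_CRYPTO_SIGN_BYTES — JwtVerifier middleware).
    if systemctl is-active --quiet lsws 2>/dev/null; then
        pkill -9 lsphp 2>/dev/null || true
        rm -f /tmp/lshttpd/lsphp*.sock 2>/dev/null || true
        systemctl restart lsws >/dev/null 2>&1
        sleep 2
    fi
    return 0
}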

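install_litespeed() {
    # v67: LiteSpeed Enterprise — commercial, a license key is mandatory
    # (Free 1-domain or commercial).
    #
    # Globals: license_key (read), tmpdir (written; must stay global because the
    #          EXIT trap expands it when the script exits)
    # Exits:   2 when the key is missing or malformed, 3 when the installer
    #          cannot be staged, downloaded or extracted.
    # Returns: exit status of the vendor install.sh.
    if [[ -z "$license_key" ]]; then
        jq -nc '{ok:false,error:"LiteSpeed Enterprise için lisans key zorunlu."}' >&2
        exit 2
    fi
    # License format check (simple regex: XXXX-XXXX-XXXX-XXXX or 32 alphanumerics).
    # This also guarantees the key holds no whitespace or shell metacharacters
    # before it is written to disk and exported to the installer.
    if ! [[ "$license_key" =~ ^[A-Za-z0-9-]{16,64}$ ]]; then
        jq -nc '{ok:false,error:"Geçersiz lisans key formatı."}' >&2
        exit 2
    fi

    # LSE installer: non-interactive install through the vendor script.
    # NOTE: this is a placeholder — the real LSE installer needs a custom flow.
    # In production: wget https://www.litespeedtech.com/packages/lsws/lsws-X.Y.Z.tar.gz,
    # extract, then run install.sh non-interactively (with the LICENSE_KEY env).
    #
    # An empty tmpdir must stop here: `cd ""` succeeds, and the download and
    # extraction would then happen in whatever directory the caller started in.
    tmpdir=$(mktemp -d) || { jq -nc '{ok:false,error:"LSE temp directory could not be created."}' >&2; exit 3; }
    trap 'rm -rf -- "$tmpdir"' EXIT
    cd "$tmpdir" || exit 3

    # Free starter pack — in production fetch the newest release URL dynamically.
    # -f turns an HTTP error page into a failure instead of saving it as the
    # archive; --proto/--proto-redir keep the request and redirects on HTTPS.
    # NOTE(review): the archive is unpacked and its install.sh is run as root
    # without any checksum or signature check. Pin a digest for the chosen
    # release (placeholder: <EXPECTED_SHA256>) and verify it before extraction.
    if ! curl -fsSL --proto '=https' --proto-redir '=https' --max-time 60 -o lsws.tar.gz \
        'https://www.litespeedtech.com/packages/6.0/lsws-6.3.3-ent-x86_64-linux.tar.gz' 2>/dev/null; then
        jq -nc '{ok:false,error:"LSE installer indirilemedi (network/firewall)."}' >&2
        exit 3
    fi
    # shellcheck disable=SC2164 — a failed cd is handled by the error branch.
    if ! tar -xzf lsws.tar.gz 2>/dev/null || ! cd lsws-* 2>/dev/null; then
        jq -nc '{ok:false,error:"LSE archive extract fail"}' >&2
        exit 3
    fi

    # Store the license key. umask 077 inside a subshell makes newly created
    # key files readable by their owner only; an existing file keeps its mode.
    # Both writes stay best-effort.
    (
        umask 077
        printf '%s\n' "$license_key" > /etc/litespeed/license.key
    ) 2>/dev/null || true
    mkdir -p /usr/local/lsws/conf 2>/dev/null
    (
        umask 077
        printf '%s\n' "$license_key" > /usr/local/lsws/conf/serial.no
    ) 2>/dev/null || true

    # Silent install (reads LICENSE_KEY from the environment). The status is
    # kept so that a failed installer is no longer reported as a success.
    local install_status=0
    LICENSE_KEY="$license_key" ./install.sh -auto >/dev/null 2>&1 || install_status=$?

    # In case the service file was generated by the installer.
    systemctl daemon-reload 2>/dev/null || true
    return "$install_status"
}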

install_caddy() {
    # Installs Caddy: from the @caddy/caddy COPR on the RHEL family, from the
    # Cloudsmith "caddy/stable" apt repository otherwise.
    # Globals: OS_FAMILY (read)
    # Returns: exit status of the final `install caddy` package command.
    local cloudsmith='https://dl.cloudsmith.io/public/caddy/stable'

    case "$OS_FAMILY" in
        rhel)
            # COPR repo: the copr plugin first, then the repo, then the package.
            dnf install -y 'dnf-command(copr)' >/dev/null 2>&1
            dnf copr enable -y @caddy/caddy >/dev/null 2>&1
            dnf install -y caddy >/dev/null 2>&1
            ;;
        *)
            apt-get install -y debian-keyring debian-archive-keyring apt-transport-https >/dev/null 2>&1
            # Signing key goes into its own keyring file.
            curl -1sLf "${cloudsmith}/gpg.key" \
                | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
            # Repository definition is taken verbatim from the vendor.
            curl -1sLf "${cloudsmith}/debian.deb.txt" \
                | tee /etc/apt/sources.list.d/caddy-stable.list >/dev/null
            apt-get update >/dev/null 2>&1
            DEBIAN_FRONTEND=noninteractive apt-get install -y caddy >/dev/null 2>&1
            ;;
    esac
}

# Run install
# The case pattern is an explicit allow-list: only these five values can reach
# the install_<driver> call, so the caller-supplied driver never selects an
# arbitrary function.
case "$driver" in
    apache | nginx | openlitespeed | litespeed | caddy)
        "install_${driver}"
        ;;
    *)
        jq -nc --arg d "$driver" '{ok:false,error:"unknown driver",driver:$d}' >&2
        exit 1
        ;;
esac
# Status of the installer function that ran above.
install_rc=$?

if (( install_rc != 0 )); then
    jq -nc --arg d "$driver" --arg pkg "$package" '{ok:false,error:"install failed (package manager rc!=0)",driver:$d,package:$pkg}' >&2
    exit "$install_rc"
fi

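# Version detect
# Prints the first X.Y.Z-looking token read from stdin (nothing if none).
_first_semver() {
    grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1
}

version=""
case "$driver" in
    apache)
        # The Debian package installs the binary as apache2, not httpd; without
        # this fallback the version is always "unknown" there.
        apache_bin="httpd"
        command -v httpd >/dev/null 2>&1 || apache_bin="apache2"
        version="$("$apache_bin" -v 2>/dev/null | head -1 | _first_semver)"
        ;;
    nginx)
        # nginx prints its version on stderr.
        version="$(nginx -v 2>&1 | _first_semver)"
        ;;
    openlitespeed)
        version="$(/usr/local/lsws/bin/lshttpd -v 2>/dev/null | head -1 | _first_semver)"
        ;;
    caddy)
        version="$(caddy version 2>/dev/null | head -1 | _first_semver)"
        ;;
    # NOTE(review): the litespeed driver has no branch here, so it always
    # reports "unknown".
esac
if [[ -z "$version" ]]; then
    version="unknown"
fi

# Enable in systemd but DON'T start — Apache may already be using port 80.
# `--` ends option parsing, so a caller-supplied service value can only ever
# be read as a unit name. Enabling stays best-effort.
if [[ -n "$service" ]]; then
    systemctl enable -- "$service" >/dev/null 2>&1 || true
fi

jq -nc \
    --arg driver "$driver" --arg version "$version" --arg service "$service" \
    '{ok:true, installed:true, driver:$driver, version:$version, service:$service,
      message:"Driver kuruldu (henüz aktif değil). Aktif etmek için Switch kullanın."}'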
