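#!/usr/bin/env bash
# =============================================================================
# Cut nginx over to serve the PYRE app at / (and the dev tracker at /status).
# =============================================================================
# Prereqs: the app is built + running under pm2 (pyre-web:3000, pyre-api:4000),
# and Phase 0 provisioning already obtained a TLS cert for feedthepyre.com.
#
# Run as root:  sudo bash scripts/deploy-web.sh
# Idempotent + re-runnable.
#
# Optional env: CERTBOT_EMAIL - contact address passed to certbot (-m).
#
# Failure behaviour:
#   * If `nginx -t` rejects the new vhost, the previous vhost file and symlink
#     are restored before exiting non-zero, so a later reload or restart is not
#     left facing a broken sites-enabled entry.
#   * A certbot failure is best-effort: the script warns, still exits 0, and
#     the summary then lists http:// URLs instead of https://.
# =============================================================================
set -euo pipefail

DOMAIN="feedthepyre.com"
WWW_DOMAIN="www.feedthepyre.com"
REPO_DIR="/home/pyre/pyre"
CERTBOT_EMAIL="${CERTBOT_EMAIL:-a31s15.roguewave@gmail.com}"

VHOST_SRC="${REPO_DIR}/infra/nginx/${DOMAIN}.conf"
VHOST_AVAIL="/etc/nginx/sites-available/${DOMAIN}"
VHOST_ENABLED="/etc/nginx/sites-enabled/${DOMAIN}"
readonly DOMAIN WWW_DOMAIN REPO_DIR CERTBOT_EMAIL
readonly VHOST_SRC VHOST_AVAIL VHOST_ENABLED

# State used for rollback; set before the trap so `set -u` never trips in it.
prev_vhost=""   # temp copy of the vhost that was installed before this run
prev_link=""    # previous target of the sites-enabled symlink, if any

# Remove the temporary backup on every exit path.
cleanup() {
  if [[ -n "${prev_vhost}" ]]; then
    rm -f -- "${prev_vhost}"
  fi
}
trap cleanup EXIT

# Put sites-available / sites-enabled back the way they were before this run.
rollback_vhost() {
  echo "[ERROR] nginx -t rejected the new vhost; restoring the previous state." >&2
  if [[ -n "${prev_vhost}" ]]; then
    install -m 0644 "${prev_vhost}" "${VHOST_AVAIL}"
  else
    rm -f -- "${VHOST_AVAIL}"
  fi
  if [[ -n "${prev_link}" ]]; then
    ln -sfn "${prev_link}" "${VHOST_ENABLED}"
  else
    rm -f -- "${VHOST_ENABLED}"
  fi
}

if [[ "${EUID}" -ne 0 ]]; then
  echo "Must run as root: sudo bash ${0}" >&2
  exit 1
fi

# This runs as root but reads its input from a directory under /home/pyre.
# `install` follows symlinks, so a symlinked source would copy whatever it
# points at into a world-readable (0644) file. Accept a regular file only.
# NOTE(review): parent directories are not checked; confirm who can write to
# ${REPO_DIR}, since its contents become root-loaded nginx configuration.
if [[ ! -f "${VHOST_SRC}" || -L "${VHOST_SRC}" ]]; then
  echo "[ERROR] ${VHOST_SRC} must be a regular file (not a symlink)." >&2
  exit 1
fi

# Snapshot the current state so a failed config test can be undone.
if [[ -f "${VHOST_AVAIL}" ]]; then
  prev_vhost="$(mktemp)"   # mktemp creates it 0600; plain cp keeps that mode
  cp -- "${VHOST_AVAIL}" "${prev_vhost}"
fi
if [[ -L "${VHOST_ENABLED}" ]]; then
  prev_link="$(readlink -- "${VHOST_ENABLED}")"
fi

echo "==> Installing nginx vhost (app at / , tracker at /status , api at /api)"
install -m 0644 "${VHOST_SRC}" "${VHOST_AVAIL}"
ln -sfn "${VHOST_AVAIL}" "${VHOST_ENABLED}"

echo "==> nginx -t"
if ! nginx -t; then
  rollback_vhost
  exit 1
fi
systemctl reload nginx

# NOTE(review): the repo vhost presumably carries no 443 block of its own
# (certbot is described as adding it), so between the reload above and a
# successful certbot run the site is likely served without the HTTPS
# redirect - confirm against infra/nginx/${DOMAIN}.conf.
echo "==> Re-applying TLS (certbot mirrors the server to a 443 block; idempotent)"
scheme="https"
certbot --nginx -d "${DOMAIN}" -d "${WWW_DOMAIN}" \
  --non-interactive --agree-tos -m "${CERTBOT_EMAIL}" \
  --redirect --keep-until-expiring || {
  # Deliberately best-effort: keep going, but do not advertise https below.
  scheme="http"
  echo "[WARN] certbot did not complete; HTTP is live, re-run once DNS/cert is ready." >&2
}
systemctl reload nginx

echo "Done."
echo " ${scheme}://${DOMAIN}/ -> PYRE app (pm2 pyre-web:3000)"
echo " ${scheme}://${DOMAIN}/api/scan -> API (pm2 pyre-api:4000)"
echo " ${scheme}://${DOMAIN}/status/ -> dev status tracker (static)"
if [[ "${scheme}" != "https" ]]; then
  echo "[WARN] TLS was not applied in this run; traffic is unencrypted until certbot succeeds." >&2
fi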