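#!/usr/bin/env bash
#
# Cloudflare Tunnel plan (read-only).
#
# Prints the tunnel, ingress, DNS and systemd changes proposed for one node.
# This script creates and modifies nothing: besides resolving its own
# directory it only tests files under ~/.cloudflared.
#
# Required environment:
#   DOMAIN          zone the tunnel hostnames are created under
#   CF_ACCOUNT_ID   Cloudflare account ID shown in the plan
# Optional environment:
#   NODE_NAME       defaults to "node-a"
#   TUNNEL_NAME     defaults to "$NODE_NAME-tunnel"
#   OUTPUT_DIR      defaults to "<skill root>/outputs" (set here, not read here)
#
# NOTE: the strict-mode options below also apply to a shell that sources this
# file.
set -euo pipefail

# === METADATA ===
SCRIPT_NAME="$(basename -- "$0")"
# CDPATH is cleared so that cd cannot print a directory name into the
# command substitution and corrupt SCRIPT_DIR.
SCRIPT_DIR="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd)"
SKILL_ROOT="$(dirname -- "$SCRIPT_DIR")"

# === CONFIGURATION ===
: "${DOMAIN:?DOMAIN required}"
: "${CF_ACCOUNT_ID:?CF_ACCOUNT_ID required}"
: "${NODE_NAME:=node-a}"
: "${TUNNEL_NAME:=$NODE_NAME-tunnel}"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"

# === FUNCTIONS ===

# Timestamped informational message on stdout.
log_info() { echo "[INFO] $(date -Iseconds) $*"; }

# Timestamped warning on stderr.
log_warn() { echo "[WARN] $(date -Iseconds) $*" >&2; }

# Timestamped error on stderr, then exit 1.
die() {
  echo "[ERROR] $(date -Iseconds) $*" >&2
  exit 1
}

#######################################
# Reject a TUNNEL_NAME that is unsafe to interpolate into file names.
# The name becomes part of ~/.cloudflared/<name>.json, config-<name>.yml and
# the systemd instance name, so a '/' would point those paths outside
# ~/.cloudflared, a leading '-' could be read as an option by later commands,
# and control characters could forge lines in the plan the operator reviews.
# Globals:   TUNNEL_NAME (read)
# Returns:   0 when acceptable; exits 1 otherwise
#######################################
validate_tunnel_name() {
  case "$TUNNEL_NAME" in
    */* | .* | -* | *[[:cntrl:]]*)
      # The offending value is deliberately not echoed back.
      die "TUNNEL_NAME must not contain '/' or control characters, or start with '.' or '-'"
      ;;
  esac
}

#######################################
# Test whether a file grants any permission bit to group or other.
# Only POSIX find primaries are used, so GNU and BSD find behave alike;
# -H makes a symlink given on the command line resolve to its target.
# Arguments: $1 - path to test
# Returns:   0 if any group/other bit is set, 1 otherwise or on find failure
#######################################
is_group_or_other_accessible() {
  local path=$1
  local hit
  hit=$(find -H "$path" -prune \
    \( -perm -040 -o -perm -020 -o -perm -010 \
    -o -perm -004 -o -perm -002 -o -perm -001 \) \
    -print 2>/dev/null) || return 1
  [[ -n "$hit" ]]
}

#######################################
# Print the plan and report what already exists locally.
# Globals:   SCRIPT_NAME, NODE_NAME, TUNNEL_NAME, CF_ACCOUNT_ID, DOMAIN,
#            HOME (all read)
# Outputs:   plan on stdout, warnings on stderr
#######################################
main() {
  validate_tunnel_name

  local cred_file="$HOME/.cloudflared/$TUNNEL_NAME.json"
  local cert_file="$HOME/.cloudflared/cert.pem"

  log_info "Starting $SCRIPT_NAME (PLAN ONLY - no changes made)..."

  # Rules 1 and 2 publish local sshd and the service on port 8080 under public
  # hostnames; the Security Notes section reminds the operator to gate them.
  # The DNS target is written as <tunnel-id> because Cloudflare Tunnel CNAMEs
  # point at the tunnel's ID, not its name.
  printf '%s\n' \
    "" \
    "============================================" \
    " CLOUDFLARE TUNNEL PLAN" \
    " Node: $NODE_NAME" \
    "============================================" \
    "" \
    "=== Tunnel Configuration ===" \
    " Tunnel Name: $TUNNEL_NAME" \
    " Account ID: $CF_ACCOUNT_ID" \
    " Credentials: ~/.cloudflared/$TUNNEL_NAME.json" \
    " Config: ~/.cloudflared/config-$TUNNEL_NAME.yml" \
    "" \
    "=== Proposed Ingress Rules ===" \
    " 1. ssh.$DOMAIN -> ssh://localhost:22" \
    " 2. *.$DOMAIN -> http://localhost:8080 (catch-all)" \
    " 3. (fallback) -> http_status:404" \
    "" \
    "=== DNS Records to Create ===" \
    " ssh.$DOMAIN CNAME -> <tunnel-id>.cfargotunnel.com (ID of tunnel $TUNNEL_NAME)" \
    "" \
    "=== systemd Service ===" \
    " Unit: cloudflared@$TUNNEL_NAME.service (or user service)" \
    " Status: Will be enabled and started" \
    "" \
    "=== Security Notes ===" \
    " - Tunnel credentials will be stored locally" \
    " - Tunnel ID will be stored in pass (if available)" \
    " - No API token stored in config files" \
    " - Confirm a Cloudflare Access policy covers ssh.$DOMAIN and *.$DOMAIN before applying" \
    ""

  # Check for existing tunnel
  if [[ -f "$cred_file" ]]; then
    log_warn "Tunnel credentials already exist at ~/.cloudflared/$TUNNEL_NAME.json"
    log_warn "Apply will reuse existing tunnel (idempotent)"
    # The credentials file holds the tunnel secret, so it should be readable
    # by its owner only.
    if is_group_or_other_accessible "$cred_file"; then
      log_warn "Tunnel credentials are accessible to group/other"
      log_warn "Consider: chmod 600 ~/.cloudflared/$TUNNEL_NAME.json"
    fi
  fi

  # Check cloudflared login status
  if [[ -f "$cert_file" ]]; then
    log_info "Cloudflared certificate found - already authenticated"
  else
    log_warn "No cloudflared certificate found"
    log_warn "You may need to run: cloudflared tunnel login"
  fi

  printf '%s\n' \
    "============================================" \
    " To apply: ./scripts/21_tunnel_apply.sh" \
    " To abort: Do nothing" \
    " To rollback: ./scripts/rollback/undo_tunnel.sh" \
    "============================================"

  log_info "Completed $SCRIPT_NAME"
}

# Run main only when executed directly. An if-statement is used instead of
# `[[ ... ]] && main` because the && form leaves exit status 1 behind when the
# file is sourced, which aborts a caller running under `set -e`.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi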