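#!/usr/bin/env bash
#
# Bootstrap a Vaultwarden deployment: create the working directory and
# create or reuse a .env file holding ADMIN_TOKEN, DOMAIN and TZ. The rest
# of the script writes docker-compose.yml and starts the container.
set -euo pipefail

#############################
# CONFIG
#############################
BASE_DIR="${HOME}/Docker/Vaultwarden"
DOMAIN_DEFAULT="https://vaultwarden.rozic-dev.com"
TZ_DEFAULT="Europe/Ljubljana"

#############################
# FUNCTIONS
#############################

#######################################
# Pick the Compose front end available on this host.
# Outputs:   "docker compose" (plugin) or "docker-compose" (standalone)
# Returns:   exits 1 with a message on stderr when neither is found
#######################################
choose_docker_compose_cmd() {
  if command -v docker &>/dev/null && docker compose version &>/dev/null; then
    echo "docker compose"
  elif command -v docker-compose &>/dev/null; then
    echo "docker-compose"
  else
    echo "Error: docker compose or docker-compose not found in PATH." >&2
    exit 1
  fi
}

#######################################
# Generate a random admin token: 32 random bytes, hex-encoded (64 chars).
# Outputs:   the token on stdout, followed by a newline
#######################################
generate_admin_token() {
  if command -v openssl &>/dev/null; then
    openssl rand -hex 32
  else
    # Fallback if openssl isn't available: read exactly 32 bytes from the
    # kernel CSPRNG and hex-encode them. od stops after -N bytes, so no
    # pipeline stage is killed by SIGPIPE (which would abort the script
    # under `set -o pipefail`), and both branches yield the same format.
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
    printf '\n'
  fi
}

#############################
# DIRECTORY
#############################
echo ">>> Creating Vaultwarden directory at: ${BASE_DIR}"
mkdir -p "${BASE_DIR}"
cd "${BASE_DIR}"

#############################
# .env FILE
#############################
if [[ -f .env ]]; then
  echo ">>> .env already exists, reusing existing values."
  # `source` runs .env as shell code with this user's privileges, so only
  # accept a file that the current user owns.
  if [[ ! -O .env ]]; then
    echo "Error: ${BASE_DIR}/.env is not owned by the current user; refusing to source it." >&2
    exit 1
  fi
  # shellcheck disable=SC1091
  source .env
  : "${ADMIN_TOKEN:?ADMIN_TOKEN must be set in .env}"
  : "${DOMAIN:?DOMAIN must be set in .env}"
  : "${TZ:?TZ must be set in .env}"
else
  echo ">>> Creating .env file..."
  ADMIN_TOKEN=$(generate_admin_token)
  DOMAIN="${DOMAIN_DEFAULT}"
  TZ="${TZ_DEFAULT}"

  # Create the file under a restrictive umask so the admin token is never
  # readable by other local users, not even briefly.
  (
    umask 077
    cat >.env <<EOF
ADMIN_TOKEN=${ADMIN_TOKEN}
DOMAIN=${DOMAIN}
TZ=${TZ}
EOF
  )

  echo ">>> .env created."
  # The token is deliberately not echoed: terminal scrollback, CI logs and
  # `script`/tmux captures would otherwise keep a copy of the secret.
  echo " ADMIN_TOKEN: stored in ${BASE_DIR}/.env (not printed)"
  echo " DOMAIN: ${DOMAIN}"
  echo " TZ: ${TZ}"
fi

# Enforce owner-only access on every run, including for a pre-existing .env
# that may have been created with a permissive umask.
chmod 600 .env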
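# The Traefik router rules below hard-code this host name, while DOMAIN comes
# from .env. Warn when the two disagree, otherwise Vaultwarden would build
# links for one host while Traefik only routes the other. Keep TRAEFIK_HOST
# in sync with the Host(...) rules in the heredoc.
TRAEFIK_HOST="vaultwarden.rozic-dev.com"
domain_host="${DOMAIN#*://}"
domain_host="${domain_host%%[:/]*}"
if [[ "${domain_host}" != "${TRAEFIK_HOST}" ]]; then
  echo "Warning: DOMAIN host '${domain_host}' differs from the Traefik rule host '${TRAEFIK_HOST}'." >&2
fi

# Quoted delimiter: ${DOMAIN}, ${TZ} and ${ADMIN_TOKEN} are written literally
# and resolved by Compose from .env, so the secret never lands in this file.
cat >docker-compose.yml <<'EOF'
version: "3.9"

services:
  vaultwarden:
    # NOTE(review): ":latest" is a moving tag. Pin a reviewed release tag or
    # an image digest so a pull cannot silently change what runs here.
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Base configuration
      - DOMAIN=${DOMAIN}
      - TZ=${TZ}
      - WEBSOCKET_ENABLED=true
      # Security
      - SIGNUPS_ALLOWED=false
      # Plain-text token taken from .env. Vaultwarden also accepts an Argon2
      # PHC hash here (see `vaultwarden hash`), which avoids storing the
      # usable secret at rest.
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      # Logging (optional)
      - LOG_FILE=/data/vaultwarden.log
      - LOG_LEVEL=info
    volumes:
      - ./vw-data:/data
    networks:
      - traefik_default
    labels:
      - "traefik.enable=true"
      # The "redirect-to-https" middleware and "letsencrypt" resolver are not
      # defined in this file; they must already exist in the Traefik setup.

      # MAIN HTTP(S) APP
      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.rozic-dev.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=web,websecure"
      - "traefik.http.routers.vaultwarden.middlewares=redirect-to-https"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
      # Two services are declared on this container, so each router must
      # name its service explicitly or Traefik cannot link them.
      - "traefik.http.routers.vaultwarden.service=vaultwarden"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

      # WEBSOCKET FOR LIVE UPDATES
      # NOTE(review): recent Vaultwarden releases serve /notifications/hub on
      # the main HTTP port; confirm that port 3012 still exists in the image
      # version actually deployed.
      - "traefik.http.routers.vaultwarden-ws.rule=Host(`vaultwarden.rozic-dev.com`) && Path(`/notifications/hub`)"
      - "traefik.http.routers.vaultwarden-ws.entrypoints=web,websecure"
      - "traefik.http.routers.vaultwarden-ws.middlewares=redirect-to-https"
      - "traefik.http.routers.vaultwarden-ws.tls=true"
      - "traefik.http.routers.vaultwarden-ws.tls.certresolver=letsencrypt"
      - "traefik.http.routers.vaultwarden-ws.service=vaultwarden-ws"
      - "traefik.http.services.vaultwarden-ws.loadbalancer.server.port=3012"

networks:
  traefik_default:
    external: true
EOF

echo ">>> docker-compose.yml created."

#############################
# START CONTAINER
#############################
DC_CMD=$(choose_docker_compose_cmd)
echo ">>> Using Docker command: ${DC_CMD}"

# Split "docker compose" / "docker-compose" into an argv array once, instead
# of relying on unquoted expansion at every call site.
read -r -a dc_cmd <<<"${DC_CMD}"

echo ">>> Pulling images..."
"${dc_cmd[@]}" pull

echo ">>> Starting Vaultwarden..."
"${dc_cmd[@]}" up -d

echo ">>> Done!"
echo "Vaultwarden should be available at: ${DOMAIN}"
echo "Admin interface: ${DOMAIN}/admin"
# The admin token is not printed: it would persist in scrollback and logs.
echo "Admin token: stored in ${BASE_DIR}/.env"
echo "Don't forget to backup ${BASE_DIR}/vw-data and ${BASE_DIR}/.env regularly."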