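#!/bin/bash
# ============================================
# Update the Nginx configuration to enable HTTPS
# ============================================
# Purpose: configure HTTPS for api.muststudy.xin (using the existing certificate)
# Usage:   run on the server: bash deploy/update-nginx-ssl.sh
#
# The script overwrites $NGINX_CONF, validates the result with `nginx -t`,
# and reloads Nginx. If writing or validation fails, the previous file is put
# back (or the new file is removed when there was none), so a later
# reload/restart does not pick up a broken configuration.
# ============================================

set -euo pipefail

# Colours
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m'

echo -e "${BLUE}🔒 更新 Nginx 配置以启用 HTTPS...${NC}"
echo ""

DOMAIN="api.muststudy.xin"
NGINX_CONF="/etc/nginx/conf.d/wildgrowth-api.conf"
CERT_PATH="/etc/letsencrypt/live/${DOMAIN}"

# Check that the certificate exists. The directory alone is not enough:
# the config below references both files, and `nginx -t` would only fail
# after the live config had already been overwritten.
if [ ! -d "$CERT_PATH" ] ||
  [ ! -f "${CERT_PATH}/fullchain.pem" ] ||
  [ ! -f "${CERT_PATH}/privkey.pem" ]; then
  echo -e "${RED}❌ SSL 证书不存在: ${CERT_PATH}${NC}"
  echo -e "${YELLOW}请先运行: bash deploy/setup-ssl-api.sh${NC}"
  exit 1
fi

echo -e "${GREEN}✅ 找到 SSL 证书: ${CERT_PATH}${NC}"
echo ""

# Keep a copy of the current config outside conf.d so Nginx never loads it.
backup=""
committed=0
if [ -f "$NGINX_CONF" ]; then
  backup="$(mktemp)"
  cp -p -- "$NGINX_CONF" "$backup"
fi

# Runs on every exit path from here on: roll back unless the new config
# passed validation, then discard the temporary backup.
restore_on_failure() {
  if [ "$committed" -eq 0 ]; then
    if [ -n "$backup" ]; then
      cp -p -- "$backup" "$NGINX_CONF"
      echo -e "${YELLOW}已恢复原有 Nginx 配置${NC}"
    else
      rm -f -- "$NGINX_CONF"
    fi
  fi
  if [ -n "$backup" ]; then
    rm -f -- "$backup"
  fi
}
trap restore_on_failure EXIT

# Update the Nginx configuration.
# The heredoc delimiter is quoted so Nginx variables ($host, $scheme, ...)
# are written literally; as a consequence the domain and certificate paths
# are hard-coded in the template and must be kept in sync with DOMAIN and
# CERT_PATH above.
#
# NOTE(review): `ssl_ciphers HIGH:!aNULL:!MD5` is a broad OpenSSL class; under
# TLSv1.2 it still admits CBC-mode and static-RSA key-exchange suites.
# Consider an explicit ECDHE + AEAD list.
# NOTE(review): no Strict-Transport-Security header is sent, so clients are
# not told to stay on HTTPS; consider adding it once HTTPS is confirmed stable.
# NOTE(review): $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For
# the client sent. The backend should use X-Real-IP (set from $remote_addr
# here) rather than the first X-Forwarded-For entry for any IP-based decision.
echo -e "${BLUE}📝 更新 Nginx 配置...${NC}"
cat > "$NGINX_CONF" <<'EOF'
# HTTP 重定向到 HTTPS
server {
    listen 80;
    server_name api.muststudy.xin;

    # Let's Encrypt 验证
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # 其他请求重定向到 HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# HTTPS 配置
server {
    listen 443 ssl http2;
    server_name api.muststudy.xin;

    # SSL 证书配置
    ssl_certificate /etc/letsencrypt/live/api.muststudy.xin/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.muststudy.xin/privkey.pem;

    # SSL 安全配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # 日志
    access_log /var/log/nginx/wildgrowth-api-access.log;
    error_log /var/log/nginx/wildgrowth-api-error.log;

    # 上传文件大小限制
    client_max_body_size 10M;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;

        # 超时设置(增加到5分钟,支持长时间运行的AI生成任务)
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }
}
EOF

# Test the Nginx configuration before touching the running server.
echo -e "${BLUE}🔍 测试 Nginx 配置...${NC}"
if nginx -t; then
  echo -e "${GREEN}✅ Nginx 配置验证通过${NC}"
  # The file on disk is valid from here on; keep it even if the reload fails.
  committed=1

  # Reload Nginx
  systemctl reload nginx
  echo -e "${GREEN}✅ Nginx 已重载${NC}"
else
  echo -e "${RED}❌ Nginx 配置验证失败${NC}"
  # The EXIT trap restores the previous configuration.
  exit 1
fi

echo ""
echo "============================================"
echo -e "${GREEN}🎉 HTTPS 配置完成!${NC}"
echo "============================================"
echo ""
echo "📊 配置信息:"
echo " - HTTP (80): 自动重定向到 HTTPS"
echo " - HTTPS (443): 已启用 SSL"
echo " - 证书路径: ${CERT_PATH}"
echo ""
echo "🌐 测试命令:"
echo " curl https://${DOMAIN}/health"
echo ""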