#!/bin/bash
# ============================================
# NPM Proxy Host Deployer
# Nginx Proxy Manager - neuen Host anlegen
# Nutzt die NPM API (v2)
# ============================================
# Aufruf:  bash npm-ssl-deployer.sh <domain> <target-ip> <target-port>
# Beispiel: bash npm-ssl-deployer.sh app.example.com 192.168.1.100 8080
# Quelle:  sgit.space/downloads
# ============================================

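set -euo pipefail

# --- Konfiguration (anpassen!) ---
# Every setting may also be supplied through the environment, so the admin
# password does not have to be stored in this file, e.g.
#   NPM_PASSWORD=... bash npm-ssl-deployer.sh app.example.com 192.168.1.100 8080
NPM_URL="${NPM_URL:-http://192.168.1.131:81}"   # NPM Admin URL
NPM_EMAIL="${NPM_EMAIL:-admin@example.com}"     # NPM Login
NPM_PASSWORD="${NPM_PASSWORD:-changeme}"        # NPM Passwort
LE_EMAIL="${LE_EMAIL:-admin@example.com}"       # Let's Encrypt E-Mail

# --- Farben ---
readonly GREEN='\033[0;32m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'

# nginx snippet stored in the host's "advanced_config" (one line per element,
# joined with newlines when the request body is built). The headers-more
# directive is more_set_headers (plural); the singular spelling is not a
# directive and makes nginx reject the generated host config.
readonly SECURITY_HEADERS=(
  '# Security Headers'
  'more_set_headers "X-Frame-Options: DENY";'
  'more_set_headers "X-Content-Type-Options: nosniff";'
  'more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";'
  'more_set_headers "X-XSS-Protection: 1; mode=block";'
  'more_set_headers "Permissions-Policy: camera=(), microphone=(), geolocation=()";'
)

#######################################
# Print a message in red on stderr and abort the script.
# Globals:   RED, NC (read)
# Arguments: message words
# Returns:   never; exits 1
#######################################
die() {
  printf '%b%s%b\n' "$RED" "$*" "$NC" >&2
  exit 1
}

#######################################
# Print the usage text and exit.
# Outputs:   usage text on stdout
# Returns:   never; exits 1
#######################################
usage() {
  echo "Verwendung: $0 <domain> <target-ip> <target-port>"
  echo "Beispiel:   $0 app.example.com 192.168.1.100 8080"
  echo ""
  echo "Erstellt einen NPM Proxy Host mit:"
  echo "  - SSL (Let's Encrypt)"
  echo "  - Force HTTPS"
  echo "  - HTTP/2"
  echo "  - HSTS"
  echo "  - Security Headers"
  exit 1
}

#######################################
# Read one top-level field from the JSON document on stdin.
# Arguments: $1 - field name (passed as argv, never interpolated into code)
# Outputs:   the field value, or nothing when stdin is not a JSON object
#            or the field is absent/null
# Returns:   0 always, so callers test the printed value instead
#######################################
json_field() {
  python3 -c '
import json, sys
try:
    doc = json.load(sys.stdin)
except ValueError:
    sys.exit(0)
value = doc.get(sys.argv[1]) if isinstance(doc, dict) else None
if value is not None:
    print(value)
' "$1"
}

#######################################
# Pretty-print an API response for diagnostics, falling back to the raw text
# when it is not valid JSON.
# Arguments: $1 - response body
# Outputs:   formatted (or raw) body on stderr
#######################################
show_response() {
  # printf instead of echo: a body starting with "-n" must not be eaten as an option.
  printf '%s' "$1" | python3 -m json.tool >&2 2>/dev/null || printf '%s\n' "$1" >&2
}

#######################################
# POST the JSON body read from stdin to an NPM API path.
# Globals:   NPM_URL (read)
# Arguments: $1 - API path, e.g. /api/tokens
#            $2 - bearer token (optional; omitted for the login call)
# Outputs:   response body on stdout
# Returns:   curl's status: non-zero only on transport errors. API-level
#            errors arrive as a JSON body and are left to the caller.
#######################################
npm_post() {
  local path=$1
  local token=${2:-}
  local -a curl_args=(-sS -X POST -H 'Content-Type: application/json')
  if [[ -n "$token" ]]; then
    curl_args+=(-H "Authorization: Bearer ${token}")
  fi
  # The body is piped in rather than passed with -d "...", so the login
  # credentials never appear in the process list.
  curl "${curl_args[@]}" --data-binary @- "${NPM_URL}${path}"
}

#######################################
# Emit the login request body. The credentials are handed to python via the
# environment (not argv, not shell-interpolated into a JSON template), and
# json.dumps escapes them properly.
# Globals:   NPM_EMAIL, NPM_PASSWORD (read)
# Outputs:   JSON document on stdout
#######################################
login_payload() {
  NPM_EMAIL="$NPM_EMAIL" NPM_PASSWORD="$NPM_PASSWORD" python3 -c '
import json, os
print(json.dumps({"identity": os.environ["NPM_EMAIL"],
                  "secret": os.environ["NPM_PASSWORD"]}))
'
}

#######################################
# Emit the proxy-host request body. json.dumps escapes the caller-supplied
# values, so a domain or host containing quotes can no longer break the
# request; the port is emitted as a JSON number.
# Globals:   SECURITY_HEADERS (read)
# Arguments: $1 - domain, $2 - forward host/IP, $3 - forward port (digits)
# Outputs:   JSON document on stdout
#######################################
proxy_host_payload() {
  python3 -c '
import json, sys
domain, host, port = sys.argv[1:4]
print(json.dumps({
    "domain_names": [domain],
    "forward_scheme": "http",
    "forward_host": host,
    "forward_port": int(port),
    "block_exploits": True,
    "allow_websocket_upgrade": True,
    "http2_support": True,
    "hsts_enabled": True,
    "hsts_subdomains": False,
    "ssl_forced": True,
    "advanced_config": "\n".join(sys.argv[4:]),
    "meta": {"letsencrypt_agree": True, "dns_challenge": False},
}))
' "$1" "$2" "$3" "${SECURITY_HEADERS[@]}"
}

#######################################
# Emit the certificate request body.
# Arguments: $1 - domain, $2 - Let's Encrypt e-mail
# Outputs:   JSON document on stdout
#######################################
certificate_payload() {
  python3 -c '
import json, sys
print(json.dumps({
    "provider": "letsencrypt",
    "domain_names": [sys.argv[1]],
    "meta": {"letsencrypt_email": sys.argv[2],
             "letsencrypt_agree": True,
             "dns_challenge": False},
}))
' "$1" "$2"
}

#######################################
# Log in, create the proxy host, request the certificate, print a summary.
# Globals:   NPM_URL, NPM_EMAIL, NPM_PASSWORD, LE_EMAIL, GREEN, NC (read)
# Arguments: $1 - domain, $2 - target IP, $3 - target port
# Returns:   0 on success; exits 1 on any failed step
#######################################
main() {
  local domain=${1:-}
  local target_ip=${2:-}
  local target_port=${3:-}

  if [[ -z "$domain" || -z "$target_ip" || -z "$target_port" ]]; then
    usage
  fi
  # The port becomes a JSON number; validate it up front instead of sending
  # an invalid body. 10# forces decimal so "08" is not read as octal.
  if [[ ! "$target_port" =~ ^[0-9]+$ ]] \
    || (( 10#$target_port < 1 || 10#$target_port > 65535 )); then
    die "Fehler: Port muss eine Zahl zwischen 1 und 65535 sein: ${target_port}"
  fi
  command -v curl >/dev/null || die "Fehler: curl wird benoetigt."
  command -v python3 >/dev/null || die "Fehler: python3 wird benoetigt."

  printf '%b%s%b\n' "$GREEN" "===== NPM Proxy Host Deployer =====" "$NC"
  echo "Domain:  $domain"
  echo "Target:  $target_ip:$target_port"
  echo ""

  # === 1. Login ===
  echo "[1/3] Login bei NPM..."
  local response token
  # A transport error used to exit silently under set -e; report it instead.
  response=$(login_payload | npm_post /api/tokens) \
    || die "Fehler: Login fehlgeschlagen. NPM_URL/EMAIL/PASSWORD pruefen!"
  token=$(json_field token <<<"$response")
  [[ -n "$token" ]] || die "Fehler: Login fehlgeschlagen. NPM_URL/EMAIL/PASSWORD pruefen!"
  echo "Login OK."

  # === 2. Proxy Host erstellen ===
  echo "[2/3] Erstelle Proxy Host..."
  local result host_id
  result=$(proxy_host_payload "$domain" "$target_ip" "$target_port" \
    | npm_post /api/nginx/proxy-hosts "$token") \
    || die "Fehler beim Erstellen: Anfrage an NPM fehlgeschlagen."
  host_id=$(json_field id <<<"$result")
  if [[ -z "$host_id" ]]; then
    printf '%b%s%b\n' "$RED" "Fehler beim Erstellen:" "$NC" >&2
    show_response "$result"
    exit 1
  fi
  echo "Proxy Host #${host_id} erstellt."

  # === 3. SSL Zertifikat ===
  echo "[3/3] Beantrage SSL-Zertifikat (Let's Encrypt)..."
  local ssl_result
  ssl_result=$(certificate_payload "$domain" "$LE_EMAIL" \
    | npm_post "/api/nginx/proxy-hosts/${host_id}/certificate" "$token") \
    || die "Fehler: Zertifikat-Anfrage fehlgeschlagen (Proxy Host #${host_id} wurde bereits angelegt)."
  # NOTE(review): the success shape of this endpoint is not known here, so
  # only an explicit "error" member in the response is treated as a failure —
  # confirm against the NPM API. The response used to be discarded entirely,
  # so "Fertig!" was printed even when the certificate request was rejected.
  if [[ -n "$(json_field error <<<"$ssl_result")" ]]; then
    printf '%b%s%b\n' "$RED" \
      "Fehler beim Beantragen des Zertifikats (Proxy Host #${host_id} wurde bereits angelegt):" \
      "$NC" >&2
    show_response "$ssl_result"
    exit 1
  fi

  echo ""
  printf '%b%s%b\n' "$GREEN" "===== Fertig! =====" "$NC"
  echo ""
  echo "  Domain:     https://${domain}"
  echo "  Target:     ${target_ip}:${target_port}"
  echo "  Host-ID:    ${host_id}"
  echo "  SSL:        Let's Encrypt (Auto-Renewal)"
  echo "  Headers:    X-Frame-Options, X-Content-Type, Referrer-Policy, XSS-Protection, Permissions-Policy"
  echo "  HSTS:       Aktiviert"
  echo "  HTTP/2:     Aktiviert"
  echo ""
  echo "  HINWEIS: DNS muss auf die NPM-IP zeigen!"
  echo "  Falls internes DNS: Unbound Host Override anlegen."
  echo ""
}

main "$@"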
