#!/usr/bin/env bash
set -euo pipefail

DIR="/opt/hx-ki/com2-stack"
ENVF="$DIR/.env"
NET="hxki-internal"
BK="/opt/hx-ki/backups/com2-db-align-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BK"

echo "=== COM2 · DB ALIGN TO ENV (ONE-SHOT, NO DATA LOSS) ==="
echo "Env:    $ENVF"
echo "Backup: $BK"
echo

[ -f "$ENVF" ] || { echo "FAIL: FEHLT $ENVF"; exit 1; }
if grep -qE 'CHANGE_ME|CHANGEME|changeme' "$ENVF"; then
  echo "FAIL: In $ENVF sind noch Platzhalter (CHANGE_ME...)."; exit 1
fi

# .env laden (nur simple KEY=VALUE Zeilen)
set -a
. "$ENVF"
set +a

# Pflicht-Keys Postgres
: "${PG_USER:?fehlend in .env}"
: "${PG_PASSWORD:?fehlend in .env}"
: "${PG_DB:?fehlend in .env}"

# Pflicht-Keys MariaDB/Mautic (passen zu deinem Compose – ggf. in .env ergänzen)
: "${MYSQL_ROOT_PASSWORD:?fehlend in .env}"
: "${MAUTIC_DB_NAME:?fehlend in .env}"
: "${MAUTIC_DB_USER:?fehlend in .env}"
: "${MAUTIC_DB_PASSWORD:?fehlend in .env}"

docker network inspect "$NET" >/dev/null 2>&1 || docker network create "$NET" >/dev/null

cd "$DIR"

echo "[1] DB-Container sauber runter (nur DBs)"
docker compose rm -sf hxki-postgres hxki-mariadb >/dev/null 2>&1 || true

echo "[2] Postgres hoch (nur DB)"
docker compose up -d hxki-postgres

echo "[3] Wait: Postgres ready (pg_isready)"
for i in $(seq 1 60); do
  if docker exec -u postgres hxki-postgres pg_isready -q >/dev/null 2>&1; then
    echo "OK: Postgres ready."
    break
  fi
  sleep 1
  if [ "$i" = "60" ]; then
    echo "FAIL: Postgres wird nicht ready."; exit 1
  fi
done

echo "[4] Postgres: Role/DB auf .env angleichen (ohne pg_hba-Hacks)"
# WICHTIG: als OS-User 'postgres' im Container -> lokaler Socket -> kein Passwort nötig
docker exec -u postgres hxki-postgres psql -v ON_ERROR_STOP=1 -d postgres <<SQL
DO \$\$
BEGIN
  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${PG_USER}') THEN
    CREATE ROLE "${PG_USER}" LOGIN;
  END IF;
END \$\$;

ALTER ROLE "${PG_USER}" WITH PASSWORD '${PG_PASSWORD}';

DO \$\$
BEGIN
  IF NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = '${PG_DB}') THEN
    CREATE DATABASE "${PG_DB}" OWNER "${PG_USER}";
  END IF;
END \$\$;

ALTER DATABASE "${PG_DB}" OWNER TO "${PG_USER}";
SQL
echo "OK: Postgres aligned."

echo "[5] MariaDB: Reset-Container im 'skip-grant-tables' Modus (NO DATA LOSS)"
# Image von vorhandener Definition nehmen (falls schon bekannt), sonst mariadb:10.11
IMG="$(docker inspect hxki-mariadb --format '{{.Config.Image}}' 2>/dev/null || true)"
[ -n "$IMG" ] || IMG="mariadb:10.11"

# Sicherheit: falls noch ein Reset-Container existiert
docker rm -f hxki-mariadb-reset >/dev/null 2>&1 || true

# Reset-Container starten (gleicher Bind-Mount wie dein echtes Setup!)
docker run -d --name hxki-mariadb-reset \
  --network "$NET" \
  -v /opt/hx-ki/mautic/db:/var/lib/mysql \
  "$IMG" \
  --skip-networking --skip-grant-tables >/dev/null

echo "[6] Wait: MariaDB Reset ready"
for i in $(seq 1 60); do
  if docker exec hxki-mariadb-reset sh -lc "mariadb -uroot -e 'SELECT 1' >/dev/null 2>&1"; then
    echo "OK: MariaDB reset ready."
    break
  fi
  sleep 1
  if [ "$i" = "60" ]; then
    echo "FAIL: MariaDB reset wird nicht ready."; docker logs --tail=80 hxki-mariadb-reset || true; exit 1
  fi
done

echo "[7] MariaDB: root-PW setzen + Mautic DB/User sicherstellen"
docker exec hxki-mariadb-reset sh -lc "mariadb -uroot <<'SQL'
FLUSH PRIVILEGES;

-- Root Passwort (für localhost und %)
ALTER USER 'root'@'localhost' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}';
CREATE USER IF NOT EXISTS 'root'@'%' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;

-- Mautic DB + User
CREATE DATABASE IF NOT EXISTS \`${MAUTIC_DB_NAME}\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS '${MAUTIC_DB_USER}'@'%' IDENTIFIED BY '${MAUTIC_DB_PASSWORD}';
GRANT ALL PRIVILEGES ON \`${MAUTIC_DB_NAME}\`.* TO '${MAUTIC_DB_USER}'@'%';

FLUSH PRIVILEGES;
SQL"
echo "OK: MariaDB aligned."

echo "[8] Reset-Container stoppen"
docker rm -f hxki-mariadb-reset >/dev/null

echo "[9] Echtes Orchester hoch (DBs + Apps)"
docker compose up -d --remove-orphans

echo
echo "[A] Quick checks"
echo "- Postgres Auth (mit .env User/PW):"
docker exec -e PGPASSWORD="${PG_PASSWORD}" hxki-postgres sh -lc "psql -U '${PG_USER}' -d '${PG_DB}' -c 'select 1' >/dev/null" \
  && echo "OK_PG_AUTH" || echo "FAIL_PG_AUTH"

echo "- MariaDB Auth (Mautic User):"
docker exec hxki-mariadb sh -lc "mariadb -u'${MAUTIC_DB_USER}' -p'${MAUTIC_DB_PASSWORD}' -e 'SELECT 1' '${MAUTIC_DB_NAME}' >/dev/null" \
  && echo "OK_MY_AUTH" || echo "FAIL_MY_AUTH"

echo "- n8n -> localhost:5678 im Container:"
docker exec hxki-n8n sh -lc "wget -qO- http://127.0.0.1:5678/ >/dev/null && echo OK_N8N_LISTEN || echo FAIL_N8N_LISTEN" || true

echo "- Caddy -> n8n/mautic/web intern:"
docker exec hx-caddy sh -lc "wget -qO- http://hxki-n8n:5678/ >/dev/null && echo OK_CADDY_TO_N8N || echo FAIL_CADDY_TO_N8N" || true
docker exec hx-caddy sh -lc "wget -qO- http://hxki-mautic/ >/dev/null && echo OK_CADDY_TO_MAUTIC || echo FAIL_CADDY_TO_MAUTIC" || true
docker exec hx-caddy sh -lc "wget -qO- http://hxki-web/ >/dev/null && echo OK_CADDY_TO_WEB || echo FAIL_CADDY_TO_WEB" || true

echo
echo "=== DONE ==="
echo "Backup dir: $BK"