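#!/usr/bin/env bash
# Controlled rollout helper to enable blocking mode by swapping in a blocking config.
# Usage: sudo ./scripts/rollout_enable_blocking.sh [--dry-run] [--confirm]
#
# Steps: validate arguments and config files, back up the active config,
# install the blocking config, then reload PHP-FPM.
# Exit codes: 0 = success, dry run or help; 1 = --confirm missing;
#             2 = unknown argument or missing config file;
#             otherwise the status of a failed PHP-FPM restart.
#
# NOTE(review): this is meant to run with root privileges and installs
# whatever config/uploadshield.blocking.json contains; presumably that
# directory should be writable only by trusted administrators -- confirm.
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
ACTIVE_CFG="$ROOT_DIR/uploadshield.json"
PROD_CFG="$ROOT_DIR/config/uploadshield.prod.json"
BLOCK_CFG="$ROOT_DIR/config/uploadshield.blocking.json"
BACKUP_DIR="$ROOT_DIR/config/backups"
BACKUP_FILE=""
DRY_RUN=0
CONFIRM=0

# Report a failed reload/restart of service $1 and exit with status $2.
reload_failed() {
  local svc=$1 rc=$2
  echo "Error: could not reload or restart $svc; the blocking config is installed but may not be active." >&2
  if [[ -n "$BACKUP_FILE" ]]; then
    echo "Previous config was backed up to $BACKUP_FILE" >&2
  fi
  exit "$rc"
}

for arg in "$@"; do
  case "$arg" in
    --dry-run) DRY_RUN=1 ;;
    --confirm) CONFIRM=1 ;;
    -h|--help)
      echo "Usage: $0 [--dry-run] [--confirm]"
      exit 0
      ;;
    *)
      # Reject anything unrecognised: a mistyped --dry-run next to --confirm
      # would otherwise be ignored and the real rollout would run.
      echo "Unknown argument: $arg" >&2
      echo "Usage: $0 [--dry-run] [--confirm]" >&2
      exit 2
      ;;
  esac
done

if [[ ! -f "$BLOCK_CFG" ]]; then
  echo "Blocking config not found: $BLOCK_CFG" >&2
  exit 2
fi

# The prod config is not modified here; it only has to exist before we proceed.
if [[ ! -f "$PROD_CFG" ]]; then
  echo "Prod config not found: $PROD_CFG" >&2
  exit 2
fi

if [[ $DRY_RUN -eq 1 ]]; then
  echo "DRY RUN: Would replace $ACTIVE_CFG with $BLOCK_CFG"
  echo "DRY RUN: Would reload PHP-FPM (if present)"
  exit 0
fi

if [[ $CONFIRM -ne 1 ]]; then
  echo "This will replace $ACTIVE_CFG with the blocking config and reload PHP-FPM."
  echo "Run with --confirm to proceed, or --dry-run to preview."
  exit 1
fi

mkdir -p "$BACKUP_DIR"
TS=$(date +%Y%m%dT%H%M%S)
if [[ -f "$ACTIVE_CFG" ]]; then
  BACKUP_FILE="$BACKUP_DIR/uploadshield.json.bak.$TS"
  cp -a -- "$ACTIVE_CFG" "$BACKUP_FILE"
  echo "Backed up current config to $BACKUP_FILE"
fi

if [[ -L "$ACTIVE_CFG" ]]; then
  # The active config is a symlink: write through it, as a plain copy does,
  # rather than replacing the link itself with a regular file.
  cp -a -- "$BLOCK_CFG" "$ACTIVE_CFG"
else
  # Stage the copy next to the target and rename it into place, so anything
  # reading the active config never sees a half-written file and a failed
  # copy leaves the previous config untouched.
  TMP_CFG=$(mktemp "$ACTIVE_CFG.tmp.XXXXXX")
  trap 'rm -f -- "$TMP_CFG"' EXIT
  cp -a -- "$BLOCK_CFG" "$TMP_CFG"
  mv -f -- "$TMP_CFG" "$ACTIVE_CFG"
fi
echo "Copied blocking config to $ACTIVE_CFG"

# Try to reload PHP-FPM gracefully using common service names
RELOADED=0
if command -v systemctl >/dev/null 2>&1; then
  for svc in php-fpm php7.4-fpm php8.0-fpm php8.1-fpm php8.2-fpm; do
    # Ask systemctl for this one unit and capture the output instead of piping
    # it into `grep -q`: with pipefail, grep exiting on its first match can
    # make the pipeline fail, and list-units output may be indented, which
    # defeats a ^-anchored match. Detection is best-effort, hence `|| true`.
    unit_line=$(systemctl list-units --full --all --plain --no-legend "${svc}.service" || true)
    if [[ "$unit_line" == *"${svc}.service"* ]]; then
      echo "Reloading $svc"
      if ! systemctl reload "$svc"; then
        systemctl restart "$svc" || reload_failed "$svc" "$?"
      fi
      RELOADED=1
      break
    fi
  done
fi

if [[ $RELOADED -eq 0 ]] && command -v service >/dev/null 2>&1; then
  # Query the service list once; its exit status is not meaningful here.
  status_all=$(service --status-all 2>&1 || true)
  # Versioned names come first so the bare "php-fpm" substring is only tried last.
  for svc in php7.4-fpm php8.0-fpm php8.1-fpm php8.2-fpm php-fpm; do
    if [[ "$status_all" == *"$svc"* ]]; then
      echo "Reloading $svc via service"
      if ! service "$svc" reload; then
        service "$svc" restart || reload_failed "$svc" "$?"
      fi
      RELOADED=1
      break
    fi
  done
fi

if [[ $RELOADED -eq 0 ]]; then
  # The new config is on disk but no PHP-FPM service was found to reload.
  echo "Warning: could not detect PHP-FPM service to reload. Please reload PHP-FPM manually." >&2
else
  echo "PHP-FPM reloaded; blocking config is active."
fi

echo "Rollout complete. Monitor logs and be ready to rollback if necessary."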