#!/bin/bash
set -eo pipefail
IFS=$'\n\t'

# Configuration
GIT_REMOTE_NAME="gogs"
GOGS_DOMAIN="netmon.thefoldwithin.earth"
GOGS_SSH="git@$GOGS_DOMAIN"
GOGS_API="https://$GOGS_DOMAIN/api/v1"
GOGS_SSH_PORT="22"
USERNAME="mrhavens"
REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) || { echo "[ERROR] Not inside a git repository." >&2; exit 1; }
REPO_NAME=$(basename "$REPO_ROOT") || { echo "[ERROR] Failed to get repository name" >&2; exit 1; }
MARKDOWN_FILE="$REPO_ROOT/.gitfield/gogs.sigil.md"
DEFAULT_NAME="Mark Randall Havens"
DEFAULT_EMAIL="mark.r.havens@gmail.com"
TOKEN_FILE="$HOME/.gitfield_token_gogs"
CLOUDFLARED_TOKEN_FILE="$HOME/.cloudflared/gogs_tunnel_token"
SSH_KEY="$HOME/.ssh/id_ed25519"
SSH_CONFIG_FILE="$HOME/.ssh/config"
SCRIPT_VERSION="1.5"

# Logging functions
info()  { echo -e "\e[1;34m[INFO]\e[0m ${*:-}"; }
warn()  { echo -e "\e[1;33m[WARN]\e[0m ${*:-}"; }
error() { echo -e "\e[1;31m[ERROR]\e[0m ${*:-}" >&2; exit 1; }

# Check for required tools
info "Checking for required tools..."
for cmd in git curl jq ssh timeout; do
  command -v "$cmd" >/dev/null || {
    sudo apt update -qq || warn "Failed to update package lists, continuing..."
    sudo apt install -y git curl jq openssh-client timeout || error "Failed to install $cmd"
  }
done

# Install cloudflared if not present
if ! command -v cloudflared >/dev/null; then
  info "Installing cloudflared..."
  sudo apt update -qq || warn "Failed to update package lists, continuing..."
  sudo apt install -y wget || error "Failed to install wget"
  ARCH=$(uname -m)
  case "$ARCH" in
    x86_64) CLOUDFLARED_URL="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64" ;;
    arm*)   CLOUDFLARED_URL="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm" ;;
    *)      error "Unsupported architecture: $ARCH" ;;
  esac
  wget -q "$CLOUDFLARED_URL" -O /tmp/cloudflared || error "Failed to download cloudflared"
  sudo mv /tmp/cloudflared /usr/local/bin/cloudflared || error "Failed to install cloudflared"
  sudo chmod +x /usr/local/bin/cloudflared || error "Failed to set cloudflared permissions"
  info "cloudflared installed successfully."
fi

# Handle GOGS token
RESET_AUTH=false
if [[ "${1:-}" == "--reset-auth" ]]; then
  RESET_AUTH=true
  rm -f "$TOKEN_FILE" "$CLOUDFLARED_TOKEN_FILE" 2>/dev/null || warn "Failed to remove auth files"
  info "Authentication reset requested."
fi

if [[ -f "$TOKEN_FILE" && "$RESET_AUTH" == false ]]; then
  TOKEN=$(cat "$TOKEN_FILE" 2>/dev/null) || error "Failed to read token from $TOKEN_FILE"
  info "Using cached GOGS token from $TOKEN_FILE"
else
  info "GOGS token required."
  echo "🔐 Generate a token at https://$GOGS_DOMAIN/user/settings/applications (scopes: write:repository, write:ssh_key)"
  echo "🔐 Paste your GOGS Personal Access Token (will not be echoed):"
  read -rsp "Token: " TOKEN
  echo
  [[ -z "$TOKEN" ]] && error "GOGS token cannot be empty"
  echo "$TOKEN" > "$TOKEN_FILE" || error "Failed to write token to $TOKEN_FILE"
  chmod 600 "$TOKEN_FILE" || error "Failed to set permissions on $TOKEN_FILE"
  info "GOGS token saved at $TOKEN_FILE"
fi

# Verify GOGS token
info "Verifying GOGS token..."
TOKEN_TEST=$(curl -k -s -H "Authorization: token $TOKEN" "$GOGS_API/user" | jq -r .login 2>/dev/null || echo "")
if [[ "$TOKEN_TEST" != "$USERNAME" ]]; then
  warn "GOGS token verification failed. Please generate a new token at https://$GOGS_DOMAIN/user/settings/applications"
  rm -f "$TOKEN_FILE"
  echo "🔐 Paste your GOGS Personal Access Token (will not be echoed):"
  read -rsp "Token: " TOKEN
  echo
  [[ -z "$TOKEN" ]] && error "GOGS token cannot be empty"
  echo "$TOKEN" > "$TOKEN_FILE" || error "Failed to write token to $TOKEN_FILE"
  chmod 600 "$TOKEN_FILE" || error "Failed to set permissions on $TOKEN_FILE"
  info "GOGS token saved at $TOKEN_FILE"
fi

# Handle Cloudflare Tunnel token
if [[ -f "$CLOUDFLARED_TOKEN_FILE" && "$RESET_AUTH" == false ]]; then
  CLOUDFLARED_TOKEN=$(cat "$CLOUDFLARED_TOKEN_FILE" 2>/dev/null) || error "Failed to read Cloudflare Tunnel token from $CLOUDFLARED_TOKEN_FILE"
  info "Using cached Cloudflare Tunnel token from $CLOUDFLARED_TOKEN_FILE"
else
  info "Cloudflare Tunnel token required."
  echo "🔐 Follow these steps to generate a Cloudflare Tunnel token:"
  echo "   1. Log into Cloudflare Zero Trust: https://dash.teams.cloudflare.com"
  echo "   2. Navigate to Access > Tunnels."
  echo "   3. Click 'Create a tunnel', select 'Cloudflared' connector, and name it (e.g., 'gogs-ssh-tunnel')."
  echo "   4. Copy the token (starts with 'eyJ') from the 'Connect an application' step."
  echo "   5. In Public Hostnames, add 'netmon.thefoldwithin.earth' (or a subdomain), set Service to 'SSH', and URL to 'localhost:22'."
  echo "   6. Ensure the tunnel is running on your Raspberry Pi (see: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/)"
  echo "🔐 Paste your Cloudflare Tunnel token (will not be echoed):"
  read -rsp "Token: " CLOUDFLARED_TOKEN
  echo
  [[ -z "$CLOUDFLARED_TOKEN" ]] && error "Cloudflare Tunnel token cannot be empty"
  [[ ! "$CLOUDFLARED_TOKEN" =~ ^eyJ ]] && warn "Cloudflare Tunnel token does not start with 'eyJ'. It may be invalid."
  mkdir -p "$(dirname "$CLOUDFLARED_TOKEN_FILE")" || error "Failed to create .cloudflared directory"
  echo "$CLOUDFLARED_TOKEN" > "$CLOUDFLARED_TOKEN_FILE" || error "Failed to write token to $CLOUDFLARED_TOKEN_FILE"
  chmod 600 "$CLOUDFLARED_TOKEN_FILE" || error "Failed to set permissions on $CLOUDFLARED_TOKEN_FILE"
  info "Cloudflare Tunnel token saved at $CLOUDFLARED_TOKEN_FILE"
fi

# Validate Cloudflare Tunnel token
info "Validating Cloudflare Tunnel token..."
CLOUDFLARED_TEST=$(timeout 10s cloudflared tunnel --no-autoupdate info --token "$CLOUDFLARED_TOKEN" 2>&1 || echo "Timeout or error")
if echo "$CLOUDFLARED_TEST" | grep -qi "error"; then
  warn "Cloudflare Tunnel token validation failed: $CLOUDFLARED_TEST"
  rm -f "$CLOUDFLARED_TOKEN_FILE"
  echo "🔐 Follow the steps above or visit https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/"
  echo "🔐 Paste your Cloudflare Tunnel token (will not be echoed):"
  read -rsp "Token: " CLOUDFLARED_TOKEN
  echo
  [[ -z "$CLOUDFLARED_TOKEN" ]] && error "Cloudflare Tunnel token cannot be empty"
  [[ ! "$CLOUDFLARED_TOKEN" =~ ^eyJ ]] && warn "Cloudflare Tunnel token does not start with 'eyJ'. It may be invalid."
  echo "$CLOUDFLARED_TOKEN" > "$CLOUDFLARED_TOKEN_FILE" || error "Failed to write token to $CLOUDFLARED_TOKEN_FILE"
  chmod 600 "$CLOUDFLARED_TOKEN_FILE" || error "Failed to set permissions on $CLOUDFLARED_TOKEN_FILE"
  info "Cloudflare Tunnel token saved at $CLOUDFLARED_TOKEN_FILE"
fi

# Configure Cloudflare Tunnel
info "Configuring Cloudflare Tunnel for SSH..."
killall cloudflared 2>/dev/null || true
timeout 10s cloudflared tunnel --no-autoupdate run --token "$CLOUDFLARED_TOKEN" --loglevel error >/dev/null 2>&1 & sleep 2
if ! pgrep -f "cloudflared.*$CLOUDFLARED_TOKEN" >/dev/null; then
  warn "Failed to start Cloudflare Tunnel. Falling back to HTTPS..."
  USE_HTTPS=true
else
  info "Cloudflare Tunnel running."
fi

# Configure SSH with Cloudflare Tunnel
if ! grep -q "Host $GOGS_DOMAIN" "$SSH_CONFIG_FILE" 2>/dev/null; then
  info "Configuring SSH with Cloudflare Tunnel..."
  mkdir -p "$(dirname "$SSH_CONFIG_FILE")" && chmod 700 "$(dirname "$SSH_CONFIG_FILE")"
  cat >> "$SSH_CONFIG_FILE" <<EOF
Host $GOGS_DOMAIN
  HostName $GOGS_DOMAIN
  User git
  Port $GOGS_SSH_PORT
  IdentityFile $SSH_KEY
  ProxyCommand cloudflared access ssh --hostname %h
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
EOF
  chmod 600 "$SSH_CONFIG_FILE" || warn "Failed to set permissions on SSH config file"
  info "Added SSH config for $GOGS_DOMAIN with Cloudflare Tunnel"
fi

# Set git user info
git config --global user.name "$DEFAULT_NAME" || warn "Failed to set git user name"
git config --global user.email "$DEFAULT_EMAIL" || warn "Failed to set git user email"
info "Git identity set to: $DEFAULT_NAME <$DEFAULT_EMAIL>"

# Ensure at least one commit exists
if ! git rev-parse HEAD &>/dev/null; then
  error "No commits found. Please add and commit files first."
fi

# SSH setup
if [[ ! -f "$SSH_KEY" ]]; then
  info "Generating SSH key..."
  ssh-keygen -t ed25519 -C "$DEFAULT_EMAIL" -f "$SSH_KEY" -N "" || error "Failed to generate SSH key"
fi

eval "$(ssh-agent -s)" >/dev/null 2>&1 || error "Failed to start ssh-agent"
ssh-add "$SSH_KEY" >/dev/null 2>&1 || warn "SSH key already added or could not be added"

# Upload SSH key to GOGS
if [[ "$USE_HTTPS" != true ]]; then
  info "Testing SSH connection..."
  SSH_TEST_OUTPUT=$(timeout 10s ssh -T -p "$GOGS_SSH_PORT" "$GOGS_SSH" 2>&1 || echo "Timeout or error")
  if ! echo "$SSH_TEST_OUTPUT" | grep -q "success"; then
    warn "SSH test failed: $SSH_TEST_OUTPUT"
    info "Uploading SSH key to GOGS..."
    PUBKEY=$(cat "${SSH_KEY}.pub" 2>/dev/null) || error "Failed to read SSH public key"
    TITLE="AutoKey-$(hostname)-$(date +%s)"
    CURL_OUTPUT=$(curl -k -s --fail -X POST "$GOGS_API/user/keys" \
      -H "Authorization: token $TOKEN" \
      -H "Content-Type: application/json" \
      -d "{\"title\": \"$TITLE\", \"key\": \"$PUBKEY\"}" 2>&1)
    if [[ $? -ne 0 ]]; then
      warn "SSH key upload failed: $CURL_OUTPUT"
      USE_HTTPS=true
    else
      info "SSH key uploaded successfully."
      sleep 2
      SSH_TEST_OUTPUT=$(timeout 10s ssh -T -p "$GOGS_SSH_PORT" "$GOGS_SSH" 2>&1 || echo "Timeout or error")
      if ! echo "$SSH_TEST_OUTPUT" | grep -q "success"; then
        warn "SSH test still failing: $SSH_TEST_OUTPUT"
        USE_HTTPS=true
      else
        info "SSH test passed: $SSH_TEST_OUTPUT"
      fi
    fi
  else
    info "SSH test passed: $SSH_TEST_OUTPUT"
  fi
else
  warn "Skipping SSH test due to HTTPS fallback."
fi

# Fallback to HTTPS if SSH fails
if [[ "$USE_HTTPS" == true ]]; then
  warn "Using HTTPS due to SSH failure."
  git config --global credential.helper store
  echo "https://$USERNAME:$TOKEN@$GOGS_DOMAIN" > "$HOME/.git-credentials" || error "Failed to write git credentials"
  chmod 600 "$HOME/.git-credentials" || error "Failed to set permissions on git credentials"
fi

# Check and create GOGS repository
info "Checking if repository exists..."
EXISTS=$(curl -k -s -H "Authorization: token $TOKEN" "$GOGS_API/repos/$USERNAME/$REPO_NAME" | jq -r .name 2>/dev/null || echo "")
if [[ "$EXISTS" != "$REPO_NAME" ]]; then
  info "Creating repository $REPO_NAME on GOGS..."
  CURL_OUTPUT=$(curl -k -s --fail -X POST "$GOGS_API/user/repos" \
    -H "Authorization: token $TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"name\": \"$REPO_NAME\", \"description\": \"Created via gitfield-gogs\", \"private\": false, \"auto_init\": false}" 2>&1) || {
    warn "Failed to create repository: $CURL_OUTPUT"
    error "Repository creation failed. Check token permissions or network."
  }
  info "Repository created successfully."
fi

# Set up git remote
if [[ "$USE_HTTPS" == true ]]; then
  REMOTE_URL="https://$GOGS_DOMAIN/$USERNAME/$REPO_NAME.git"
else
  REMOTE_URL="$GOGS_SSH:$USERNAME/$REPO_NAME.git"
fi
if ! git remote get-url "$GIT_REMOTE_NAME" &>/dev/null; then
  info "Adding remote $GIT_REMOTE_NAME..."
  git remote add "$GIT_REMOTE_NAME" "$REMOTE_URL" || error "Failed to add remote $GIT_REMOTE_NAME"
else
  info "Updating remote $GIT_REMOTE_NAME..."
  git remote set-url "$GIT_REMOTE_NAME" "$REMOTE_URL" || error "Failed to set remote URL for $GIT_REMOTE_NAME"
fi

# Generate metadata file
mkdir -p "$(dirname "$MARKDOWN_FILE")" || error "Failed to create directory for $MARKDOWN_FILE"
TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S') || error "Failed to get timestamp"
DEFAULT_BRANCH=$(git symbolic-ref --short HEAD) || error "Failed to get default branch"
REPO_PATH="$REPO_ROOT"
LATEST_SHA=$(git rev-parse HEAD) || error "Failed to get latest commit SHA"
LAST_COMMIT_MSG=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "Unknown")
LAST_COMMIT_DATE=$(git log -1 --pretty=format:"%ad" 2>/dev/null || echo "Unknown")
LAST_COMMIT_AUTHOR=$(git log -1 --pretty=format:"%an <%ae>" 2>/dev/null || echo "Unknown")
TOTAL_COMMITS=$(git rev-list --count HEAD 2>/dev/null || echo "Unknown")
TRACKED_FILES=$(git ls-files 2>/dev/null | wc -l 2>/dev/null || echo "Unknown")
UNCOMMITTED=$(if ! git diff --quiet 2>/dev/null || ! git diff --cached --quiet 2>/dev/null; then echo "Yes"; else echo "No"; fi)
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "None")
HOSTNAME=$(hostname 2>/dev/null || echo "Unknown")
CURRENT_USER=$(whoami 2>/dev/null || echo "Unknown")
TIMEZONE=$(date +%Z 2>/dev/null || echo "Unknown")
OS_NAME=$(uname -s 2>/dev/null || echo "Unknown")
KERNEL_VERSION=$(uname -r 2>/dev/null || echo "Unknown")
ARCHITECTURE=$(uname -m 2>/dev/null || echo "Unknown")
OS_PRETTY_NAME=$(grep PRETTY_NAME /etc/os-release 2>/dev/null | cut -d= -f2 | tr -d '"' || echo "Unknown")
WEB_LINK="https://$GOGS_DOMAIN/$USERNAME/$REPO_NAME"

cat > "$MARKDOWN_FILE" <<EOF
# 🔗 GOGS Repository Link

- **Repo Name**: \`$REPO_NAME\`
- **GOGS User**: \`$USERNAME\`
- **Remote URL**: [$WEB_LINK]($WEB_LINK)
- **Local Repo Path**: \`$REPO_PATH\`
- **Remote Label**: \`$GIT_REMOTE_NAME\`
- **Default Branch**: \`$DEFAULT_BRANCH\`
- **Repo Created**: \`$TIMESTAMP\`

---

## 📦 Commit Info

- **This Commit Timestamp**: \`$TIMESTAMP\`
- **Last Commit SHA**: \`$LATEST_SHA\`
- **Last Commit Message**: \`$LAST_COMMIT_MSG\`
- **Last Commit Author**: \`$LAST_COMMIT_AUTHOR\`
- **Last Commit Date**: \`$LAST_COMMIT_DATE\`
- **This Commit URL**: [$WEB_LINK/commit/$LATEST_SHA]($WEB_LINK/commit/$LATEST_SHA)

---

## 📊 Repo Status

- **Total Commits**: \`$TOTAL_COMMITS\`
- **Tracked Files**: \`$TRACKED_FILES\`
- **Uncommitted Changes**: \`$UNCOMMITTED\`
- **Latest Tag**: \`$LATEST_TAG\`

---

## 🧭 Environment

- **Host Machine**: \`$HOSTNAME\`
- **Current User**: \`$CURRENT_USER\`
- **Time Zone**: \`$TIMEZONE\`
- **Script Version**: \`$SCRIPT_VERSION\`

---

## 🧬 Hardware & OS Fingerprint

- **OS Name**: \`$OS_NAME\`
- **OS Version**: \`$OS_PRETTY_NAME\`
- **Kernel Version**: \`$KERNEL_VERSION\`
- **Architecture**: \`$ARCHITECTURE\`
- **System Uptime**: \$(uptime -p 2>/dev/null || echo "Unknown")\`
- **Local IP**: \$(hostname -I 2>/dev/null | awk '{print $1}' 2>/dev/null || echo "Unknown")\`
- **CPU Model**: \$(grep -m1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 | sed 's/^ //' 2>/dev/null || echo "Unknown")\`
- **Total RAM (GB)**: \$(awk '/MemTotal/ {printf "%.2f", $2/1024/1024}' /proc/meminfo 2>/dev/null || echo "Unknown")\`

---

_Auto-generated by \`gitfield-gogs\` push script._
EOF
[[ $? -eq 0 ]] || error "Failed to write metadata to $MARKDOWN_FILE"

# Commit and push
set +e
info "Committing markdown file..."
git add "$MARKDOWN_FILE" || warn "Failed to add markdown file"
git commit -m "GOGS metadata link commit at $TIMESTAMP — $WEB_LINK/commit/$LATEST_SHA" || warn "No changes to commit"

info "Pushing to GOGS..."
if ! git config --get branch."$DEFAULT_BRANCH".remote &>/dev/null; then
  git push -u "$GIT_REMOTE_NAME" "$DEFAULT_BRANCH" || {
    warn "Push to GOGS failed."
    if [[ "$USE_HTTPS" == false ]]; then
      warn "Retrying with HTTPS..."
      git remote set-url "$GIT_REMOTE_NAME" "https://$GOGS_DOMAIN/$USERNAME/$REPO_NAME.git"
      git push -u "$GIT_REMOTE_NAME" "$DEFAULT_BRANCH" || error "Push failed with both SSH and HTTPS."
    fi
  }
else
  git push "$GIT_REMOTE_NAME" "$DEFAULT_BRANCH" || {
    warn "Push to GOGS failed."
    if [[ "$USE_HTTPS" == false ]]; then
      warn "Retrying with HTTPS..."
      git remote set-url "$GIT_REMOTE_NAME" "https://$GOGS_DOMAIN/$USERNAME/$REPO_NAME.git"
      git push "$GIT_REMOTE_NAME" "$DEFAULT_BRANCH" || error "Push failed with both SSH and HTTPS."
    fi
  }
fi
set -e

info "✅ GOGS push complete."
echo -e "\n🔗 View in browser: $WEB_LINK\n"