#!/usr/bin/env bash
set -euo pipefail

NAS_ROOT="${NAS_ROOT:-/Volumes/docker/nodedc-platform}"
NAS_PLATFORM_DIR="${NAS_PLATFORM_DIR:-/volume1/docker/nodedc-platform/platform}"
NAS_TASKER_DIR="${NAS_TASKER_DIR:-/volume1/docker/nodedc-platform/tasker/plane-app}"
NAS_GATEWAY_DIR="${NAS_GATEWAY_DIR:-/volume1/docker/nodedc-platform/ops-agents}"
BACKUP_ROOT="${BACKUP_ROOT:-${NAS_ROOT}/backups}"
TIMESTAMP="${TIMESTAMP:-$(date +%Y%m%d-%H%M%S)}"
BACKUP_DIR="${BACKUP_DIR:-${BACKUP_ROOT}/platform-current-${TIMESTAMP}}"
DOCKER_BIN="${DOCKER_BIN:-/usr/local/bin/docker}"
COMPOSE_FILE="${COMPOSE_FILE:-${NAS_PLATFORM_DIR}/docker-compose.platform-http.yml}"
ENV_FILE="${ENV_FILE:-${NAS_PLATFORM_DIR}/.env.synology}"

mkdir -p "${BACKUP_DIR}/files/platform" \
  "${BACKUP_DIR}/files/launcher" \
  "${BACKUP_DIR}/files/authentik" \
  "${BACKUP_DIR}/files/tasker" \
  "${BACKUP_DIR}/files/ops-agents"

rsync_dir() {
  local source="$1"
  local destination="$2"

  if [[ -e "${source}" ]]; then
    rsync -a --delete "${source}" "${destination}"
  else
    echo "skip missing: ${source}" | tee -a "${BACKUP_DIR}/warnings.log" >&2
  fi
}

rsync_file() {
  local source="$1"
  local destination="$2"

  if [[ -f "${source}" ]]; then
    rsync -a "${source}" "${destination}"
  else
    echo "skip missing: ${source}" | tee -a "${BACKUP_DIR}/warnings.log" >&2
  fi
}

rsync_dir "${NAS_ROOT}/launcher/server-storage/" "${BACKUP_DIR}/files/launcher/server-storage/"
rsync_dir "${NAS_ROOT}/launcher/uploads/" "${BACKUP_DIR}/files/launcher/uploads/"
rsync_dir "${NAS_ROOT}/authentik/custom-templates/" "${BACKUP_DIR}/files/authentik/custom-templates/"
rsync_dir "${NAS_ROOT}/platform/authentik/" "${BACKUP_DIR}/files/platform/authentik/"

rsync_file "${NAS_ROOT}/platform/.env.synology" "${BACKUP_DIR}/files/platform/"
rsync_file "${NAS_ROOT}/platform/.env.synology.example" "${BACKUP_DIR}/files/platform/"
rsync_file "${NAS_ROOT}/platform/docker-compose.platform-http.yml" "${BACKUP_DIR}/files/platform/"
rsync_file "${NAS_ROOT}/platform/Caddyfile.http" "${BACKUP_DIR}/files/platform/"

rsync_file "${NAS_ROOT}/tasker/plane-app/.env.synology" "${BACKUP_DIR}/files/tasker/"
rsync_file "${NAS_ROOT}/tasker/plane-app/docker-compose.yaml" "${BACKUP_DIR}/files/tasker/"
rsync_file "${NAS_ROOT}/tasker/plane-app/docker-compose.synology.override.yml" "${BACKUP_DIR}/files/tasker/"

rsync_file "${NAS_ROOT}/ops-agents/.env" "${BACKUP_DIR}/files/ops-agents/"
rsync_file "${NAS_ROOT}/ops-agents/.env.synology.example" "${BACKUP_DIR}/files/ops-agents/"
rsync_file "${NAS_ROOT}/ops-agents/docker-compose.synology.yml" "${BACKUP_DIR}/files/ops-agents/"

cat > "${BACKUP_DIR}/manifest.txt" <<EOF
NODE.DC platform current backup
timestamp=${TIMESTAMP}
nas_root=${NAS_ROOT}
backup_dir=${BACKUP_DIR}

Contains:
- Launcher runtime snapshot: launcher/server-storage
- Launcher uploads: launcher/uploads
- Authentik custom templates: authentik/custom-templates
- Platform runtime config: platform/.env.synology, compose, Caddyfile
- Tasker runtime config: tasker/plane-app/.env.synology, compose, Synology override
- Ops Agents Gateway runtime config: ops-agents/.env, compose

Secrets:
- files/platform/.env.synology contains live secrets.
- files/tasker/.env.synology contains live secrets.
- files/ops-agents/.env contains live secrets.
- Keep this backup private.
EOF

cat > "${BACKUP_DIR}/run-authentik-db-dump-on-synology.sh" <<EOF
#!/usr/bin/env bash
set -euo pipefail

BACKUP_DIR="/volume1/docker/nodedc-platform/backups/$(basename "${BACKUP_DIR}")"
cd "${NAS_PLATFORM_DIR}"

sudo "${DOCKER_BIN}" compose \\
  --env-file "${ENV_FILE}" \\
  -f "${COMPOSE_FILE}" \\
  exec -T postgresql-authentik \\
  sh -lc 'pg_dump -U "\${POSTGRES_USER:-authentik}" -d "\${POSTGRES_DB:-authentik}" --format=custom --no-owner --no-acl' \\
  > "\${BACKUP_DIR}/authentik-postgres.dump"

sudo "${DOCKER_BIN}" compose \\
  --env-file "${ENV_FILE}" \\
  -f "${COMPOSE_FILE}" \\
  exec -T postgresql-authentik \\
  sh -lc 'pg_restore --list /dev/stdin >/dev/null' \\
  < "\${BACKUP_DIR}/authentik-postgres.dump"

if command -v sha256sum >/dev/null 2>&1; then
  (cd "\${BACKUP_DIR}" && sha256sum authentik-postgres.dump > SHA256SUMS)
else
  (cd "\${BACKUP_DIR}" && shasum -a 256 authentik-postgres.dump > SHA256SUMS)
fi

echo "authentik-db-dump-ok: \${BACKUP_DIR}/authentik-postgres.dump"
EOF
chmod +x "${BACKUP_DIR}/run-authentik-db-dump-on-synology.sh"

cat > "${BACKUP_DIR}/run-tasker-db-dump-on-synology.sh" <<EOF
#!/usr/bin/env bash
set -euo pipefail

BACKUP_DIR="/volume1/docker/nodedc-platform/backups/$(basename "${BACKUP_DIR}")"
cd "${NAS_TASKER_DIR}"

compose_args=(compose -p nodedc-tasker --env-file .env.synology -f docker-compose.yaml)
if [[ -f docker-compose.synology.override.yml ]]; then
  compose_args+=(-f docker-compose.synology.override.yml)
fi

sudo "${DOCKER_BIN}" "\${compose_args[@]}" \\
  exec -T plane-db \\
  sh -lc 'pg_dump -U "\${POSTGRES_USER:-plane}" -d "\${POSTGRES_DB:-plane}" --format=custom --no-owner --no-acl' \\
  > "\${BACKUP_DIR}/tasker-postgres.dump"

sudo "${DOCKER_BIN}" "\${compose_args[@]}" \\
  exec -T plane-db \\
  sh -lc 'pg_restore --list /dev/stdin >/dev/null' \\
  < "\${BACKUP_DIR}/tasker-postgres.dump"

echo "tasker-db-dump-ok: \${BACKUP_DIR}/tasker-postgres.dump"
EOF
chmod +x "${BACKUP_DIR}/run-tasker-db-dump-on-synology.sh"

cat > "${BACKUP_DIR}/run-ops-agents-db-dump-on-synology.sh" <<EOF
#!/usr/bin/env bash
set -euo pipefail

BACKUP_DIR="/volume1/docker/nodedc-platform/backups/$(basename "${BACKUP_DIR}")"
cd "${NAS_GATEWAY_DIR}"

sudo "${DOCKER_BIN}" compose \\
  --env-file .env \\
  -f docker-compose.synology.yml \\
  exec -T postgres \\
  sh -lc 'pg_dump -U "\${POSTGRES_USER:-nodedc_agent_gateway}" -d "\${POSTGRES_DB:-nodedc_agent_gateway}" --format=custom --no-owner --no-acl' \\
  > "\${BACKUP_DIR}/ops-agents-postgres.dump"

sudo "${DOCKER_BIN}" compose \\
  --env-file .env \\
  -f docker-compose.synology.yml \\
  exec -T postgres \\
  sh -lc 'pg_restore --list /dev/stdin >/dev/null' \\
  < "\${BACKUP_DIR}/ops-agents-postgres.dump"

echo "ops-agents-db-dump-ok: \${BACKUP_DIR}/ops-agents-postgres.dump"
EOF
chmod +x "${BACKUP_DIR}/run-ops-agents-db-dump-on-synology.sh"

find "${BACKUP_DIR}" -name @eaDir -prune -o -type d -exec chmod 700 {} \;
find "${BACKUP_DIR}" -name @eaDir -prune -o -type f -exec chmod 600 {} \;
chmod 700 "${BACKUP_DIR}/run-authentik-db-dump-on-synology.sh"
chmod 700 "${BACKUP_DIR}/run-tasker-db-dump-on-synology.sh"
chmod 700 "${BACKUP_DIR}/run-ops-agents-db-dump-on-synology.sh"

if [[ -x "${DOCKER_BIN}" && "${NAS_ROOT}" == /volume1/* ]]; then
  "${BACKUP_DIR}/run-authentik-db-dump-on-synology.sh"
else
  cat <<EOF
file-backup-ok: ${BACKUP_DIR}

DB dump was not run from this host.
Run on Synology:

bash /volume1/docker/nodedc-platform/backups/$(basename "${BACKUP_DIR}")/run-authentik-db-dump-on-synology.sh

# If Tasker database exists and backend/schema changes are planned:
bash /volume1/docker/nodedc-platform/backups/$(basename "${BACKUP_DIR}")/run-tasker-db-dump-on-synology.sh

# If Ops Agents Gateway was already deployed:
bash /volume1/docker/nodedc-platform/backups/$(basename "${BACKUP_DIR}")/run-ops-agents-db-dump-on-synology.sh
EOF
fi