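#!/usr/bin/env bash
#
# Entrypoint for the "httpd_only" container role.
#
# Prepares TLS material and Apache configuration, starts httpd and crond,
# then follows the Apache logs so the container keeps a foreground process.
#
# Environment:
#   environment  - deployment environment name; defaults to "PROD" when
#                  unset or empty.
# Exports:
#   CONTAINER_ROLE - fixed to "httpd_only"; echoed below after
#                    /scripts/detect-memory.sh has been sourced.

export CONTAINER_ROLE="httpd_only"

if [[ -z "${environment:-}" ]]; then
  environment="PROD"
fi

# Generate a self-signed certificate if none is present.
# NOTE: the key is written unencrypted (-nodes) and the certificate is
# self-signed for CN=localhost with a 10-year lifetime, so clients cannot
# validate it; vhosts serving real traffic need a properly issued cert.
tls_cert=/etc/pki/tls/certs/localhost.crt
tls_key=/etc/pki/tls/private/localhost.key
if [[ ! -f "$tls_cert" ]]; then
  if openssl req -newkey rsa:2048 -nodes \
      -keyout "$tls_key" \
      -x509 -days 3650 -subj "/CN=localhost" \
      -out "$tls_cert"; then
    # Do not rely on the ambient umask for the private key's permissions.
    chmod 600 "$tls_key"
  else
    echo "WARNING: failed to generate self-signed certificate $tls_cert" >&2
  fi
fi

# Create log directory
mkdir -p /var/log/httpd

# Remove default configs that conflict
rm -f /etc/httpd/conf.d/userdir.conf

# Configure RemoteIP for the Docker network.
# SECURITY: RemoteIPInternalProxy tells mod_remoteip to accept the
# client-address header from any peer in the listed range. The value taken
# from `ip addr` carries the interface's prefix length, so this presumably
# covers the whole network eth0 is attached to: every container on that
# network can then dictate the client IP that Apache logs and evaluates in
# IP-based access rules. Narrow this to the actual proxy address if other
# workloads share the network.
remoteip_conf=/etc/httpd/conf.d/remoteip.conf
docker_network=$(ip addr show | awk '/eth0/ && /inet/ {print $2}')
if [[ -n "$docker_network" ]]; then
  # One directive per address: a multi-line value written in a single echo
  # would leave bare addresses in the config. Skip lines that are already
  # present so container restarts do not pile up duplicates.
  while IFS= read -r proxy_net; do
    [[ -n "$proxy_net" ]] || continue
    directive="RemoteIPInternalProxy $proxy_net"
    if ! grep -qxF -- "$directive" "$remoteip_conf" 2>/dev/null; then
      echo "$directive" >> "$remoteip_conf"
    fi
  done <<< "$docker_network"
fi

# Detect memory and calculate Apache MPM tuning. The variables echoed below
# (other than CONTAINER_ROLE) are expected to be set by the sourced script.
source /scripts/detect-memory.sh

echo "Container memory: ${CONTAINER_MEMORY_MB}MB | Apache workers=${APACHE_MAX_REQUEST_WORKERS} | Role=${CONTAINER_ROLE}"

# Generate MPM tuning config
/scripts/create-apache-mpm-config.sh

# Write SSL global config (matches standalone CAC behavior)
cat <<'EOF' > /etc/httpd/conf.d/ssl-global.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
EOF

# Disable the default ssl.conf if present (we use per-vhost SSL)
if [[ -f /etc/httpd/conf.d/ssl.conf ]]; then
  mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
fi

# Ensure vhosts directory exists and is included
mkdir -p /etc/httpd/conf.d/vhosts
if ! grep -q 'IncludeOptional conf.d/vhosts/' /etc/httpd/conf/httpd.conf; then
  echo 'IncludeOptional conf.d/vhosts/*.conf' >> /etc/httpd/conf/httpd.conf
fi

# Start Apache. Exit non-zero if it does not come up, so the container
# fails visibly instead of sitting healthy-looking on `tail` with no server.
if ! /usr/sbin/httpd -k start; then
  echo "ERROR: httpd failed to start" >&2
  exit 1
fi

# Start cron for log rotation
/usr/sbin/crond

# Follow the Apache logs to keep the container in the foreground. -F follows
# by name, so output continues after cron-driven rotation replaces a file;
# plain -f would stay attached to the rotated-away file and go silent.
touch /var/log/httpd/error_log
tail -F /var/log/httpd/*

exit 0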