#!/usr/bin/env bash
# export-live-bundle.sh — writes the operator-facing live-deployment bundle
# (DNS zone fragment, rDNS request, firewall port list, mail client settings
# and a post-install checklist) into one output directory.
#
# Usage: export-live-bundle.sh <domain> [mail-host] [public-ip] [public-ipv6]
#                              [selector] [output-dir] [mta-sts-host]
# Every argument may instead be supplied through limristem-mail.env.
set -euo pipefail

# Directory this script lives in, so sibling scripts and libenv.sh are found
# regardless of the caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=/dev/null
. "${SCRIPT_DIR}/libenv.sh"

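#######################################
# Load the deployment configuration (limristem-mail.env) through the helper
# provided by libenv.sh.
# Globals:   LIMRISTEM_MAIL_CONFIG_DIR (read)
# Returns:   the status of limristem_mail_load_env_file
#######################################
load_env() {
  # `:?` turns a missing or empty config directory into an actionable message
  # instead of bash's bare "unbound variable" error from `set -u` (or, for an
  # empty value, a silent attempt to read /limristem-mail.env).
  local env_file
  env_file="${LIMRISTEM_MAIL_CONFIG_DIR:?LIMRISTEM_MAIL_CONFIG_DIR must be set (export it or define it in libenv.sh)}/limristem-mail.env"
  limristem_mail_load_env_file "$env_file"
}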

# Load limristem-mail.env first: the LIMRISTEM_MAIL_* fallbacks used by the
# argument defaults below can be supplied by that file.
load_env

# Resolve the deployment inputs. A positional argument wins over the matching
# LIMRISTEM_MAIL_* variable; the last value in each chain is the built-in
# default, where one exists.
#
#   $1 primary domain        $5 DKIM selector        (default: "default")
#   $2 mail host             $6 bundle output dir    (default: /var/lib/...)
#   $3 public IPv4           $7 MTA-STS policy host  (default: mta-sts.<domain>)
#   $4 public IPv6
DOMAIN="${1:-${LIMRISTEM_MAIL_PRIMARY_DOMAIN:-}}"
MAIL_HOST="${2:-${LIMRISTEM_MAIL_HOSTNAME:-}}"
PUBLIC_IP="${3:-${LIMRISTEM_MAIL_PUBLIC_IP:-}}"
PUBLIC_IPV6="${4:-${LIMRISTEM_MAIL_PUBLIC_IPV6:-}}"
SELECTOR="${5:-${LIMRISTEM_MAIL_DKIM_SELECTOR:-default}}"
OUT_DIR="${6:-${LIMRISTEM_MAIL_LIVE_BUNDLE_DIR:-/var/lib/limristem-mail/live-deployment}}"
# Derived from DOMAIN, so it has to be resolved after it.
MTA_STS_HOST="${7:-${LIMRISTEM_MAIL_MTA_STS_HOST:-mta-sts.$DOMAIN}}"

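# Domain and mail host are both mandatory. Either may come from argv or from
# the env file loaded above, which is why the usage line marks both as
# required (<...>) instead of showing mail-host as optional.
if [[ -z "$DOMAIN" || -z "$MAIL_HOST" ]]; then
  printf '%s\n' "Usage: export-live-bundle.sh <domain> <mail-host> [public-ip] [public-ipv6] [selector] [output-dir] [mta-sts-host]" >&2
  exit 1
fi

#######################################
# Check that a value looks like a DNS hostname: dot-separated labels made of
# letters, digits and hyphens, with no leading/trailing hyphen in a label and
# no trailing dot.
# Arguments: $1 - candidate hostname
# Returns:   0 if it matches, 1 otherwise
#######################################
valid_hostname() {
  local label='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
  local re="^${label}([.]${label})*\$"
  [[ "$1" =~ $re ]]
}

# These names are spliced into a file name (dns-zone-<domain>.txt) and into the
# copy-paste command written to the checklist, so reject anything that is not
# a plain hostname (slashes, whitespace, shell metacharacters) up front rather
# than writing it into the bundle.
for _name in "$DOMAIN" "$MAIL_HOST" "$MTA_STS_HOST"; do
  if ! valid_hostname "$_name"; then
    printf 'export-live-bundle.sh: not a valid hostname: %s\n' "$_name" >&2
    exit 1
  fi
done
unset _name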

# Create the bundle directory; every artefact below is written into it.
mkdir -p "$OUT_DIR"

# DNS zone fragment produced by the sibling generator. The argument order is
# defined by generate-dns-plan.sh; the fifth slot is intentionally passed empty.
dns_plan_args=(
  "$DOMAIN"
  "$MAIL_HOST"
  "$SELECTOR"
  "$MTA_STS_HOST"
  ""
  "$PUBLIC_IP"
  "$PUBLIC_IPV6"
)
"${SCRIPT_DIR}/generate-dns-plan.sh" "${dns_plan_args[@]}" \
  > "${OUT_DIR}/dns-zone-${DOMAIN}.txt"

# Reverse-DNS request text for the hosting provider. The file is opened once;
# the IPv6 line is only emitted when a public IPv6 address is configured.
{
  printf '%s\n' \
    'Limristem eMail reverse DNS request' \
    '============================' \
    '' \
    "Primary domain: $DOMAIN" \
    "Mail host: $MAIL_HOST" \
    "IPv4: ${PUBLIC_IP:-<set-public-ipv4>}" \
    "IPv6: ${PUBLIC_IPV6:-<set-public-ipv6>}" \
    '' \
    'Request to provider:' \
    "- Set PTR/rDNS of the public IPv4 to $MAIL_HOST"
  if [[ -n "$PUBLIC_IPV6" ]]; then
    printf '%s\n' "- Set PTR/rDNS of the public IPv6 to $MAIL_HOST"
  fi
} > "${OUT_DIR}/rdns-request.txt"

# Port list for the operator's host/perimeter firewall rules. Static text; no
# shell expansion takes place in these lines.
# NOTE(review): 110/tcp and 143/tcp are listed as required inbound, yet
# mail-client-settings.txt only points clients at 993/995/587/465 — confirm the
# cleartext-capable POP3/IMAP ports are really needed before exposing them.
printf '%s\n' \
  'Required inbound ports' \
  '======================' \
  '25/tcp   SMTP' \
  '465/tcp  SMTPS' \
  '587/tcp  Submission' \
  '110/tcp  POP3' \
  '995/tcp  POP3S' \
  '143/tcp  IMAP' \
  '993/tcp  IMAPS' \
  "80/tcp   HTTP (Let's Encrypt / redirect / validation)" \
  '443/tcp  HTTPS (API + MTA-STS policy)' \
  '' \
  'Required outbound ports' \
  '=======================' \
  '25/tcp   SMTP delivery to remote MX' \
  '53/tcp+udp DNS resolution' \
  '80/tcp   package updates / ACME' \
  '443/tcp  package updates / ACME / reputation and policy checks' \
  '123/udp  NTP recommended' \
  > "${OUT_DIR}/firewall-ports.txt"

# End-user mail client settings; only the TLS-protected ports are referenced.
printf '%s\n' \
  'Mail client settings' \
  '====================' \
  "Incoming IMAP: $MAIL_HOST port 993 TLS" \
  "Incoming POP3: $MAIL_HOST port 995 TLS" \
  "Outgoing SMTP submission: $MAIL_HOST port 587 STARTTLS" \
  "Outgoing SMTPS: $MAIL_HOST port 465 TLS" \
  'Username: full email address' \
  'Authentication: required' \
  > "${OUT_DIR}/mail-client-settings.txt"

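# Operator checklist. Step 6 is meant to be pasted into a shell, so every
# argument is emitted double-quoted: left bare, the <public-ip> placeholder
# used when no IPv4 is configured would be parsed as redirections (truncating
# a file named after the selector), and a SCRIPT_DIR with spaces would split.
cat > "$OUT_DIR/post-install-checklist.txt" <<EOF
Limristem eMail live deployment checklist
==================================

1. Publish the records in dns-zone-${DOMAIN}.txt.
2. Publish PTR/rDNS using rdns-request.txt.
3. Open the ports listed in firewall-ports.txt.
4. Wait for DNS propagation and confirm A/AAAA/MX/TXT visibility.
5. Verify the certificate on $MAIL_HOST and, if enabled, on $MTA_STS_HOST.
6. Run:
   "$SCRIPT_DIR/deliverability-check.sh" "$DOMAIN" "$MAIL_HOST" "${PUBLIC_IP:-<public-ip>}" "$SELECTOR" "$MTA_STS_HOST"
7. Verify SMTP STARTTLS, IMAPS, POP3S, and client authentication.
8. Send test mail to major providers and confirm SPF/DKIM/DMARC alignment.
9. Warm up the outbound IP gradually and monitor logs / reputation.
EOF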

# Final status line on stdout; all artefacts live in the bundle directory.
printf '%s\n' "Bundle created in $OUT_DIR"
