#!/usr/bin/env bash
# delete-projects-vps3.sh — Elimina cuentas HestiaCP y sus registros Airtable
# Correr directamente en VPS3 (Donweb 2 / HestiaCP) como root.
#
# Uso:
#   ./delete-projects-vps3.sh <user1,user2,user3> [--dry-run] [--keep-airtable] [--yes]
#   ./delete-projects-vps3.sh --all [--prefix=PREFIJO] [--dry-run] [--keep-airtable] [--yes]

# Shell options: fail on unset variables and report a failure from any
# pipeline stage. errexit (-e) is not enabled.
set -u
set -o pipefail

# HestiaCP CLI directory first so the v-* commands resolve, then the standard
# system directories, then whatever PATH the caller supplied.
PATH="/usr/local/hestia/bin:/usr/local/bin:/usr/bin:/bin:${PATH}"
export PATH

# Accounts that are never deleted (is_protected compares names exactly).
PROTECTED_USERS=(admin bewpro)

########################################
# FLAGS — defaults, overwritten by the command-line parser below
########################################

CPANEL_USERS_RAW=""   # comma-separated account list given positionally
PREFIX_FILTER=""      # --prefix=STR
ALL_MODE=false        # --all
AUTO_CONFIRM=false    # --yes
KEEP_AIRTABLE=false   # --keep-airtable
DRY_RUN=false         # --dry-run

#######################################
# Print the command-line help text.
# Arguments: none
# Outputs:   help text on stdout
#######################################
usage() {
  local help_text
  # read -d '' returns non-zero at end of input; the text is still captured.
  IFS= read -r -d '' help_text <<'HELP' || true
Uso:
  ./delete-projects-vps3.sh <user1,user2,user3> [opciones]
  ./delete-projects-vps3.sh --all [--prefix=STR] [opciones]

Opciones:
  --all            Elimina TODOS los usuarios HestiaCP (excepto admin y bewpro).
  --prefix=STR     Con --all, filtra solo usuarios que empiecen con STR.
  --dry-run        Muestra qué se borraría sin ejecutar cambios.
  --keep-airtable  Borra solo las cuentas HestiaCP, mantiene Airtable.
  --yes            No pide confirmación interactiva.
  -h, --help       Muestra esta ayuda.

Ejemplos:
  ./delete-projects-vps3.sh user1,user2,user3
  ./delete-projects-vps3.sh --all --dry-run
  ./delete-projects-vps3.sh --all --prefix=stres --yes
  ./delete-projects-vps3.sh --all --yes
HELP
  printf '%s' "$help_text"
}

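# Parse the command line into the flag globals declared above.
# Exactly one positional argument (the comma-separated account list) is
# accepted; unknown options and extra positionals abort with the help text.
while (($#)); do
  case "$1" in
    --dry-run)       DRY_RUN=true;       shift ;;
    --keep-airtable) KEEP_AIRTABLE=true; shift ;;
    --yes)           AUTO_CONFIRM=true;  shift ;;
    --all)           ALL_MODE=true;      shift ;;
    --prefix=*)
      PREFIX_FILTER="${1#--prefix=}"
      # An empty prefix would be indistinguishable from "no filter" further
      # down, so "--all --prefix=$UNSET_VAR" would select every account.
      if [[ -z "$PREFIX_FILTER" ]]; then
        echo "--prefix requiere un valor no vacío." >&2
        usage; exit 1
      fi
      shift
      ;;
    -h|--help)       usage; exit 0 ;;
    -*)
      echo "Opción no reconocida: $1" >&2
      usage; exit 1
      ;;
    *)
      if [[ -z "$CPANEL_USERS_RAW" ]]; then
        CPANEL_USERS_RAW="$1"
      else
        echo "Parámetro inesperado: $1" >&2
        usage; exit 1
      fi
      shift
      ;;
  esac
done

if [[ "$ALL_MODE" == "false" && -z "$CPANEL_USERS_RAW" ]]; then
  echo "Debes indicar al menos un usuario o usar --all." >&2
  usage; exit 1
fi

# --all takes precedence when the list is built, so an explicit list given
# together with --all would be silently ignored and every account selected.
# Reject the ambiguous combination instead of guessing the operator's intent.
if [[ "$ALL_MODE" == "true" && -n "$CPANEL_USERS_RAW" ]]; then
  echo "No se puede combinar --all con una lista de usuarios." >&2
  usage; exit 1
fi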

########################################
# CHEQUEO ROOT
########################################

# The script only runs with effective UID 0; any other UID is rejected
# before anything else happens.
if (( $(id -u) != 0 )); then
  echo "ERROR: Este script debe ejecutarse como root." >&2
  exit 1
fi

########################################
# CARGAR CONFIG
########################################

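# Optional credentials file. It is sourced, i.e. executed as shell code with
# the privileges of this script, so it is only loaded when it belongs to the
# invoking user. Keeping it mode 600 is advisable since it holds API tokens.
CONFIG_FILE="/root/scripts/.airtable.env"
if [[ -f "$CONFIG_FILE" ]]; then
  if [[ ! -O "$CONFIG_FILE" ]]; then
    echo "ERROR: ${CONFIG_FILE} no pertenece al usuario que ejecuta el script; no se carga." >&2
    exit 1
  fi
  # shellcheck source=/dev/null
  source "$CONFIG_FILE"
fi

# Every setting falls back to empty (or to the built-in table id) so later
# references are safe under `set -u` even when the config file is absent.
AIRTABLE_TOKEN="${AIRTABLE_TOKEN:-}"
AIRTABLE_BASE_ID="${AIRTABLE_BASE_ID:-}"
AIRTABLE_PROJECTS_TABLE="${AIRTABLE_TABLE_ID:-}"
AIRTABLE_SUBS_TABLE="${AIRTABLE_SUBSCRIPTIONS_TRACKING_TABLE:-tblnpr52JhFBBi2Mg}"
HOSTINGER_TOKEN="${HOSTINGER_TOKEN:-}"
HOSTINGER_DNS_ZONE="bewpro.com"

# API_BASE stays empty unless both the token and the base id are present;
# the rest of the script treats an empty API_BASE as "Airtable not configured".
API_BASE=""
if [[ -n "$AIRTABLE_TOKEN" && -n "$AIRTABLE_BASE_ID" ]]; then
  API_BASE="https://api.airtable.com/v0/${AIRTABLE_BASE_ID}"
fi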

########################################
# FUNCIÓN: verificar usuario protegido
########################################

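#######################################
# Tell whether an account name is on the protected list.
# Globals:   PROTECTED_USERS (read)
# Arguments: $1 - account name
# Returns:   0 if the name exactly matches a protected entry, 1 otherwise
#######################################
is_protected() {
  local user="$1"
  # Declared local so the loop variable does not leak into the global scope.
  local protected
  for protected in "${PROTECTED_USERS[@]}"; do
    # Quoted right-hand side: literal comparison, no glob matching.
    if [[ "$user" == "$protected" ]]; then
      return 0
    fi
  done
  return 1
}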

########################################
# FUNCIÓN DNS HOSTINGER
########################################

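#######################################
# Delete the A record <name>.<zone> through the Hostinger DNS API.
# Globals:   HOSTINGER_TOKEN (read), HOSTINGER_DNS_ZONE (read)
# Arguments: $1 - record name (the account name)
# Outputs:   result line on stdout, warnings on stderr
# Returns:   0 when the token is missing or the request was issued,
#            1 when the record name is rejected
#######################################
delete_hostinger_dns() {
  local subdomain="$1"

  if [[ -z "${HOSTINGER_TOKEN:-}" ]]; then
    echo "  WARN: HOSTINGER_TOKEN no configurado — DNS no eliminado"
    return 0
  fi

  # The name is spliced into a JSON body below. Accept only plain host-name
  # characters so quotes cannot alter the payload and special names such as
  # "@" or "*" cannot select records other than the account's own.
  local -r label_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
  if [[ ! "$subdomain" =~ $label_re ]]; then
    echo "  WARN: nombre DNS no válido '${subdomain}' — DNS no eliminado" >&2
    return 1
  fi

  # The Authorization header reaches curl as a config line on stdin instead
  # of a -H argument, which keeps the token out of the process list.
  # Assumes the token contains no double quote or backslash.
  local result http_code body
  result=$(curl -sS -w "\n%{http_code}" -X DELETE \
    --config - \
    -H "Content-Type: application/json" \
    -d "{\"filters\": [{\"name\": \"${subdomain}\", \"type\": \"A\"}]}" \
    "https://developers.hostinger.com/api/dns/v1/zones/${HOSTINGER_DNS_ZONE}" \
    <<<"header = \"Authorization: Bearer ${HOSTINGER_TOKEN}\"")

  # -w appended the status code on a line of its own: last line is the code,
  # everything before it is the response body.
  http_code="${result##*$'\n'}"
  body="${result%$'\n'*}"

  if [[ "$http_code" =~ ^2 ]]; then
    echo "  ✓ DNS eliminado: ${subdomain}.${HOSTINGER_DNS_ZONE}"
  else
    echo "  WARN: DNS delete HTTP ${http_code}: ${body}" >&2
  fi
}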

########################################
# FUNCIONES AIRTABLE
########################################

#######################################
# Percent-encode a string for use inside a URL query value.
# Arguments: $1 - raw string
# Outputs:   encoded string on stdout (no character is treated as safe
#            beyond the ones urllib never encodes)
#######################################
urlencode() {
  local raw="$1"
  # The value travels as argv, never as Python source, so it cannot be
  # interpreted as code.
  python3 - "$raw" <<'PY'
import sys
from urllib.parse import quote

print(quote(sys.argv[1], safe=""))
PY
}

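#######################################
# Query an Airtable table with a filterByFormula expression.
# Globals:   API_BASE (read), AIRTABLE_TOKEN (read)
# Arguments: $1 - table id
#            $2 - formula; URL-encoded here via urlencode
#            $3 - optional maxRecords value
# Outputs:   raw response body on stdout
# Returns:   curl's exit status
#######################################
airtable_get() {
  local table="$1" formula="$2" max_records="${3:-}"
  local encoded url
  encoded="$(urlencode "$formula")"
  url="${API_BASE}/${table}?filterByFormula=${encoded}"
  if [[ -n "$max_records" ]]; then
    url="${url}&maxRecords=${max_records}"
  fi
  # The bearer token is handed to curl as a config line on stdin rather than
  # as a -H argument, so it does not appear in the process list.
  # Assumes the token contains no double quote or backslash.
  curl -sS --config - "$url" \
    <<<"header = \"Authorization: Bearer ${AIRTABLE_TOKEN}\""
}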

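#######################################
# Delete one Airtable record.
# Globals:   API_BASE (read), AIRTABLE_TOKEN (read)
# Arguments: $1 - table id
#            $2 - record id
# Outputs:   nothing on stdout; warnings and curl errors on stderr
# Returns:   0 on success, non-zero when an argument is empty, the request
#            fails, or the server answers with an HTTP error status
#######################################
airtable_delete_record() {
  local table="$1" record_id="$2"

  # With an empty id the URL would address the table itself, not a record.
  if [[ -z "$table" || -z "$record_id" ]]; then
    echo "  WARN: airtable_delete_record: tabla o record id vacío — nada eliminado" >&2
    return 1
  fi

  # --fail turns HTTP error responses into a non-zero exit status, so the
  # caller can tell a rejected delete from a successful one.
  # The token goes in through stdin (--config -) to keep it out of the
  # process list; assumes it contains no double quote or backslash.
  curl -sS --fail -X DELETE --config - \
    "${API_BASE}/${table}/${record_id}" \
    <<<"header = \"Authorization: Bearer ${AIRTABLE_TOKEN}\"" > /dev/null
}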

#######################################
# Reduce an Airtable list response to "id|Name|server" for its first record.
# Arguments: $1 - JSON text of the response
# Outputs:   one line on stdout; "||" when the JSON cannot be parsed or
#            holds no records
# NOTE(review): the three fields are joined with "|" without escaping, so a
# Name containing "|" would be split incorrectly by the caller.
#######################################
extract_project_info() {
  python3 - "$1" <<'PY'
import json
import sys

EMPTY = "||"


def summarize(raw):
    try:
        payload = json.loads(raw)
    except Exception:
        return EMPTY
    found = payload.get("records", [])
    if not found:
        return EMPTY
    first = found[0]
    record_id = first.get("id", "")
    attrs = first.get("fields", {})
    project = attrs.get("Name", "")
    # "SERVER" wins whenever the key is present; "Server" is the fallback.
    host = attrs.get("SERVER", attrs.get("Server", "")).strip()
    return "{}|{}|{}".format(record_id, project, host)


print(summarize(sys.argv[1]))
PY
}

#######################################
# List the record ids found in an Airtable list response.
# Arguments: $1 - JSON text of the response
# Outputs:   one record id per line on stdout; nothing when the JSON cannot
#            be parsed or a record has no id
#######################################
extract_subscription_ids() {
  python3 - "$1" <<'PY'
import json
import sys

try:
    payload = json.loads(sys.argv[1])
except Exception:
    sys.exit(0)

for entry in payload.get("records", []):
    record_id = entry.get("id")
    if not record_id:
        continue
    sys.stdout.write(f"{record_id}\n")
PY
}

########################################
# FUNCIÓN: hacer backup antes de eliminar
########################################

#######################################
# Offer to back up an account with v-backup-user before it is deleted.
# Globals:   DRY_RUN (read)
# Arguments: $1 - account name
# Outputs:   progress on stdout, warnings on stderr; prompts read from stdin
# Returns:   0 to go on with the deletion (backup done, declined, or failed
#            but the operator chose to continue); 1 when the operator
#            cancels after a failed backup
# NOTE(review): both prompts are asked regardless of AUTO_CONFIRM, so a run
# with --yes still waits for input here; with stdin at end-of-file the
# answer is empty and the backup is skipped — confirm this is intended.
#######################################
backup_user_before_delete() {
  local account="$1"
  local answer

  if [[ "$DRY_RUN" == "true" ]]; then
    echo "  DRY RUN — Would backup: v-backup-user ${account}"
    return 0
  fi

  read -r -p "  ¿Hacer backup de '${account}' antes de eliminar? [y/N]: " answer
  case "$answer" in
    y|Y) ;;
    *)
      echo "  Backup omitido."
      return 0
      ;;
  esac

  echo "  Ejecutando backup de '${account}'..."
  if v-backup-user "${account}" 2>&1; then
    echo "  ✓ Backup completado para '${account}'"
    return 0
  fi

  # Backup failed: let the operator decide whether deleting is still wanted.
  echo "  WARN: El backup falló para '${account}'." >&2
  read -r -p "  El backup falló. ¿Continuar con la eliminación de todos modos? [y/N]: " answer
  if [[ "$answer" == [Yy] ]]; then
    return 0
  fi

  echo "  Eliminación cancelada para '${account}'."
  return 1
}

########################################
# FUNCIÓN: procesar un solo usuario
########################################

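#######################################
# Delete one account: HestiaCP user, its DNS A record and its Airtable rows.
# Globals:   API_BASE, AIRTABLE_PROJECTS_TABLE, AIRTABLE_SUBS_TABLE,
#            HOSTINGER_TOKEN, HOSTINGER_DNS_ZONE, DRY_RUN, KEEP_AIRTABLE (read)
#            AUTO_CONFIRM (read; set to true when the operator answers "a")
# Arguments: $1 - account name
# Outputs:   progress on stdout, warnings/errors on stderr; prompts on stdin
# Returns:   0 when the account was processed, skipped by the operator or
#            shown in a dry run; 1 when the name is rejected or a deletion
#            step failed
# NOTE(review): the DNS record is removed even when neither a local account
# nor an Airtable project was found for the name — confirm that a mistyped
# name cannot match an unrelated record in the zone.
#######################################
process_single_user() {
  local USERNAME="$1"
  local status=0
  local sub_id rid

  echo ""
  echo "========================================"
  echo "  DELETE: ${USERNAME}"
  echo "========================================"

  # The name ends up in an Airtable formula, a JSON body and a path under
  # /home, so only plain account-name characters are accepted here.
  local -r name_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
  if [[ ! "$USERNAME" =~ $name_re ]]; then
    echo "  ERROR: nombre de usuario no válido — saltando." >&2
    return 1
  fi
  if is_protected "$USERNAME"; then
    echo "  ERROR: '${USERNAME}' está protegido — saltando." >&2
    return 1
  fi

  # ── Look the account up in Airtable ──
  local PROJECT_ID="" PROJECT_NAME="" PROJECT_SERVER=""
  local SUB_IDS=()

  if [[ -n "$API_BASE" && -n "$AIRTABLE_PROJECTS_TABLE" ]]; then
    local PROJECT_JSON PROJECT_INFO
    PROJECT_JSON="$(airtable_get "$AIRTABLE_PROJECTS_TABLE" "{Cpanel_User}=\"${USERNAME}\"" "1")"
    PROJECT_INFO="$(extract_project_info "$PROJECT_JSON")"

    # PROJECT_INFO has the form "id|name|server".
    PROJECT_ID="${PROJECT_INFO%%|*}"
    local _rest="${PROJECT_INFO#*|}"
    PROJECT_NAME="${_rest%%|*}"
    PROJECT_SERVER="${_rest#*|}"

    if [[ -n "$PROJECT_ID" ]]; then
      echo "  Airtable Project : ${PROJECT_NAME:-?} (${PROJECT_ID})"
      echo "  Servidor         : ${PROJECT_SERVER:-NO SET}"

      # The project name is placed inside a quoted formula string. An empty
      # name, or one carrying a quote or backslash, would change which rows
      # the filter selects, so no subscription rows are collected then.
      # NOTE(review): SEARCH() is a substring match — a project named "foo"
      # also matches subscriptions of "foobar"; verify against the base.
      if [[ -z "$PROJECT_NAME" || "$PROJECT_NAME" == *'"'* || "$PROJECT_NAME" == *'\'* ]]; then
        echo "  WARN: nombre de proyecto vacío o con comillas — no se buscan subscriptions." >&2
      else
        local SUBS_JSON
        SUBS_JSON="$(airtable_get "$AIRTABLE_SUBS_TABLE" "SEARCH(\"${PROJECT_NAME}\",{Project})")"
        while IFS= read -r rid; do
          [[ -n "$rid" ]] && SUB_IDS+=("$rid")
        done < <(extract_subscription_ids "$SUBS_JSON")
      fi
      echo "  Subscriptions    : ${#SUB_IDS[@]} registro(s)"
    else
      echo "  Airtable Project : NO ENCONTRADO (Cpanel_User=${USERNAME})"
    fi
  else
    echo "  Airtable         : NO CONFIGURADO"
  fi

  # ── Check for the local account ──
  local USER_EXISTS=false
  if id "${USERNAME}" &>/dev/null; then
    USER_EXISTS=true
    echo "  HestiaCP account : EXISTS"
  else
    echo "  HestiaCP account : NO ENCONTRADO"
  fi

  echo ""

  # ── Dry run: list every action the real run would take ──
  if [[ "$DRY_RUN" == "true" ]]; then
    echo "  DRY RUN — nada eliminado."
    if [[ "$USER_EXISTS" == "true" ]]; then
      echo "  Would backup:  v-backup-user '${USERNAME}'"
      echo "  Would delete: HestiaCP user '${USERNAME}'"
    fi
    if [[ -n "${HOSTINGER_TOKEN:-}" ]]; then
      echo "  Would delete: DNS A ${USERNAME}.${HOSTINGER_DNS_ZONE}"
    fi
    if [[ "$KEEP_AIRTABLE" != "true" && -n "$API_BASE" ]]; then
      if [[ -n "$PROJECT_ID" ]]; then
        echo "  Would delete: Airtable Project ${PROJECT_ID}"
      fi
      for sub_id in "${SUB_IDS[@]}"; do
        echo "  Would delete: Airtable Subscription ${sub_id}"
      done
    fi
    return 0
  fi

  # ── Backup before deleting ──
  if [[ "$USER_EXISTS" == "true" ]]; then
    backup_user_before_delete "${USERNAME}" || return 0
  fi

  # ── Per-account confirmation ──
  if [[ "$AUTO_CONFIRM" != "true" ]]; then
    local reply
    read -r -p "  Eliminar '${USERNAME}'? [y/N/a(ll)/q(uit)]: " reply
    case "$reply" in
      [Yy])  : ;;
      [Aa])  AUTO_CONFIRM=true ;;
      [Qq])  echo "Abortado."; exit 0 ;;
      *)     echo "  Saltando '${USERNAME}'."; return 0 ;;
    esac
  fi

  # ── Delete the HestiaCP account ──
  if [[ "$USER_EXISTS" == "true" ]]; then
    echo "  Eliminando cuenta HestiaCP..."
    if v-delete-user "${USERNAME}" yes 2>&1; then
      echo "  ✓ Cuenta HestiaCP eliminada"
    else
      echo "  WARN: v-delete-user falló — intentando limpieza manual..." >&2
      # `id` also resolves system accounts that HestiaCP does not manage.
      # The manual cleanup only proceeds for an account whose home is the
      # /home/<name> directory this fallback removes; anything else (root,
      # service accounts) is left alone.
      local home_dir
      home_dir="$(getent passwd "${USERNAME}" | cut -d: -f6)"
      if [[ -n "$home_dir" && "$home_dir" != "/home/${USERNAME}" ]]; then
        echo "  ERROR: '${USERNAME}' no tiene su home en /home/${USERNAME} — limpieza manual rechazada." >&2
        return 1
      fi
      userdel -r "${USERNAME}" 2>/dev/null || true
      # ${USERNAME:?} aborts the expansion instead of ever producing "/home/".
      rm -rf -- "/home/${USERNAME:?}" 2>/dev/null || true
      if id "${USERNAME}" &>/dev/null; then
        # Keep DNS and Airtable untouched so the run can be repeated.
        echo "  ERROR: la cuenta '${USERNAME}' sigue existiendo tras la limpieza manual." >&2
        return 1
      fi
      echo "  ✓ Usuario eliminado (fallback)"
    fi
  else
    echo "  HestiaCP: cuenta no encontrada — saltando"
  fi

  # ── Delete the DNS record ──
  delete_hostinger_dns "${USERNAME}" || status=1

  # ── Delete the Airtable rows, reporting each failure ──
  if [[ "$KEEP_AIRTABLE" != "true" && -n "$API_BASE" ]]; then
    for sub_id in "${SUB_IDS[@]}"; do
      if airtable_delete_record "$AIRTABLE_SUBS_TABLE" "$sub_id"; then
        echo "  ✓ Subscription eliminada: ${sub_id}"
      else
        echo "  WARN: no se pudo eliminar la Subscription ${sub_id}" >&2
        status=1
      fi
    done

    if [[ -n "$PROJECT_ID" ]]; then
      if airtable_delete_record "$AIRTABLE_PROJECTS_TABLE" "$PROJECT_ID"; then
        echo "  ✓ Project eliminado: ${PROJECT_ID}"
      else
        echo "  WARN: no se pudo eliminar el Project ${PROJECT_ID}" >&2
        status=1
      fi
    fi
  fi

  if (( status != 0 )); then
    echo "  WARN: '${USERNAME}' procesado con errores." >&2
    return 1
  fi

  echo "  ✓ '${USERNAME}' eliminado."
  return 0
}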

########################################
# CONSTRUIR LISTA DE USUARIOS
########################################

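# Build USERS, the list of accounts to process, either from HestiaCP
# (--all, optionally narrowed by --prefix) or from the comma-separated list.
USERS=()

# Names are later used in an Airtable formula, a JSON body and a path under
# /home; anything outside plain account-name characters is dropped here.
USERNAME_RE='^[A-Za-z0-9][A-Za-z0-9._-]*$'

if [[ "$ALL_MODE" == "true" ]]; then
  echo ""
  echo "Consultando usuarios en HestiaCP local..."

  # First column of the listing, minus the header row.
  ALL_USERS_RAW="$(v-list-users plain 2>/dev/null | awk '{print $1}' | grep -v '^USERNAME$' || true)"

  if [[ -z "$ALL_USERS_RAW" ]]; then
    echo "No se encontraron usuarios en HestiaCP." >&2
    exit 1
  fi

  while IFS= read -r u; do
    u="${u//[[:space:]]/}"
    [[ -z "$u" ]] && continue

    # Skip protected accounts
    if is_protected "$u"; then
      echo "  Protegido (saltando): ${u}"
      continue
    fi

    if [[ ! "$u" =~ $USERNAME_RE ]]; then
      echo "WARN: nombre de usuario no válido '${u}' — saltando." >&2
      continue
    fi

    # Apply the prefix filter. The prefix is quoted so it is compared
    # literally; unquoted, characters such as * ? [ would act as a glob and
    # select accounts that do not start with the given text.
    if [[ -n "$PREFIX_FILTER" && "$u" != "${PREFIX_FILTER}"* ]]; then
      continue
    fi

    USERS+=("$u")
  done <<< "$ALL_USERS_RAW"

  if [[ ${#USERS[@]} -eq 0 ]]; then
    if [[ -n "$PREFIX_FILTER" ]]; then
      echo "No se encontraron usuarios con prefijo '${PREFIX_FILTER}'."
    else
      echo "No se encontraron usuarios para eliminar."
    fi
    exit 0
  fi

else
  # Manual comma-separated list
  IFS=',' read -ra RAW_ARRAY <<< "$CPANEL_USERS_RAW"
  for u in "${RAW_ARRAY[@]}"; do
    u="${u//[[:space:]]/}"
    [[ -z "$u" ]] && continue
    if is_protected "$u"; then
      echo "WARN: '${u}' está protegido y no puede eliminarse — saltando." >&2
      continue
    fi
    if [[ ! "$u" =~ $USERNAME_RE ]]; then
      echo "WARN: nombre de usuario no válido '${u}' — saltando." >&2
      continue
    fi
    USERS+=("$u")
  done

  if [[ ${#USERS[@]} -eq 0 ]]; then
    echo "Lista vacía tras filtrar usuarios protegidos." >&2
    exit 1
  fi
fi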

########################################
# RESUMEN INICIAL
########################################

# Print what is about to happen and, unless --yes or --dry-run was given,
# ask once for confirmation of the whole batch.
TOTAL="${#USERS[@]}"

echo ""
echo "════════════════════════════════════════════"
echo "  DELETE HestiaCP — ${TOTAL} usuario(s)"
if [[ "$ALL_MODE" == "true" ]]; then
  if [[ -n "$PREFIX_FILTER" ]]; then
    echo "  Modo   : --all --prefix=${PREFIX_FILTER}"
  else
    echo "  Modo   : --all (TODOS excepto protegidos)"
  fi
fi
if [[ "$DRY_RUN" == "true" ]]; then
  echo "  Modo   : DRY RUN"
fi
if [[ "$KEEP_AIRTABLE" == "true" ]]; then
  echo "  Info   : registros Airtable se conservan"
fi
echo "  Protegidos: ${PROTECTED_USERS[*]}"
echo "════════════════════════════════════════════"

# Global confirmation, skipped when either --yes or --dry-run is active.
if ! [[ "$AUTO_CONFIRM" == "true" || "$DRY_RUN" == "true" ]]; then
  echo ""
  # Extra warning when every non-protected account is selected.
  if [[ "$ALL_MODE" == "true" && -z "$PREFIX_FILTER" ]]; then
    echo "  ⚠️  ATENCIÓN: Esto eliminará TODOS los ${TOTAL} usuarios."
  fi
  read -r -p "Proceder con ${TOTAL} usuarios? [y/N]: " global_reply
  case "$global_reply" in
    [Yy]) ;;
    *)
      echo "Cancelado."
      exit 0
      ;;
  esac
fi

########################################
# LOOP PRINCIPAL
########################################

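# Process every selected account and sort it into SUCCEEDED or FAILED by the
# return status of process_single_user.
SUCCEEDED=()
FAILED=()

# The loop variable is deliberately not called USER: that name is normally
# an exported environment variable, and reassigning it would change what
# every child process (v-* commands, curl, python3) sees as the login name.
for target_user in "${USERS[@]}"; do
  if process_single_user "$target_user"; then
    SUCCEEDED+=("$target_user")
  else
    FAILED+=("$target_user")
  fi
done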

########################################
# RESUMEN FINAL
########################################

# Final report. The account names of each group are joined with commas and
# shown in parentheses; an empty group shows only its count.
ok_detail=""
if (( ${#SUCCEEDED[@]} > 0 )); then
  ok_detail="$(IFS=','; echo "(${SUCCEEDED[*]})")"
fi

failed_detail=""
if (( ${#FAILED[@]} > 0 )); then
  failed_detail="$(IFS=','; echo "(${FAILED[*]})")"
fi

echo ""
echo "════════════════════════════════════════════"
echo "  RESUMEN"
echo "  Total  : ${TOTAL}"
echo "  OK     : ${#SUCCEEDED[@]}  ${ok_detail}"
echo "  Falló  : ${#FAILED[@]}  ${failed_detail}"
echo "════════════════════════════════════════════"

# Exit status 1 when at least one account ended up in FAILED.
if (( ${#FAILED[@]} > 0 )); then
  exit 1
fi
exit 0
