// Command edgeguard-ctl is the admin CLI for setup, migrations and
// (later) cluster ops. v1 wires migrate + initdb so postinst can
// initialise a fresh node; cluster-* and promote remain stubs until
// Phase 3.
package main

import (
	"fmt"
	"os"

	"git.netcell-it.de/projekte/edgeguard-native/internal/services/setup"
)

var version = "1.0.78"

const usage = `edgeguard-ctl — EdgeGuard CLI

Usage:
  edgeguard-ctl <command> [args]

Commands:
  version                      Print version and exit
  migrate up                   Apply pending migrations
  migrate down                 Roll back the most recent migration (dev only)
  migrate check                Validate embedded migrations (no DB connect)
  migrate dump [dir]           Write embedded SQL files to dir (default: ./migrations)
  initdb                       Create PostgreSQL role + database (idempotent)
  render-config                Regenerate haproxy / nftables configs from PG (--no-reload, --only=)
  wg-import [--path <dir>]     Import existing /etc/wireguard/*.conf files into the DB
  reset-password               Generate a one-time token for the /reset-password UI flow
  cluster-join                 Join an existing cluster (Phase 3, not yet implemented)
  promote                      Promote this node's PG to primary (Phase 3, not yet implemented)
  dump-config                  Print effective config (Phase 3, not yet implemented)
`

func main() {
	if len(os.Args) < 2 {
		fmt.Fprint(os.Stderr, usage)
		os.Exit(2)
	}
	switch os.Args[1] {
	case "-h", "--help", "help":
		fmt.Print(usage)
	case "version", "--version":
		fmt.Println(version)
	case "migrate":
		os.Exit(cmdMigrate(os.Args[2:]))
	case "initdb":
		os.Exit(cmdInitDB(os.Args[2:]))
	case "render-config":
		os.Exit(cmdRenderConfig(os.Args[2:]))
	case "wg-import":
		os.Exit(cmdWGImport(os.Args[2:]))
	case "reset-password":
		os.Exit(cmdResetPassword())
	case "cluster-join", "cluster-leave", "promote", "dump-config":
		fmt.Fprintf(os.Stderr, "edgeguard-ctl: %q is a Phase-3 stub — not yet implemented\n", os.Args[1])
		os.Exit(1)
	default:
		fmt.Fprintf(os.Stderr, "edgeguard-ctl: unknown command %q\n", os.Args[1])
		fmt.Fprint(os.Stderr, usage)
		os.Exit(2)
	}
}

// cmdResetPassword generates a single-use reset token and prints it to
// stdout. Operator pastes it into the /reset-password UI within 30 min.
// File mode 0600, owned by the edgeguard user — the CLI muss als sudo
// edgeguard ausgeführt werden (oder als root); fremde User sehen das
// Token nicht.
func cmdResetPassword() int {
	store := setup.NewStore(setup.DefaultDir)
	token, err := store.GenerateResetToken()
	if err != nil {
		fmt.Fprintf(os.Stderr, "edgeguard-ctl reset-password: %v\n", err)
		return 1
	}
	fmt.Println("Admin-Password-Reset-Token (gültig 30 Minuten):")
	fmt.Println()
	fmt.Println("    " + token)
	fmt.Println()
	fmt.Println("→ UI öffnen: https://<box-fqdn>/reset-password")
	fmt.Println("→ Token eingeben, neues Passwort setzen (min. 12 Zeichen)")
	fmt.Println("→ Token ist single-use und wird beim erfolgreichen Reset gelöscht.")
	return 0
}