#!/bin/bash
#
# Script to automate WordPress installation.
# Includes dependency checks, WP-CLI installation, database setup,
# WordPress core installation, and configuration.
#

# --- Configuration ---

# Exit immediately if a command exits with a non-zero status.
set -e
# Treat unset variables as an error when substituting.
set -u
# Pipe commands return the exit status of the last command in the pipe
set -o pipefail

# Colors for output messages
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# --- Default Values ---
# Avoid insecure defaults. Consider making these mandatory or generating random ones.
# Leaving them blank to force user input or argument passing.
WP_ADMIN_USER=""
WP_ADMIN_PASS=""
WP_ADMIN_EMAIL=""
WP_ROOT="/var/www/webroot/ROOT" # Default WordPress root directory
DOMAIN=""                      # Domain will be determined or required
DB_HOST="127.0.0.1"
DB_ROOT_USER="root"
DB_ROOT_PASS=""                # Require user to provide this for security
SKIP_DB_ROOT_RESET="false"     # By default, perform the root password reset (use --skip-db-root-reset to disable)
WEB_USER="litespeed"           # Web server user (e.g., www-data, apache, nginx)
WEB_GROUP="litespeed"          # Web server group

# --- Helper Functions ---

# Print informational messages
info() {
    printf "${BLUE}[INFO] %s${NC}\n" "$@"
}

# Print success messages
success() {
    printf "${GREEN}[SUCCESS] %s${NC}\n" "$@"
}

# Print warning messages
warning() {
    printf "${YELLOW}[WARNING] %s${NC}\n" "$@"
}

# Print error messages and exit
error_exit() {
    printf "${RED}[ERROR] %s${NC}\n" "$@" >&2
    exit 1
}

# Function to display usage information
usage() {
    printf "Usage: %s [OPTIONS]\n" "$0"
    printf "\n"
    printf "Automates the installation of WordPress.\n"
    printf "\n"
    printf "Required Options:\n"
    printf "  --wpusername=USERNAME   WordPress admin username (mandatory)\n"
    printf "  --wppassword=PASSWORD   WordPress admin password (mandatory)\n"
    printf "  --wpemail=EMAIL         WordPress admin email (mandatory)\n"
    printf "  --dbrootpass=PASSWORD   Current MySQL/MariaDB root password (mandatory unless resetting)\n"
    printf "\n"
    printf "Optional Options:\n"
    printf "  --wproot=PATH           WordPress installation directory (default: %s)\n" "$WP_ROOT"
    printf "  --domain=DOMAIN         Domain name for the site (default: auto-detected from hostname)\n"
    printf "  --webuser=USER          Web server user (default: %s)\n" "$WEB_USER"
    printf "  --webgroup=GROUP        Web server group (default: %s)\n" "$WEB_GROUP"
    printf "  --dbhost=HOST           Database host (default: %s)\n" "$DB_HOST"
    printf "  --reset-db-root-pass    Perform the risky root password reset (requires sudo without password)\n"
    printf "  -h, --help              Display this help message\n"
    printf "\n"
    printf "Example:\n"
    printf "  %s --wpusername=myuser --wppassword='securePass' --wpemail=me@example.com --dbrootpass='currentRootPass'\n" "$0"
    printf "  %s --wpusername=myuser --wppassword='securePass' --wpemail=me@example.com --reset-db-root-pass --domain=example.com\n" "$0"
    exit 1
}

# Function to check if a command exists
command_exists() {
    command -v "$1" &> /dev/null
}

# Function to generate a random secure password
generate_password() {
    openssl rand -base64 16 # Increased length slightly
}

# Function to clean up temporary files
cleanup() {
    info "Cleaning up temporary files..."
    rm -f "$WP_CLI_CONFIG_PATH"
    # Add any other cleanup tasks here
}

# --- Argument Parsing ---
# Using getopt for better argument handling
TEMP=$(getopt -o h --longoptions help,wpusername:,wppassword:,wpemail:,wproot:,domain:,dbhost:,dbrootpass:,reset-db-root-pass,webuser:,webgroup: -n "$0" -- "$@")
if [ $? != 0 ]; then
    error_exit "Terminating... Invalid arguments."
fi

# Note the quotes around "$TEMP": they are essential!
eval set -- "$TEMP"
unset TEMP

PERFORM_DB_ROOT_RESET="false"

while true; do
    case "$1" in
        --wpusername) WP_ADMIN_USER="$2"; shift 2 ;;
        --wppassword) WP_ADMIN_PASS="$2"; shift 2 ;;
        --wpemail) WP_ADMIN_EMAIL="$2"; shift 2 ;;
        --wproot) WP_ROOT="$2"; shift 2 ;;
        --domain) DOMAIN="$2"; shift 2 ;;
        --dbhost) DB_HOST="$2"; shift 2 ;;
        --dbrootpass) DB_ROOT_PASS="$2"; shift 2 ;;
        --reset-db-root-pass) PERFORM_DB_ROOT_RESET="true"; shift 1 ;;
        --webuser) WEB_USER="$2"; shift 2 ;;
        --webgroup) WEB_GROUP="$2"; shift 2 ;;
        -h|--help) usage ;;
        --) shift ; break ;; # End of options
        *) error_exit "Internal error! Unexpected option: $1";;
    esac
done

# --- Validation ---
info "Validating parameters..."

if [[ -z "$WP_ADMIN_USER" ]]; then error_exit "WordPress admin username (--wpusername) is required."; fi
if [[ -z "$WP_ADMIN_PASS" ]]; then error_exit "WordPress admin password (--wppassword) is required."; fi
if [[ -z "$WP_ADMIN_EMAIL" ]]; then error_exit "WordPress admin email (--wpemail) is required."; fi
if [[ ! "$WP_ADMIN_EMAIL" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]; then error_exit "Invalid email format for --wpemail."; fi
if [[ "$PERFORM_DB_ROOT_RESET" == "false" && -z "$DB_ROOT_PASS" ]]; then error_exit "Database root password (--dbrootpass) is required unless --reset-db-root-pass is used."; fi
if [[ "$PERFORM_DB_ROOT_RESET" == "true" && -n "$DB_ROOT_PASS" ]]; then warning "Both --reset-db-root-pass and --dbrootpass provided. Will perform reset and ignore provided root password."; fi
if [[ ! -d "$WP_ROOT" ]]; then error_exit "WordPress root directory '$WP_ROOT' does not exist or is not a directory."; fi
if ! id "$WEB_USER" &>/dev/null; then error_exit "Web user '$WEB_USER' does not exist."; fi
if ! getent group "$WEB_GROUP" &>/dev/null; then error_exit "Web group '$WEB_GROUP' does not exist."; fi

# --- Determine Domain ---
if [[ -z "$DOMAIN" ]]; then
    if ! command_exists hostname; then error_exit "'hostname' command not found. Please specify --domain."; fi
    FULL_HOSTNAME=$(hostname -f)
    # Attempt to remove common node prefixes, make this more robust if needed
    DOMAIN=$(echo "$FULL_HOSTNAME" | sed -E 's/^(node[0-9]*-|wp-|web-|host-)//')
    if [[ -z "$DOMAIN" || "$DOMAIN" == "$FULL_HOSTNAME" ]]; then
        warning "Could not reliably determine domain from hostname '$FULL_HOSTNAME'. Using it as is."
        DOMAIN="$FULL_HOSTNAME"
    fi
    info "Auto-detected domain: $DOMAIN (Use --domain to override)"
else
    info "Using specified domain: $DOMAIN"
fi

# --- Dependency Checks ---
info "Checking dependencies..."
declare -a dependencies=("php" "mysql" "curl" "openssl" "sudo" "hostname" "sed" "systemctl" "getopt")
for cmd in "${dependencies[@]}"; do
    if ! command_exists "$cmd"; then
        error_exit "Required command '$cmd' is not installed. Please install it first."
    fi
done
# Specific check for pkill if reset is chosen
if [[ "$PERFORM_DB_ROOT_RESET" == "true" ]]; then
    if ! command_exists pkill; then error_exit "'pkill' command not found, but required for --reset-db-root-pass."; fi
    if ! command_exists mysqld_safe; then error_exit "'mysqld_safe' command not found, but required for --reset-db-root-pass."; fi
fi
success "All dependencies found."

# --- WP-CLI Setup ---
WP_CLI_PATH="/usr/local/bin/wp"

# Check if WP-CLI is installed and executable
if ! command_exists wp; then
    info "WP-CLI not found. Installing WP-CLI..."
    if ! curl -o wp-cli.phar https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar; then
        error_exit "Failed to download WP-CLI."
    fi
    chmod +x wp-cli.phar
    if ! sudo mv wp-cli.phar "$WP_CLI_PATH"; then
        error_exit "Failed to move WP-CLI to $WP_CLI_PATH. Check sudo permissions."
    fi
    # Verify installation
    if ! command_exists wp; then
        error_exit "WP-CLI installation failed unexpectedly."
    fi
    success "WP-CLI installed successfully to $WP_CLI_PATH"
else
    success "WP-CLI is already installed."
fi

# Set up temporary WP-CLI config for HTTP_HOST if needed
export WP_CLI_CONFIG_PATH="/tmp/wp-cli-config-$RANDOM.yml"
cat > "$WP_CLI_CONFIG_PATH" <<EOF
# Temporary config to help WP-CLI resolve the site URL
# This might not always be necessary depending on server config
apache_modules:
  - mod_rewrite
_:
  server:
    HTTP_HOST: $DOMAIN
    HTTPS: on # Assume HTTPS
EOF
# Set trap to clean up the temp file on exit
trap cleanup EXIT

# --- Database Setup ---
info "Setting up database..."
DB_NAME="wpdb_$(openssl rand -hex 4)"
DB_USER="wpuser_$(openssl rand -hex 4)"
DB_PASSWORD=$(generate_password)

if [[ "$PERFORM_DB_ROOT_RESET" == "true" ]]; then
    # --- Risky Root Password Reset ---
    warning "Attempting to reset MariaDB/MySQL root password. This is risky!"
    new_root_password=$(generate_password)
    info "New root password will be: $new_root_password"

    info "Stopping MariaDB service..."
    if ! sudo systemctl stop mariadb; then error_exit "Failed to stop MariaDB service."; fi
    # Wait a moment to ensure it stopped
    sleep 3

    info "Starting MariaDB in safe mode (skip-grant-tables)..."
    sudo mysqld_safe --skip-grant-tables --skip-networking &
    MYSQLD_SAFE_PID=$!
    # Wait for MariaDB to likely start in safe mode
    sleep 10 # Increased wait time for reliability

    info "Attempting to reset root password..."
    # Try multiple common root user variations
    if ! sudo mysql --protocol=socket -u root <<-EOF
FLUSH PRIVILEGES;
ALTER USER 'root'@'localhost' IDENTIFIED BY '$new_root_password';
ALTER USER 'root'@'127.0.0.1' IDENTIFIED BY '$new_root_password';
FLUSH PRIVILEGES;
EXIT
EOF
    then
        warning "Failed initial root password reset attempt. Trying alternative command..."
        # Fallback for older MySQL/MariaDB versions
        if ! sudo mysql --protocol=socket -u root <<-EOF
FLUSH PRIVILEGES;
UPDATE mysql.user SET Password=PASSWORD('$new_root_password') WHERE User='root' AND Host='localhost';
UPDATE mysql.user SET Password=PASSWORD('$new_root_password') WHERE User='root' AND Host='127.0.0.1';
FLUSH PRIVILEGES;
EXIT
EOF
        then
             warning "Both root password reset methods failed. Trying grant table directly (less reliable)."
             # This might be needed on some very old or strangely configured systems
             if ! sudo mysql --protocol=socket -u mysql <<-EOF
FLUSH PRIVILEGES;
UPDATE mysql.user SET authentication_string=PASSWORD('$new_root_password') WHERE User='root';
FLUSH PRIVILEGES;
EXIT
EOF
             then
                error_exit "All attempts to reset the root password failed. Check MySQL/MariaDB logs. Manual intervention required."
             fi
        fi
    fi
    success "Root password likely reset in safe mode."

    info "Stopping MariaDB safe mode process..."
    # Attempt to kill the background mysqld_safe process gracefully first, then force if needed
    sudo kill $MYSQLD_SAFE_PID || true # Try killing the specific PID
    sleep 2
    sudo pkill -f mysqld_safe || true # Broader attempt
    sleep 2
    sudo pkill -f mariadbd || sudo pkill -f mysqld || true # Kill any lingering daemons
    sleep 3

    info "Starting MariaDB service normally..."
    if ! sudo systemctl start mariadb; then error_exit "Failed to start MariaDB service after password reset."; fi
    sleep 5 # Allow time for service to initialize

    if ! sudo systemctl is-active --quiet mariadb; then error_exit "MariaDB service failed to start or become active. Check service status."; fi
    success "MariaDB service started successfully with new root password."
    DB_ROOT_PASS="$new_root_password" # Use the newly set password
else
    info "Using provided root password to create database and user."
    # Test connection with provided root password
    if ! mysql -u "$DB_ROOT_USER" -p"$DB_ROOT_PASS" -h "$DB_HOST" -e "SELECT 1;" &> /dev/null; then
        error_exit "Failed to connect to database using provided root credentials. Check user, password, and host."
    fi
    success "Database root connection successful."
fi

# --- Create WordPress Database and User ---
info "Creating WordPress database '$DB_NAME' and user '$DB_USER'..."
# Use printf for safer password injection into the command
SQL_COMMAND=$(printf "CREATE DATABASE IF NOT EXISTS %s CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; CREATE USER IF NOT EXISTS '%s'@'%s' IDENTIFIED BY '%s'; GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s'; FLUSH PRIVILEGES;" \
    "$DB_NAME" "$DB_USER" "$DB_HOST" "$DB_PASSWORD" "$DB_NAME" "$DB_USER" "$DB_HOST")

if ! mysql -u "$DB_ROOT_USER" -p"$DB_ROOT_PASS" -h "$DB_HOST" -e "$SQL_COMMAND"; then
    error_exit "Failed to create WordPress database or user. Check MySQL/MariaDB logs and permissions."
fi
success "Database and user created successfully."

# --- WordPress Installation ---
info "Navigating to WordPress root: $WP_ROOT"
cd "$WP_ROOT" || error_exit "Failed to change directory to $WP_ROOT"

# Backup existing wp-config.php if it exists
if [[ -f "wp-config.php" ]]; then
    BACKUP_NAME="wp-config.php.bak.$(date +%Y%m%d%H%M%S)"
    info "Backing up existing wp-config.php to $BACKUP_NAME"
    cp wp-config.php "$BACKUP_NAME"
fi

# Download WordPress core files if necessary (index.php is a good indicator)
# Run wp commands as the web user if possible, falling back to --allow-root if needed
WP_RUN_ARGS=("--path=$WP_ROOT")
# Determine if sudo is needed to run as web user
SUDO_CMD=""
if [[ "$(id -u)" -ne "$(id -u "$WEB_USER")" ]]; then
    SUDO_CMD="sudo -u $WEB_USER"
    # Check if we can sudo without password, otherwise need --allow-root
    if ! sudo -n -u "$WEB_USER" true &>/dev/null; then
        warning "Cannot sudo to '$WEB_USER' without a password. Using --allow-root for WP-CLI commands."
        SUDO_CMD="" # Clear sudo command
        WP_RUN_ARGS+=("--allow-root")
    else
         info "Running WP-CLI commands as user '$WEB_USER'."
    fi
fi


if [[ ! -f "index.php" || ! -d "wp-admin" ]]; then
    info "WordPress core files not found. Downloading..."
    if ! $SUDO_CMD wp core download "${WP_RUN_ARGS[@]}" --skip-content --version=latest; then
        error_exit "Failed to download WordPress core files."
    fi
    success "WordPress core downloaded."
else
    info "WordPress files already exist. Skipping download."
fi

# --- Create wp-config.php ---
# Using wp cli command is generally preferred, but manual creation is more robust if WP-CLI has issues.
# We'll stick to the manual creation from your original script as it included specific fixes.
info "Creating wp-config.php..."
# Generate Salts using WP-CLI if possible, otherwise fallback to openssl
SALTS=$($SUDO_CMD wp config salt generate --raw "${WP_RUN_ARGS[@]}" 2>/dev/null || {
    warning "Could not generate salts using WP-CLI, falling back to openssl (less standard format)."
    echo "define( 'AUTH_KEY',         '$(generate_password)' );"
    echo "define( 'SECURE_AUTH_KEY',  '$(generate_password)' );"
    echo "define( 'LOGGED_IN_KEY',    '$(generate_password)' );"
    echo "define( 'NONCE_KEY',        '$(generate_password)' );"
    echo "define( 'AUTH_SALT',        '$(generate_password)' );"
    echo "define( 'SECURE_AUTH_SALT', '$(generate_password)' );"
    echo "define( 'LOGGED_IN_SALT',   '$(generate_password)' );"
    echo "define( 'NONCE_SALT',       '$(generate_password)' );"
})

# Use cat with heredoc for wp-config.php creation
cat > wp-config.php <<EOF
<?php
/**
 * The base configuration for WordPress
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', '${DB_NAME}' );

/** Database username */
define( 'DB_USER', '${DB_USER}' );

/** Database password */
define( 'DB_PASSWORD', '${DB_PASSWORD}' );

/** Database hostname */
define( 'DB_HOST', '${DB_HOST}' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' ); // Use utf8mb4 for better character support

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 * Generate these at: https://api.wordpress.org/secret-key/1.1/salt/
 * You can change these at any point to invalidate all existing cookies. This will force all users to have to log in again.
 */
${SALTS}
/**#@-*/

/**
 * WordPress database table prefix.
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
\$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */

define( 'WP_MEMORY_LIMIT', '256M' );
define( 'WP_AUTO_UPDATE_CORE', false ); // Or 'minor' or true

// Define site URL and home URL (ensure protocol matches server setup)
define( 'WP_HOME', 'https://${DOMAIN}' );
define( 'WP_SITEURL', 'https://${DOMAIN}' );

// If using a reverse proxy, this might be needed:
// if (isset(\$_SERVER['HTTP_X_FORWARDED_PROTO']) && \$_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
//     \$_SERVER['HTTPS'] = 'on';
// }

// Fix missing HTTP_HOST for CLI operations
if ( defined( 'WP_CLI' ) && WP_CLI && ! isset( \$_SERVER['HTTP_HOST'] ) ) {
    \$_SERVER['HTTP_HOST'] = '${DOMAIN}';
}


/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
EOF

if [[ ! -f "wp-config.php" ]]; then
    error_exit "Failed to create wp-config.php file."
fi
success "wp-config.php created successfully."

# --- Set Permissions ---
info "Setting file permissions..."
# Set ownership first
if ! sudo chown -R "${WEB_USER}:${WEB_GROUP}" "$WP_ROOT"; then
    error_exit "Failed to set ownership on $WP_ROOT."
fi
# Set directory and file permissions
# Ensure the script runner has write access to the directory to run find
cd "$WP_ROOT" || error_exit "Failed to cd into $WP_ROOT before setting permissions"
if ! sudo find . -type d -exec chmod 755 {} \; ; then
    warning "Could not set directory permissions using find. Check sudo permissions."
fi
if ! sudo find . -type f -exec chmod 644 {} \; ; then
     warning "Could not set file permissions using find. Check sudo permissions."
fi
# Ensure wp-config.php is readable by the web server, but not world-writable
if ! sudo chmod 640 wp-config.php; then # More secure permission
    warning "Could not set specific permissions on wp-config.php."
fi
success "File permissions set."

# --- WordPress Core Installation ---
# Check if WordPress is already installed before attempting installation
if ! $SUDO_CMD wp core is-installed "${WP_RUN_ARGS[@]}"; then
    info "WordPress is not installed. Proceeding with installation..."
    if ! $SUDO_CMD wp core install \
        --url="https://$DOMAIN" \
        --title="My WordPress Site on $DOMAIN" \
        --admin_user="$WP_ADMIN_USER" \
        --admin_password="$WP_ADMIN_PASS" \
        --admin_email="$WP_ADMIN_EMAIL" \
        --skip-email \
        "${WP_RUN_ARGS[@]}"; then # Added skip-email
        error_exit "WordPress core installation failed."
    fi

    info "Removing default plugins (Akismet, Hello Dolly)..."
    $SUDO_CMD wp plugin delete akismet hello "${WP_RUN_ARGS[@]}" --quiet || warning "Could not delete default plugins."

    success "WordPress installed successfully."
else
    info "WordPress is already installed."
    # Optionally update URL if needed (be careful with this)
    # info "Verifying site URL..."
    # $SUDO_CMD wp option update siteurl "https://$DOMAIN" "${WP_RUN_ARGS[@]}"
    # $SUDO_CMD wp option update home "https://$DOMAIN" "${WP_RUN_ARGS[@]}"
fi

# --- Final Summary ---
success "WordPress setup completed!"
printf "\n--- ${YELLOW}Installation Summary${NC} ---\n"
printf "Site URL:         ${GREEN}https://%s${NC}\n" "$DOMAIN"
printf "WP Root:          ${GREEN}%s${NC}\n" "$WP_ROOT"
printf "Web User:         ${GREEN}%s${NC}\n" "$WEB_USER"
printf "Web Group:        ${GREEN}%s${NC}\n" "$WEB_GROUP"
printf "\n"
printf "${YELLOW}Admin Credentials:${NC}\n"
printf "  Username:       ${GREEN}%s${NC}\n" "$WP_ADMIN_USER"
printf "  Password:       ${YELLOW}%s${NC} (Keep this safe!)\n" "$WP_ADMIN_PASS"
printf "  Email:          ${GREEN}%s${NC}\n" "$WP_ADMIN_EMAIL"
printf "\n"
printf "${YELLOW}Database Credentials:${NC}\n"
printf "  Database Name:  ${GREEN}%s${NC}\n" "$DB_NAME"
printf "  Username:       ${GREEN}%s${NC}\n" "$DB_USER"
printf "  Password:       ${YELLOW}%s${NC} (Keep this safe!)\n" "$DB_PASSWORD"
printf "  Host:           ${GREEN}%s${NC}\n" "$DB_HOST"
if [[ "$PERFORM_DB_ROOT_RESET" == "true" ]]; then
    printf "\n${RED}IMPORTANT: The MySQL/MariaDB root password was reset to:${NC}\n"
    printf "  Root Password:  ${YELLOW}%s${NC}\n" "$DB_ROOT_PASS"
fi
printf "---------------------------\n"

exit 0