namespace ControlPlane.Core.Config;

/// <summary>
/// Central configuration for all infrastructure URLs, network names, and domain values.
/// Bind from the "Clarity" section in appsettings.json or via AppHost environment variables.
/// Eliminates hardcoded strings spread across Worker, AppHost, and generated configs.
/// </summary>
public sealed class ClarityInfraOptions
{
    public const string Section = "Clarity";

    // ── Domain ────────────────────────────────────────────────────────────

    /// <summary>The base DNS domain for all tenant subdomains. e.g. "clarity.test"</summary>
    public string Domain { get; set; } = "clarity.test";

    /// <summary>The Docker network all managed containers are attached to.</summary>
    public string Network { get; set; } = "clarity-net";

    // ── Keycloak ──────────────────────────────────────────────────────────

    /// <summary>Public browser-facing Keycloak URL — used in redirect URIs and JWT iss claim.</summary>
    public string KeycloakPublicUrl { get; set; } = "https://keycloak.clarity.test";

    /// <summary>Internal Docker DNS URL for server-side Keycloak calls (avoids self-signed cert).</summary>
    public string KeycloakInternalUrl { get; set; } = "http://keycloak:8080";

    // ── Vault ─────────────────────────────────────────────────────────────

    /// <summary>Internal Docker DNS URL for Vault — injected into tenant containers.</summary>
    public string VaultInternalUrl { get; set; } = "http://vault:8200";

    // ── nginx SSL certs ───────────────────────────────────────────────────

    /// <summary>Path to the wildcard TLS cert inside the nginx container.</summary>
    public string NginxCertPath { get; set; } = "/etc/nginx/certs/clarity.test.crt";

    /// <summary>Path to the wildcard TLS key inside the nginx container.</summary>
    public string NginxCertKeyPath { get; set; } = "/etc/nginx/certs/clarity.test.key";

    // ── Helpers ───────────────────────────────────────────────────────────

    /// <summary>Builds the public tenant URL for a given subdomain.</summary>
    public string TenantPublicUrl(string subdomain) => $"https://{subdomain}.{Domain}";

    /// <summary>Builds the public Keycloak realm URL for a given realm (browser-facing).</summary>
    public string KeycloakRealmPublicUrl(string realm) => $"{KeycloakPublicUrl}/realms/{realm}";

    /// <summary>Builds the internal Keycloak realm URL for a given realm (server-side).</summary>
    public string KeycloakRealmInternalUrl(string realm) => $"{KeycloakInternalUrl}/realms/{realm}";
}