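#!/bin/bash
# Obtain TLS certificates from Let's Encrypt for evosync.ru.
#
# Run once on first deploy, from the repository root:
#   sudo ./scripts/init-letsencrypt.sh
#
# Environment (all optional):
#   LETSENCRYPT_EMAIL     ACME account / expiry-notice address
#                         (default admin@evosync.ru)
#   LETSENCRYPT_STAGING   set to 1 to use the Let's Encrypt staging CA while
#                         testing: no issuance rate limits, but the resulting
#                         cert is NOT trusted by browsers. When switching from
#                         staging to production, delete ./certbot/conf first
#                         (or add --force-renewal), otherwise the existing
#                         staging cert is kept by --keep-until-expiring.
#   CERTBOT_IMAGE         certbot image to run (default certbot/certbot).
#                         Pin a tag or digest in production so issuance and
#                         renewal do not silently pull whatever is :latest.
#   COMPOSE_PROJECT_NAME  compose project name; the default docker network is
#                         derived from it as <project>_default.
set -euo pipefail

DOMAIN="evosync.ru"
EMAIL="${LETSENCRYPT_EMAIL:-admin@evosync.ru}"
COMPOSE="docker compose"
CERTBOT_DIR="./certbot"
CERTBOT_IMAGE="${CERTBOT_IMAGE:-certbot/certbot}"
TMP_CONF="nginx/nginx-temp.conf"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Every path below (nginx/, ./certbot) is relative to the repository root, so
# resolve it from the script's own location instead of trusting the caller's cwd.
cd "$(dirname "${BASH_SOURCE[0]}")/.." || die "cannot cd to repository root"
[[ -d nginx ]] || die "nginx/ not found in $PWD; expected to run from the repository root"

# docker -v needs absolute host paths; strip the leading ./ so the mount
# source is clean (/repo/certbot rather than /repo/./certbot).
CERTBOT_ABS="$PWD/${CERTBOT_DIR#./}"

# Remove the temporary HTTP-only config on every exit path, including a failed
# certbot run aborting the script under set -e, so a retry never starts from a
# stale temp file. Called explicitly on the success path before nginx restarts.
cleanup() { rm -f -- "$TMP_CONF"; }
trap cleanup EXIT

echo "==> Creating certbot directories..."
# conf/ will hold the ACME account key and live/<domain>/privkey.pem: treat it
# as secret material (keep it out of version control and unencrypted backups).
mkdir -p "$CERTBOT_DIR/conf" "$CERTBOT_DIR/www"

echo "==> Starting nginx (HTTP only, for ACME challenge)..."
# Temporary config with no TLS so nginx can come up before any cert exists.
# The heredoc is unquoted on purpose so DOMAIN is expanded; it contains no
# other $ or backticks.
# NOTE(review): how the nginx service picks this file up (conf.d mount,
# include, ...) is defined in the compose file / nginx config, not here.
cat > "$TMP_CONF" <<TMPCONF
server {
    listen 80;
    server_name $DOMAIN www.$DOMAIN;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 200 'Setting up TLS...';
        add_header Content-Type text/plain;
    }
}
TMPCONF
$COMPOSE up -d nginx

echo "==> Requesting certificate from Let's Encrypt..."
# --non-interactive: never block on a prompt (safe to re-run after a partial
#   failure or from automation).
# --keep-until-expiring: a re-run keeps an existing valid cert instead of
#   re-issuing and burning the duplicate-certificate rate limit.
certbot_args=(
  certonly
  --webroot --webroot-path=/var/www/certbot
  --email "$EMAIL" --agree-tos --no-eff-email
  --non-interactive --keep-until-expiring
  -d "$DOMAIN" -d "www.$DOMAIN"
)
if [[ "${LETSENCRYPT_STAGING:-0}" == "1" ]]; then
  certbot_args+=(--staging)
fi

docker run --rm \
  -v "$CERTBOT_ABS/conf:/etc/letsencrypt" \
  -v "$CERTBOT_ABS/www:/var/www/certbot" \
  --network "${COMPOSE_PROJECT_NAME:-evo-syncgit}_default" \
  "$CERTBOT_IMAGE" "${certbot_args[@]}"

echo "==> Restoring production nginx config..."
cleanup

echo "==> Restarting nginx with TLS..."
$COMPOSE restart nginx

echo "==> Done! TLS certificate installed for $DOMAIN"
echo "    Set up auto-renewal with: sudo crontab -e"
# certbot renew only re-issues within ~30 days of expiry; the nginx restart is
# what makes a renewed cert actually get loaded. Paths are %q-quoted so a
# repository path containing spaces still yields a valid cron command line.
printf '    Add: 0 3 * * * cd %q && docker run --rm -v %q:/etc/letsencrypt -v %q:/var/www/certbot %q renew --quiet && %s restart nginx\n' \
  "$PWD" "$CERTBOT_ABS/conf" "$CERTBOT_ABS/www" "$CERTBOT_IMAGE" "$COMPOSE"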