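#!/bin/bash
# SSL Certificate Installation Script for Gitea Production
# This script installs Let's Encrypt SSL certificates for repos.guschin.info
#
# Usage: run from the directory that holds docker-compose.yml and .env; the
# renewal hook this script installs records that directory as an absolute path.
# Requires: GITEA_DOMAIN set in .env, sudo, docker and docker-compose, and
# network reachability from Let's Encrypt to port 80 of this host. certbot is
# installed on demand when it is missing.
set -euo pipefail

readonly PROD_DOMAIN="repos.guschin.info"
readonly CERT_DIR="./certs"
readonly RENEWAL_HOOK="/etc/letsencrypt/renewal-hooks/deploy/gitea-reload.sh"

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: message text
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Load .env from the current directory and require GITEA_DOMAIN.
# Globals:  GITEA_DOMAIN (set by .env)
# Note: .env is executed as shell code, so it must only be writable by the
# deploying user.
#######################################
load_env() {
  [[ -f .env ]] || die "✗ Error: .env file not found!"
  # shellcheck disable=SC1091
  source .env
  echo "✓ Loaded environment variables from .env"
  # An empty domain would otherwise reach certbot as `-d ""` and fail late.
  [[ -n "${GITEA_DOMAIN:-}" ]] || die "✗ Error: GITEA_DOMAIN is not set in .env"
}

#######################################
# Warn and ask for confirmation when GITEA_DOMAIN is not the production domain.
# Globals:  GITEA_DOMAIN, PROD_DOMAIN (read)
# Returns:  0 to proceed; exits 1 if the operator declines
#######################################
confirm_domain() {
  if [[ "${GITEA_DOMAIN}" == "${PROD_DOMAIN}" ]]; then
    return 0
  fi
  echo "✗ Warning: This script is intended for production (${PROD_DOMAIN})"
  echo "  Current domain: ${GITEA_DOMAIN}"
  read -p "Continue anyway? (y/N): " -n 1 -r
  echo
  [[ $REPLY =~ ^[Yy]$ ]] || exit 1
}

#######################################
# Install certbot with the distro's package manager if it is not on PATH.
# Returns:  0 on success; exits 1 on an unrecognised distro
#######################################
install_certbot() {
  if command -v certbot > /dev/null 2>&1; then
    return 0
  fi
  echo "Certbot is not installed. Installing..."
  # The distro is detected from its marker file, as in the original script.
  if [[ -f /etc/debian_version ]]; then
    # Debian/Ubuntu
    sudo apt-get update
    sudo apt-get install -y certbot
  elif [[ -f /etc/redhat-release ]]; then
    # RHEL/CentOS/Fedora
    sudo yum install -y certbot
  elif [[ -f /etc/arch-release ]]; then
    # Arch Linux
    sudo pacman -S --noconfirm certbot
  else
    die "✗ Error: Unsupported OS. Please install certbot manually."
  fi
  echo "✓ Certbot installed"
}

#######################################
# Verify that the Docker daemon is reachable.
#######################################
check_docker() {
  docker info > /dev/null 2>&1 || die "✗ Error: Docker is not running!"
  echo "✓ Docker is running"
}

#######################################
# Obtain the certificate in standalone mode and copy it into CERT_DIR.
# Globals:  GITEA_DOMAIN, CERT_DIR (read)
# Arguments: $1 - contact email for Let's Encrypt notifications
# Returns:  0 on success; exits 1 when certbot fails
#######################################
obtain_certificate() {
  local email=$1
  local running

  # Stop Gitea if it is running so certbot's standalone listener can bind
  # port 80. Only the container names are inspected, not the whole ps line.
  running=$(docker ps --format '{{.Names}}')
  if [[ "${running}" == *gitea* ]]; then
    echo "Stopping Gitea container to free up port 80..."
    docker-compose stop gitea
  fi

  # Testing the command directly in `if` keeps `set -e` from aborting before
  # the failure branch can report anything (a bare `$?` check never ran).
  if sudo certbot certonly \
      --standalone \
      --preferred-challenges http \
      --email "${email}" \
      --agree-tos \
      --no-eff-email \
      -d "${GITEA_DOMAIN}"; then
    echo "✓ SSL certificate obtained successfully!"
  else
    die "✗ Error: Failed to obtain SSL certificate!"
  fi

  local live_dir="/etc/letsencrypt/live/${GITEA_DOMAIN}"
  sudo cp -- "${live_dir}/fullchain.pem" "${CERT_DIR}/"
  sudo cp -- "${live_dir}/privkey.pem" "${CERT_DIR}/"
  sudo chown "$(id -u):$(id -g)" "${CERT_DIR}"/*.pem
  # The private key leaves the root-only /etc/letsencrypt tree here, so pin
  # its mode rather than relying on whatever cp and the umask produced.
  chmod 600 "${CERT_DIR}/privkey.pem"
  echo "✓ Certificates copied to ${CERT_DIR}"
}

#######################################
# Write the certbot deploy hook that copies renewed certificates and
# restarts Gitea.
# Globals:  GITEA_DOMAIN, RENEWAL_HOOK (read)
# Note: the project directory and domain are baked into the hook with
# printf %q, so paths containing spaces or sed metacharacters cannot break
# the generated script (the previous `sed -i "s|...|$(pwd)|"` could).
#######################################
install_renewal_hook() {
  local project_dir
  project_dir=$(pwd)

  sudo mkdir -p "$(dirname -- "${RENEWAL_HOOK}")"
  # Unquoted delimiter: only the $(printf ...) substitutions expand here; the
  # hook's own variables are escaped so they are evaluated at renewal time.
  sudo tee "${RENEWAL_HOOK}" > /dev/null <<EOF
#!/bin/bash
# Gitea SSL certificate renewal hook (generated by the install script)
CERT_DIR=$(printf '%q' "${project_dir}/certs")
DOMAIN=$(printf '%q' "${GITEA_DOMAIN}")

# Copy new certificates
cp "/etc/letsencrypt/live/\${DOMAIN}/fullchain.pem" "\${CERT_DIR}/"
cp "/etc/letsencrypt/live/\${DOMAIN}/privkey.pem" "\${CERT_DIR}/"
chmod 600 "\${CERT_DIR}/privkey.pem"

# Restart Gitea to load new certificates
cd $(printf '%q' "${project_dir}") || exit 1
docker-compose restart gitea
echo "Gitea SSL certificates updated and service restarted"
EOF
  sudo chmod +x "${RENEWAL_HOOK}"
  echo "✓ Renewal hook installed"
}

#######################################
# Dry-run a renewal; a failure is reported as a warning, not an abort.
#######################################
test_renewal() {
  echo "Testing automatic renewal..."
  # NOTE(review): this dry run happens while Gitea is stopped. If Gitea or the
  # reverse proxy later binds port 80, standalone renewal will need the port
  # freed (certbot --pre-hook/--post-hook) — verify against the final compose
  # setup; the hook installed above only runs after a successful renewal.
  if sudo certbot renew --dry-run; then
    echo "✓ Automatic renewal test passed"
  else
    echo "✗ Warning: Automatic renewal test failed"
    echo "  Please check certbot configuration"
  fi
}

#######################################
# Entry point: run the installation steps in order and print a summary.
#######################################
main() {
  local email

  echo "==================================="
  echo "SSL Certificate Installation"
  echo "==================================="

  load_env
  confirm_domain
  install_certbot
  check_docker

  mkdir -p "${CERT_DIR}"
  echo "✓ Certificate directory created: ${CERT_DIR}"

  read -r -p "Enter email address for Let's Encrypt notifications: " email
  [[ -n "${email}" ]] || die "✗ Error: Email address is required!"

  echo
  echo "Obtaining SSL certificate for ${GITEA_DOMAIN}..."
  echo "This will:"
  echo "  1. Verify domain ownership"
  echo "  2. Obtain SSL certificate from Let's Encrypt"
  echo "  3. Configure automatic renewal"
  echo

  obtain_certificate "${email}"

  echo
  echo "Setting up automatic certificate renewal..."
  install_renewal_hook

  echo
  test_renewal

  echo
  echo "==================================="
  echo "SSL Certificate Installation Complete!"
  echo "==================================="
  echo
  echo "Certificate details:"
  echo "  Domain: ${GITEA_DOMAIN}"
  echo "  Certificate location: /etc/letsencrypt/live/${GITEA_DOMAIN}/"
  echo "  Local copy: ${CERT_DIR}"
  echo
  echo "Next steps:"
  echo "  1. Update docker-compose.yml to use a reverse proxy (nginx/traefik)"
  echo "  2. Configure the reverse proxy to use the certificates"
  echo "  3. Start Gitea: docker-compose up -d"
  echo
  echo "Note: Certificates will automatically renew every 60 days"
}

main "$@"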