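#!/bin/bash
# Let's Encrypt SSL Certificate Installation Script for xmpp.guschin.info
# This script installs SSL certificates via Let's Encrypt (certbot).
#
# Usage: run as root on a Debian/Ubuntu host (apt-get is used to install
# certbot when it is missing). Override the contact address with the EMAIL
# environment variable.
#
# Precondition: a web server must already serve
# $WEBROOT/.well-known/acme-challenge/ for $DOMAIN over plain HTTP, otherwise
# the ACME webroot challenge cannot be answered and certbot will fail.
set -euo pipefail

DOMAIN="xmpp.guschin.info"
CERT_PATH="/etc/letsencrypt/live/${DOMAIN}"
EMAIL="${EMAIL:-admin@mguschin.info}"  # Default email or use EMAIL env var
WEBROOT="/var/www/letsencrypt"

# Print a message to stderr and abort with status 1.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

echo "========================================"
echo "Let's Encrypt Certificate Installation"
echo "========================================"
echo "Domain: $DOMAIN"
echo "Email: $EMAIL"
echo "Certificate Path: $CERT_PATH"
echo ""

# certbot writes under /etc/letsencrypt and apt-get needs root privileges;
# fail early with a clear message rather than half-way through.
[[ "$EUID" -eq 0 ]] || die "this script must be run as root"

# Check if certbot is installed
if ! command -v certbot &> /dev/null; then
  # Only Debian-style hosts are supported for automatic installation.
  command -v apt-get &> /dev/null \
    || die "certbot is not installed and apt-get is unavailable; install certbot manually"
  echo "Installing certbot..."
  apt-get update
  apt-get install -y certbot
fi

# Create webroot directory for ACME challenges
if [ ! -d "$WEBROOT" ]; then
  echo "Creating webroot directory: $WEBROOT"
  mkdir -p "$WEBROOT"
  chmod 755 "$WEBROOT"
fi

# Check if certificate already exists
if [ -d "$CERT_PATH" ]; then
  echo "Certificate already exists at $CERT_PATH"
  # When stdin is not a terminal (cron, CI) 'read' fails at EOF; under set -e
  # that would abort the script silently, so treat it as an answer of "no".
  read -p "Do you want to renew it? (y/n) " -n 1 -r || REPLY=""
  echo
  if [[ "$REPLY" =~ ^[Yy]$ ]]; then
    echo "Renewing certificate..."
    # NOTE: --force-renewal re-issues even when the certificate is not yet
    # due. Let's Encrypt rate-limits duplicate certificates, so avoid running
    # this repeatedly; plain 'certbot renew' is the normal path. This renews
    # every certificate certbot manages on this host, not only $DOMAIN.
    certbot renew --force-renewal --non-interactive
  else
    echo "Skipping certificate installation."
    exit 0
  fi
else
  echo "Generating new certificate for $DOMAIN..."
  # Install certificate using webroot authenticator
  # Nginx must be configured to serve $WEBROOT/.well-known/acme-challenge/
  certbot certonly \
    --webroot \
    --webroot-path "$WEBROOT" \
    --non-interactive \
    --agree-tos \
    --email "$EMAIL" \
    -d "$DOMAIN"
  echo ""
  echo "✓ Certificate installed successfully!"
  echo " Fullchain: $CERT_PATH/fullchain.pem"
  echo " Private Key: $CERT_PATH/privkey.pem"
fi

# Set proper permissions for nginx
# NOTE: this widens the live/ directories to world-readable (755). The nginx
# master process typically loads key material as root, so this is usually not
# required; file modes set by certbot on privkey.pem itself are not changed
# here. Paths are quoted so they never undergo word splitting.
if id "www-data" &>/dev/null; then
  chmod 755 "$CERT_PATH"
  chmod 755 "$CERT_PATH/.."
fi

# Optional: Set up automatic renewal via cron
echo ""
echo "Setting up automatic renewal (optional)..."
if ! grep -q "certbot renew" /etc/cron.d/certbot 2>/dev/null; then
  echo "Configuring automatic certificate renewal..."
  # Certbot automatically installs cron job on most systems
  # (Debian/Ubuntu packages ship /etc/cron.d/certbot and/or a certbot.timer
  # systemd unit, so a missing cron file does not by itself mean renewal is
  # unconfigured — check 'systemctl list-timers' as well).
  # But you can manually add it:
  # (crontab -l 2>/dev/null; echo "0 3 * * * certbot renew --quiet") | crontab -
fi

echo ""
echo "========================================"
echo "Certificate installation complete!"
echo "========================================"
echo ""
echo "Next steps:"
echo "1. Ensure your nginx config points to:"
echo " - ssl_certificate: $CERT_PATH/fullchain.pem"
echo " - ssl_certificate_key: $CERT_PATH/privkey.pem"
echo "2. Reload nginx: nginx -s reload"
echo "3. Test your SSL setup: https://www.ssllabs.com/ssltest/"
echo ""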