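#!/bin/sh
# SSL Certificate Initialization Script for Docker
#
# Obtains the initial Let's Encrypt certificate for DOMAIN_NAME using the
# HTTP-01 "webroot" challenge: certbot writes a token under /var/www/certbot
# and the ACME server fetches it over plain HTTP from
# http://DOMAIN_NAME/.well-known/acme-challenge/. The nginx container must
# therefore already be up and serving that path on port 80.
#
# Required environment:
#   DOMAIN_NAME          FQDN to issue the certificate for
#   SSL_EMAIL            contact address registered with the ACME account
# Optional:
#   SSL_STAGING=1        use the Let's Encrypt staging CA. Its certificates
#                        are not browser-trusted, but it has generous rate
#                        limits, so use it until DNS/nginx are known to work.
#   SSL_FORCE_RENEWAL=1  re-issue even if a valid certificate already exists.
#                        Off by default: every forced issuance counts against
#                        Let's Encrypt's duplicate-certificate rate limit, so
#                        re-running this script with it on (e.g. while
#                        debugging nginx) can lock the domain out of issuance.
#   NGINX_WAIT_SECONDS   seconds to wait for nginx before requesting (default 5)
#
# Exit status: 0 on success, 1 on a usage error or a failed issuance.

set -eu

DOMAIN_NAME="${DOMAIN_NAME:-}"
SSL_EMAIL="${SSL_EMAIL:-}"
STAGING="${SSL_STAGING:-0}"
FORCE_RENEWAL="${SSL_FORCE_RENEWAL:-0}"
WEBROOT="/var/www/certbot"
RUN_CMD="docker-compose -f docker-compose.prod.yml run --rm certbot-init"

# Print an error and the usage text to stderr, then exit 1.
usage_error() {
  echo "ERROR: $1" >&2
  echo "" >&2
  echo "Usage:" >&2
  echo " DOMAIN_NAME=yourdomain.com SSL_EMAIL=your@email.com $RUN_CMD" >&2
  echo "" >&2
  echo "For testing (staging server):" >&2
  echo " DOMAIN_NAME=yourdomain.com SSL_EMAIL=your@email.com SSL_STAGING=1 $RUN_CMD" >&2
  exit 1
}

[ -n "$DOMAIN_NAME" ] || usage_error "DOMAIN_NAME environment variable is required"
[ -n "$SSL_EMAIL" ] || usage_error "SSL_EMAIL environment variable is required"

# Both values become certbot arguments. Reject anything that could be parsed
# as an option (leading '-') or split into several words, so a mis-set
# variable cannot silently change what certbot does.
case "$DOMAIN_NAME" in
  -*|*[[:space:]]*) usage_error "DOMAIN_NAME must be a single hostname, got '$DOMAIN_NAME'" ;;
esac
case "$SSL_EMAIL" in
  -*|*[[:space:]]*) usage_error "SSL_EMAIL must be a single address, got '$SSL_EMAIL'" ;;
esac

echo "=========================================="
echo "SSL Certificate Initialization"
echo "=========================================="
echo "Domain: $DOMAIN_NAME"
echo "Email: $SSL_EMAIL"
echo ""

# Build certbot's argument list in "$@" so optional flags are appended as
# real arguments instead of an unquoted string the shell has to word-split.
# --non-interactive makes a missing TTY (docker-compose run -T, CI) an
# immediate error rather than a hang on a prompt.
set -- certonly \
  --webroot \
  --webroot-path="$WEBROOT" \
  --non-interactive \
  --email "$SSL_EMAIL" \
  --agree-tos \
  --no-eff-email

if [ "$STAGING" = "1" ]; then
  echo "WARNING: Using Let's Encrypt staging server (for testing only)"
  set -- "$@" --staging
fi

if [ "$FORCE_RENEWAL" = "1" ]; then
  echo "WARNING: SSL_FORCE_RENEWAL=1 - each run counts against Let's Encrypt rate limits"
  set -- "$@" --force-renewal
fi

set -- "$@" -d "$DOMAIN_NAME"

# The challenge is fetched through nginx, so give it a moment to come up.
# A fixed delay is only a heuristic; if the request fails with a connection
# error on the first attempt, re-running the script is safe (without
# SSL_FORCE_RENEWAL an existing valid certificate is kept, not re-issued).
echo "Waiting for nginx to be ready..."
sleep "${NGINX_WAIT_SECONDS:-5}"

echo "Requesting SSL certificate from Let's Encrypt..."
# Test the command directly: under 'set -e' a failing certbot would abort the
# script before a separate "$?" check could ever print the failure hints.
if certbot "$@"; then
  echo ""
  echo "=========================================="
  echo "✅ SSL certificate obtained successfully!"
  echo "=========================================="
  echo "Certificate location: /etc/letsencrypt/live/$DOMAIN_NAME/"
  echo ""
  if [ "$STAGING" = "1" ]; then
    echo "NOTE: this is a STAGING certificate and will not be trusted by browsers."
    echo "      Re-run without SSL_STAGING=1 before going live."
    echo ""
  fi
  echo "Next steps:"
  echo "1. Update nginx.prod.conf with your domain name:"
  echo " Replace \${DOMAIN_NAME:-default} with $DOMAIN_NAME"
  echo " Or set DOMAIN_NAME environment variable in docker-compose.prod.yml"
  echo ""
  echo "2. Restart nginx container:"
  echo " docker-compose -f docker-compose.prod.yml restart nginx"
  echo ""
  echo "3. Verify HTTPS is working:"
  echo " curl https://$DOMAIN_NAME/health"
  echo ""
  echo "4. Certificates will auto-renew every 12 hours"
else
  echo "" >&2
  echo "==========================================" >&2
  echo "❌ SSL certificate obtainment failed" >&2
  echo "==========================================" >&2
  echo "Please check:" >&2
  echo "1. Domain DNS is pointing to this server" >&2
  echo "2. Port 80 is accessible from the internet" >&2
  echo "3. Nginx container is running and can serve /.well-known/acme-challenge/" >&2
  echo "4. You have not hit a Let's Encrypt rate limit - if so, wait or test with SSL_STAGING=1" >&2
  exit 1
fi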