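#!/bin/bash
# SSL Certificate Setup Script for Multi-Tenant Domain
# This script sets up Let's Encrypt wildcard certificates
#
# Runs certbot (through the "certbot" service in docker-compose.production.yml)
# with the manual DNS-01 challenge to obtain a certificate for $DOMAIN and
# *.$DOMAIN, or offers to renew one that already exists under ./certbot/conf.
# The script is interactive: it prompts with `read` and certbot pauses while
# the operator adds the DNS TXT records it prints.
set -e

DOMAIN="dev.uggla.uamils.com"
EMAIL="admin@uamils.com"
STAGING=1  # Set to 0 for production certificates

echo "Setting up SSL certificates for domain: $DOMAIN"

# Create required directories
mkdir -p ./certbot/conf
mkdir -p ./certbot/www
mkdir -p ./nginx/ssl

#######################################
# Request a wildcard certificate via certbot's manual DNS-01 challenge.
# Arguments:
#   $1 - base domain; the certificate covers $1 and *.$1
#   $2 - contact email for the ACME account
#   $3 - 1 for the Let's Encrypt staging environment, anything else for production
# Outputs:   progress messages and certbot's interactive output on stdout
# Returns:   exit status of the docker-compose/certbot run
#######################################
get_certificate() {
  local domain=$1
  local email=$2
  local staging=$3
  # Environment-specific options are kept in an array so that the production
  # case contributes no argument at all, rather than an empty-string argument.
  local -a staging_args=()

  if [[ "$staging" -eq 1 ]]; then
    staging_args=(--staging)
    echo "Getting STAGING certificate (for testing)..."
  else
    echo "Getting PRODUCTION certificate..."
  fi

  echo "Requesting wildcard certificate for $domain and *.$domain"
  # --server names the production directory (certbot's default); when
  # --staging is also passed, certbot itself switches to the staging directory.
  docker-compose -f docker-compose.production.yml run --rm certbot \
    certonly \
    --manual \
    --preferred-challenges=dns \
    --email "$email" \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos \
    --no-eff-email \
    "${staging_args[@]}" \
    -d "$domain" \
    -d "*.$domain"
}

# Check if certificate already exists
if [[ -d "./certbot/conf/live/$DOMAIN" ]]; then
  echo "Certificate already exists for $DOMAIN"
  read -p "Do you want to renew it? (y/n): " -n 1 -r
  echo
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    echo "Renewing certificate..."
    # NOTE(review): a certificate issued with --manual and no --manual-auth-hook
    # generally cannot be renewed non-interactively; `certbot renew` may refuse
    # it. Confirm this path actually works for the certificate issued above.
    docker-compose -f docker-compose.production.yml run --rm certbot renew
  fi
else
  echo "No certificate found. Creating new certificate..."
  echo "IMPORTANT: You need to manually add DNS TXT records during this process!"
  echo "The certbot will pause and show you the TXT records to add."
  echo ""
  echo "You'll need to add DNS TXT records like:"
  # Both names (base and wildcard) are validated at the same _acme-challenge
  # label, so two TXT records with different values are expected at that name.
  echo " _acme-challenge.$DOMAIN TXT \"[value-shown-by-certbot]\""
  echo " _acme-challenge.$DOMAIN TXT \"[another-value-for-wildcard]\""
  echo ""
  read -p "Press Enter when you're ready to continue..."
  get_certificate "$DOMAIN" "$EMAIL" "$STAGING"
fi

# Set up certificate renewal cron job
echo "Setting up automatic certificate renewal..."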
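# Create renewal script
# The heredoc delimiter is quoted so nothing is expanded at generation time;
# the /path/to/your/project placeholder must be edited before the cron job is
# installed.
mkdir -p ./scripts
cat > ./scripts/renew-certs.sh << 'EOF'
#!/bin/bash
# Renew Let's Encrypt certificates and reload nginx. Intended to run from cron.
set -e
# Fail here if the project path is wrong; otherwise docker-compose would run
# from cron's working directory and pick up the wrong (or no) compose file.
cd /path/to/your/project || exit 1
# NOTE(review): certificates obtained with --manual and no --manual-auth-hook
# generally cannot be renewed non-interactively; verify `certbot renew`
# succeeds for this certificate before relying on the cron job.
docker-compose -f docker-compose.production.yml run --rm certbot renew
# -T: do not allocate a pseudo-TTY; cron has no terminal and exec would fail.
docker-compose -f docker-compose.production.yml exec -T nginx nginx -s reload
EOF
chmod +x ./scripts/renew-certs.sh

echo ""
echo "SSL certificate setup completed!"
echo ""
echo "NEXT STEPS:"
echo "1. Add this to your crontab for automatic renewal:"
echo " 0 12 * * * /path/to/your/project/scripts/renew-certs.sh"
echo ""
echo "2. Update your .env.production file with correct domain settings"
echo ""
echo "3. Start the production environment:"
echo " docker-compose -f docker-compose.production.yml up -d"
echo ""

if [[ "$STAGING" -eq 1 ]]; then
  echo "NOTE: You're using STAGING certificates (for testing)."
  echo "Change STAGING=0 in this script and run again for production certificates."
fi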