#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh

CONF_BASE="/etc/${APP_USER}"
CERT_DIR="${CONF_BASE}/ssl"
UI_SSL_DIR="/etc/ssl/ui"; WEBMAIL_SSL_DIR="/etc/ssl/webmail"; MAIL_SSL_DIR="/etc/ssl/mail"
UI_CERT="${UI_SSL_DIR}/fullchain.pem"; UI_KEY="${UI_SSL_DIR}/privkey.pem"
WEBMAIL_CERT="${WEBMAIL_SSL_DIR}/fullchain.pem"; WEBMAIL_KEY="${WEBMAIL_SSL_DIR}/privkey.pem"
MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"; MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"

install -d -m 0750 "$CERT_DIR"
CERT="${CERT_DIR}/cert.pem"; KEY="${CERT_DIR}/key.pem"

if [[ ! -s "$CERT" || ! -s "$KEY" ]]; then
  log "Self-signed Zertifikat erzeugen …"
  OSSL_CFG="${CERT_DIR}/openssl.cnf"
  cat > "$OSSL_CFG" <<CFG
[req]
default_bits=2048
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
[dn]
CN=${SERVER_PUBLIC_IPV4}
O=${APP_NAME}
C=DE
[req_ext]
subjectAltName=@alt_names
[alt_names]
IP.1=${SERVER_PUBLIC_IPV4}
CFG
  openssl req -x509 -newkey rsa:2048 -days 825 -nodes -keyout "$KEY" -out "$CERT" -config "$OSSL_CFG"
  chgrp www-data "$CERT" "$KEY" || true
  chmod 640 "$KEY" "$CERT"
fi

install -d -m 0755 "$UI_SSL_DIR" "$WEBMAIL_SSL_DIR" "$MAIL_SSL_DIR"
ln -sf "$CERT" "$UI_CERT";     ln -sf "$KEY" "$UI_KEY"
ln -sf "$CERT" "$WEBMAIL_CERT";ln -sf "$KEY" "$WEBMAIL_KEY"
ln -sf "$CERT" "$MAIL_CERT";   ln -sf "$KEY" "$MAIL_KEY"

# --- Mail-Zertifikate: Rechte für Postfix & Dovecot -------------------------
# WICHTIG: Rechte am *Target* (KEY/CERT im $CERT_DIR) setzen, nicht an den Symlinks.
if [[ -f "$KEY" && -f "$CERT" ]]; then
  echo "[+] Setze Berechtigungen für Mail-Zertifikate …"
  # Key: nur root + Gruppe lesen. Gruppe → postfix
  chgrp postfix "$KEY" || true
  chmod 640     "$KEY" || true
  # Dovecot zusätzlich Leserechte via ACL
  setfacl -m u:dovecot:r "$KEY" || true
  # Zertifikat darf weltweit lesbar sein
  chmod 644     "$CERT" || true
else
  echo "[!] Zertifikatsdateien fehlen: $KEY oder $CERT" >&2
fi

# Optional: kurze Info, wohin verlinkt wurde
echo "[i] Mail TLS: $MAIL_CERT -> $CERT ; $MAIL_KEY -> $KEY"