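#!/usr/bin/env bash
# Issue Let's Encrypt certificates (HTTP-01 webroot challenge) for the
# configured hosts. Skipped entirely while BASE_DOMAIN is still the
# placeholder "example.com".
#
# Required env (expected to come from ./lib.sh or the caller's environment):
#   BASE_DOMAIN             - used for the fallback account mail address
# Optional env:
#   UI_HOST, WEBMAIL_HOST, MAIL_HOSTNAME
#                           - hosts to issue for; empty/unset hosts are skipped
#   LE_EMAIL                - ACME account mail (default: admin@BASE_DOMAIN)
#   LE_STAGING=1            - use the staging CA (does not consume live limits)
#   SERVER_PUBLIC_IPV4/IPV6 - when set, a host is only attempted if its DNS
#                             records point at one of these addresses
set -euo pipefail

# NOTE(review): resolved relative to the current working directory, not the
# script's own directory – confirm that is how callers invoke this script.
source ./lib.sh

ACME_WEBROOT="/var/www/letsencrypt"
ACME_CHALLENGE_DIR="${ACME_WEBROOT}/.well-known/acme-challenge"
install -d -m 0755 "${ACME_CHALLENGE_DIR}"

# Staging is optional (does not consume the live rate limit).
CERTBOT_EXTRA=()
LE_STAGING="${LE_STAGING:-0}"
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)

# Single LE account mail (fallback derived from BASE_DOMAIN).
LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"

#######################################
# Check whether a hostname resolves to one of this server's public addresses.
# Globals:   SERVER_PUBLIC_IPV4, SERVER_PUBLIC_IPV6 (read, both optional)
# Arguments: $1 - hostname
# Returns:   0 if at least one resolved address matches, or if no public
#            address is configured at all (check disabled); 1 otherwise
#######################################
resolve_ok() {
  local host="$1"
  local -a wanted=()
  local found

  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && wanted+=("${SERVER_PUBLIC_IPV4}")
  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && wanted+=("${SERVER_PUBLIC_IPV6}")
  # Nothing to compare against -> do not block issuance.
  [[ ${#wanted[@]} -eq 0 ]] && return 0

  # Collect the resolved addresses first instead of piping straight into
  # `grep -q`: under pipefail, grep closing its stdin on the first match can
  # turn a successful lookup into a SIGPIPE failure of the upstream stages.
  found=$(getent ahosts "$host" | awk '{print $1}' | sort -u) || return 1

  # Fixed-string, whole-line, case-insensitive comparison: no regex escaping
  # of dots/colons required, and IPv6 hex-digit case does not matter.
  # NOTE(review): IPv6 is not normalised – SERVER_PUBLIC_IPV6 must be written
  # in the same compressed form getent prints (e.g. "2001:db8::1").
  grep -Fxiq -f <(printf '%s\n' "${wanted[@]}") <<<"$found"
}

#######################################
# Verify that the ACME challenge path for a host is reachable over plain
# HTTP, trying IPv4 first and IPv6 as fallback. The marker file is removed
# again afterwards so nothing lingers in the public webroot.
# Globals:   ACME_CHALLENGE_DIR (read)
# Arguments: $1 - hostname
# Returns:   0 if reachable, otherwise curl's exit status of the last attempt
#######################################
probe_http() {
  local host="$1"
  local probe="${ACME_CHALLENGE_DIR}/_probe"
  local url="http://${host}/.well-known/acme-challenge/_probe"
  local rv=0

  printf 'test\n' > "$probe"
  curl -fsS --max-time 5 -4 "$url" >/dev/null \
    || curl -fsS --max-time 5 -6 "$url" >/dev/null \
    || rv=$?
  rm -f -- "$probe"
  return "$rv"
}

#######################################
# Request (or renew) a certificate for one host via the webroot challenge.
# Skips on an empty host or when DNS does not point here. A failed HTTP
# probe is only logged – certbot is still attempted and reports its own
# failure; that failure is logged but never aborts the remaining hosts.
# Globals:   ACME_WEBROOT, LE_MAIL, CERTBOT_EXTRA, MAIL_HOSTNAME (read)
# Arguments: $1 - hostname (may be empty)
# Returns:   0 always
#######################################
issue() {
  local host="${1:-}"
  local -a extra_args=()

  [[ -z "$host" ]] && return 0
  echo "[i] Versuche LE für ${host} …"

  if ! resolve_ok "$host"; then
    echo "[!] DNS zeigt (noch) nicht hierher – überspringe: ${host}"
    return 0
  fi
  if ! probe_http "$host"; then
    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
    # Try anyway – certbot will report if it fails.
  fi

  # Reuse the key for the MX host -> stable TLSA (3 1 1) record.
  # MAIL_HOSTNAME may be unset (callers pass "${MAIL_HOSTNAME:-}"); the
  # default keeps this comparison from tripping `set -u`.
  [[ "$host" == "${MAIL_HOSTNAME:-}" ]] && extra_args+=(--reuse-key)

  # IMPORTANT: attach the deploy wrapper so symlinks/nginx get updated.
  # The `${arr[@]+"${arr[@]}"}` form expands to nothing for an empty array
  # without tripping `set -u` on bash < 4.4.
  if ! certbot certonly \
      --agree-tos -m "${LE_MAIL}" --non-interactive \
      --webroot -w "${ACME_WEBROOT}" -d "${host}" \
      --deploy-hook /usr/local/sbin/mw-deploy.sh \
      ${extra_args[@]+"${extra_args[@]}"} \
      ${CERTBOT_EXTRA[@]+"${CERTBOT_EXTRA[@]}"}; then
    echo "[!] certbot für ${host} fehlgeschlagen – fahre mit den übrigen Hosts fort." >&2
  fi
  return 0
}

if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
  issue "${UI_HOST:-}"
  issue "${WEBMAIL_HOST:-}"
  issue "${MAIL_HOSTNAME:-}"
  # Only reload nginx when it is actually running.
  if systemctl is-active --quiet nginx; then
    systemctl reload nginx || echo "[!] nginx reload fehlgeschlagen." >&2
  fi
else
  echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
fi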