#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh

log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"

# -------------------------------------------------------------------
# 2) POSIX-kompatibler Deploy-Wrapper (von Certbot aufgerufen)
# -------------------------------------------------------------------
cat >/usr/local/sbin/mailwolt-deploy.sh <<'WRAP'
#!/bin/sh
# POSIX-safe Certbot deploy-hook (ohne bashisms)
set -eu

# Installer-ENV laden (liefert UI_HOST/WEBMAIL_HOST/MAIL_HOSTNAME etc.)
if [ -r /etc/mailwolt/installer.env ]; then
  # shellcheck disable=SC1091
  . /etc/mailwolt/installer.env
fi

UI_HOST="${UI_HOST:-}"
WEBMAIL_HOST="${WEBMAIL_HOST:-}"
MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
ACME_BASE="/etc/letsencrypt/live"

copy_cert() {
  le_base="$1"    # z.B. /etc/letsencrypt/live/ui.example.com
  target_dir="$2" # z.B. /etc/ssl/ui

  cert="${le_base}/fullchain.pem"
  key="${le_base}/privkey.pem"

  [ -s "$cert" ] || { echo "[deploy] missing $cert"; return 1; }
  [ -s "$key"  ] || { echo "[deploy] missing $key";  return 1; }

  mkdir -p "$target_dir"

  # echte Dateien (keine Symlinks), feste Rechte
  install -m 0644 "$cert" "${target_dir}/fullchain.pem"
  install -m 0600 "$key"  "${target_dir}/privkey.pem"

  echo "[+] Copied ${target_dir}/fullchain.pem und privkey.pem ← ${le_base}"
}

reload_services() {
  kind="$1" # ui | mail
  if command -v systemctl >/dev/null 2>&1; then
    if [ "$kind" = "mail" ]; then
      systemctl reload postfix  2>/dev/null || true
      systemctl reload dovecot  2>/dev/null || true
    else
      systemctl reload nginx    2>/dev/null || true
    fi
  fi
}

# Certbot-Kontext
LINEAGE="${RENEWED_LINEAGE:-}"
HOST=""
if [ -n "$LINEAGE" ]; then
  HOST="$(basename "$LINEAGE")"
fi

did_any=0

maybe_copy_for_host() {
  host="$1"
  dir="$2"
  [ -n "$host" ] || return 0

  # Fall A: Certbot liefert RENEWED_DOMAINS (Space-getrennt)
  if [ -n "${RENEWED_DOMAINS:-}" ]; then
    case " ${RENEWED_DOMAINS} " in
      *" ${host} "*) copy_cert "${ACME_BASE}/${host}" "${dir}" && did_any=1 ;;
    esac
    return 0
  fi

  # Fall B: Erst-issue / kein RENEWED_DOMAINS → über LINEAGE matchen
  if [ -n "$HOST" ] && [ "$HOST" = "$host" ]; then
    copy_cert "${ACME_BASE}/${host}" "${dir}" && did_any=1
  fi
}

# Gezieltes Kopieren
maybe_copy_for_host "$UI_HOST"       "/etc/ssl/ui"
maybe_copy_for_host "$WEBMAIL_HOST"  "/etc/ssl/webmail"
maybe_copy_for_host "$MAIL_HOSTNAME" "/etc/ssl/mail"

# Fallback (Erstlauf): kopiere vorhandene Lineages
if [ "$did_any" -eq 0 ]; then
  [ -n "$UI_HOST"       ] && [ -d "${ACME_BASE}/${UI_HOST}"       ] && copy_cert "${ACME_BASE}/${UI_HOST}"       "/etc/ssl/ui"
  [ -n "$WEBMAIL_HOST"  ] && [ -d "${ACME_BASE}/${WEBMAIL_HOST}"  ] && copy_cert "${ACME_BASE}/${WEBMAIL_HOST}"  "/etc/ssl/webmail"
  [ -n "$MAIL_HOSTNAME" ] && [ -d "${ACME_BASE}/${MAIL_HOSTNAME}" ] && copy_cert "${ACME_BASE}/${MAIL_HOSTNAME}" "/etc/ssl/mail"
fi

# TLSA-Refresh (tolerant falls App noch nicht ready)
if command -v php >/dev/null 2>&1 && [ -f /var/www/mailwolt/artisan ]; then
  (cd /var/www/mailwolt && php artisan dns:tlsa:refresh) || true
fi

# Services neu laden
if [ -n "$HOST" ]; then
  if [ -n "$MAIL_HOSTNAME" ] && [ "$HOST" = "$MAIL_HOSTNAME" ]; then
    reload_services mail
  else
    reload_services ui
  fi
else
  reload_services ui
fi

exit 0
WRAP
chmod +x /usr/local/sbin/mailwolt-deploy.sh

# -------------------------------------------------------------------
# 3) Certbot deploy-hook, der den Wrapper aufruft
# -------------------------------------------------------------------
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-certs.sh <<'HOOK'
#!/bin/sh
exec /usr/local/sbin/mailwolt-deploy.sh
HOOK
chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-certs.sh


log "[✓] MailWolt Deploy-Hook eingerichtet"

##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
## Persistente Installer-Variablen (werden vom Wrapper gelesen)
#install -d -m 0755 /etc/mailwolt
#cat >/etc/mailwolt/installer.env <<EOF
#UI_HOST=${UI_HOST}
#WEBMAIL_HOST=${WEBMAIL_HOST}
#MAIL_HOSTNAME=${MAIL_HOSTNAME}
#BASE_DOMAIN=${BASE_DOMAIN}
#LE_EMAIL=${LE_EMAIL:-admin@${BASE_DOMAIN}}
#SYSMAIL_SUB="${SYSMAIL_SUB}"
#SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN}"
#DKIM_ENABLE="${DKIM_ENABLE}"
#DKIM_SELECTOR="${DKIM_SELECTOR}"
#DKIM_GENERATE="${DKIM_GENERATE}"
#APP_ENV=${APP_ENV:-production}
#EOF
#
#log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"
#
## 1) Wrapper, den Certbot bei Issue/Renew aufruft
#cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
##!/usr/bin/env bash
#set -euo pipefail
#
## Installer-Variablen laden
#set +u
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
#set -u
#
#UI_HOST="${UI_HOST:-}"
#WEBMAIL_HOST="${WEBMAIL_HOST:-}"
#MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
#
## --- Kopieren statt Symlinks (damit Laravel lesen kann) ---------------------
#copy_cert() {
#  local le_base="$1" target_dir="$2"
#  local cert="${le_base}/fullchain.pem"
#  local key="${le_base}/privkey.pem"
#
#  [[ -s "$cert" && -s "$key" ]] || return 0
#
#  install -d -m 0755 "$target_dir"
#
#  # Vorhandene Symlinks entfernen, sonst kopierst du in die LE-Datei hinein
#  [ -L "${target_dir}/fullchain.pem" ] && rm -f "${target_dir}/fullchain.pem"
#  [ -L "${target_dir}/privkey.pem"  ] && rm -f "${target_dir}/privkey.pem"
#
#  # Echte Dateien ablegen
#  install -m 0644 "$cert" "${target_dir}/fullchain.pem"
#  install -m 0600 "$key"  "${target_dir}/privkey.pem"
#
#  echo "[+] Copied ${target_dir}/fullchain.pem und privkey.pem ← ${le_base}"
#}
#
## Nur Domains bearbeiten, die in diesem Lauf betroffen sind.
## Bei manchen Distros ist RENEWED_DOMAINS auf Erst-issue leer -> Fallback nutzen.
#RDOMS=" ${RENEWED_DOMAINS:-} "
#did_any=0
#
#maybe_copy_for() {
#  local host="$1" dir="$2"
#  [[ -z "$host" ]] && return 0
#  if [[ "$RDOMS" == *" ${host} "* ]]; then
#    copy_cert "/etc/letsencrypt/live/${host}" "${dir}"
#    did_any=1
#  fi
#}
#
## 1) Normalfall: nur die vom Certbot gemeldeten Hosts kopieren
#maybe_copy_for "$UI_HOST"      "/etc/ssl/ui"
#maybe_copy_for "$WEBMAIL_HOST" "/etc/ssl/webmail"
#maybe_copy_for "$MAIL_HOSTNAME" "/etc/ssl/mail"
#
## 2) Fallback: Beim Erstlauf/Edge-Cases alles kopieren, was bereits existiert
#if [[ "$did_any" -eq 0 ]]; then
#  [[ -n "$UI_HOST"       && -d "/etc/letsencrypt/live/${UI_HOST}"      ]] && copy_cert "/etc/letsencrypt/live/${UI_HOST}"      "/etc/ssl/ui"
#  [[ -n "$WEBMAIL_HOST"  && -d "/etc/letsencrypt/live/${WEBMAIL_HOST}" ]] && copy_cert "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail"
#  [[ -n "$MAIL_HOSTNAME" && -d "/etc/letsencrypt/live/${MAIL_HOSTNAME}"]] && copy_cert "/etc/letsencrypt/live/${MAIL_HOSTNAME}"/etc/ssl/mail
#fi
#
## Optional: TLSA via Laravel (tolerant, falls App noch nicht gebaut)
#if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ] && [ -f /var/www/mailwolt/artisan ]; then
#  (cd /var/www/mailwolt && php artisan dns:tlsa:refresh) || true
#fi
#
## Nginx nur neu laden, wenn aktiv
#if systemctl is-active --quiet nginx; then
#  systemctl reload nginx || true
#fi
#WRAP
#chmod +x /usr/local/sbin/mw-deploy.sh
#
## 2) Certbot-Deploy-Hook: ruft den Wrapper bei jeder erfolgreichen Ausstellung/Renew auf
#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-certs.sh <<'HOOK'
##!/usr/bin/env bash
#exec /usr/local/sbin/mw-deploy.sh
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-certs.sh
#
#log "[✓] MailWolt Deploy-Hook eingerichtet"

##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
## Persistente Installer-Variablen (werden vom Wrapper gelesen)
#install -d -m 0755 /etc/mailwolt
#cat >/etc/mailwolt/installer.env <<EOF
#UI_HOST=${UI_HOST}
#WEBMAIL_HOST=${WEBMAIL_HOST}
#MAIL_HOSTNAME=${MAIL_HOSTNAME}
#BASE_DOMAIN=${BASE_DOMAIN}
#LE_EMAIL=${LE_EMAIL:-admin@${BASE_DOMAIN}}
#APP_ENV=${APP_ENV:-production}
#EOF
#
#log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"
#
## 1) Wrapper, den Certbot bei Issue/Renew aufruft
#cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
##!/usr/bin/env bash
#set -euo pipefail
#
## Installer-Variablen laden
#set +u
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
#set -u
#
#UI_HOST="${UI_HOST:-}"
#WEBMAIL_HOST="${WEBMAIL_HOST:-}"
#MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
#
## --- Kopieren statt Symlinks (damit Laravel lesen kann) ---------------------
#copy_cert() {
#  local le_base="$1" target_dir="$2"
#  local cert="${le_base}/fullchain.pem"
#  local key="${le_base}/privkey.pem"
#
#  [[ -s "$cert" && -s "$key" ]] || return 0
#
#  # Zielordner sicherstellen
#  install -d -m 0755 "$target_dir"
#
#  # Falls vorher Symlinks existieren → entfernen, sonst würde "install" das Ziel des Links überschreiben
#  [ -L "${target_dir}/fullchain.pem" ] && rm -f "${target_dir}/fullchain.pem"
#  [ -L "${target_dir}/privkey.pem"  ] && rm -f "${target_dir}/privkey.pem"
#
#  # KOPIEREN mit sauberen Rechten (Chain world-readable, Key nur root)
#  install -m 0644 "$cert" "${target_dir}/fullchain.pem"
#  install -m 0600 "$key"  "${target_dir}/privkey.pem"
#
#  echo "[+] Copied ${target_dir}/fullchain.pem und privkey.pem ← ${le_base}"
#}
#
## Nur für Domains arbeiten, die in diesem Lauf betroffen sind
#RDOMS=" ${RENEWED_DOMAINS:-} "
#
## UI
#if [[ -n "$UI_HOST" && "$RDOMS" == *" ${UI_HOST} "* ]]; then
#  copy_cert "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui"
#fi
## Webmail
#if [[ -n "$WEBMAIL_HOST" && "$RDOMS" == *" ${WEBMAIL_HOST} "* ]]; then
#  copy_cert "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail"
#fi
## MX
#if [[ -n "$MAIL_HOSTNAME" && "$RDOMS" == *" ${MAIL_HOSTNAME} "* ]]; then
#  copy_cert "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail"
#fi
#
## Optional: TLSA via Laravel (still tolerant, falls App noch nicht gebaut)
#if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ] && [ -f /var/www/mailwolt/artisan ]; then
#  (cd /var/www/mailwolt && php artisan dns:tlsa:refresh) || true
#fi
#
## Nginx nur neu laden, wenn aktiv
#if systemctl is-active --quiet nginx; then
#  systemctl reload nginx || true
#fi
#WRAP
#chmod +x /usr/local/sbin/mw-deploy.sh
#
## 2) Certbot-Deploy-Hook: ruft den Wrapper bei jeder erfolgreichen Ausstellung/Renew auf
#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
##!/usr/bin/env bash
#exec /usr/local/sbin/mw-deploy.sh
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
#
#log "[✓] MailWolt Deploy-Hook eingerichtet"

##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#install -d -m 0755 /etc/mailwolt
#cat >/etc/mailwolt/installer.env <<EOF
#UI_HOST=${UI_HOST}
#WEBMAIL_HOST=${WEBMAIL_HOST}
#MAIL_HOSTNAME=${MAIL_HOSTNAME}
#BASE_DOMAIN=${BASE_DOMAIN}
#LE_EMAIL=${LE_EMAIL:-admin@${BASE_DOMAIN}}
#APP_ENV=${APP_ENV:-production}
#EOF
#
#log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"
#
## 1) Wrapper, den Certbot bei Issue/Renew aufruft
#cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
##!/usr/bin/env bash
#set -euo pipefail
#
## Installer-Variablen laden (UI_HOST, WEBMAIL_HOST, MAIL_HOSTNAME, optional LE_EMAIL etc.)
#set +u
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
#set -u
#
#UI_HOST="${UI_HOST:-}"
#WEBMAIL_HOST="${WEBMAIL_HOST:-}"
#MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
#
#link_if() {
#  local le_base="$1" target_dir="$2"
#  local cert="${le_base}/fullchain.pem"
#  local key="${le_base}/privkey.pem"
#  [[ -s "$cert" && -s "$key" ]] || return 0
#  install -d -m 0755 "$target_dir"
#  ln -sf "$cert" "${target_dir}/fullchain.pem"
#  ln -sf "$key"  "${target_dir}/privkey.pem"
#  chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true
#  chmod 600 "${target_dir}/privkey.pem"  2>/dev/null || true
#  echo "[+] Linked ${target_dir} -> ${le_base}"
#}
#
## Nur für Domains arbeiten, die im aktuellen Lauf erneuert/ausgestellt wurden
#RDOMS=" ${RENEWED_DOMAINS:-} "
#
## UI
#if [[ -n "$UI_HOST" && "$RDOMS" == *" ${UI_HOST} "* ]]; then
#  link_if "/etc/letsencrypt/live/${UI_HOST}" "/etc/ssl/ui"
#fi
## Webmail
#if [[ -n "$WEBMAIL_HOST" && "$RDOMS" == *" ${WEBMAIL_HOST} "* ]]; then
#  link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}" "/etc/ssl/webmail"
#fi
## MX
#if [[ -n "$MAIL_HOSTNAME" && "$RDOMS" == *" ${MAIL_HOSTNAME} "* ]]; then
#  link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail"
#fi
#
## Optional: TLSA via Laravel, falls App schon vorhanden (sonst still überspringen)
#if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then
#  (cd /var/www/mailwolt && php artisan dns:tlsa:refresh) || true
#fi
#
## Nginx nur neu laden, wenn aktiv
#if systemctl is-active --quiet nginx; then
#  systemctl reload nginx || true
#fi
#WRAP
#chmod +x /usr/local/sbin/mw-deploy.sh
#
## 2) Certbot-Deploy-Hooks einrichten (ruft nur den Wrapper auf)
#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
##!/usr/bin/env bash
#exec /usr/local/sbin/mw-deploy.sh
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
#
#log "[✓] MailWolt Deploy-Hook eingerichtet"

##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "Let's Encrypt Deploy-Hooks und Wrapper anlegen …"
#
## 1) Wrapper-Skript, das Symlinks setzt und Nginx reloaded
#cat >/usr/local/sbin/mw-deploy.sh <<'WRAP'
##!/usr/bin/env bash
#set -euo pipefail
#
#link_if() {
#  local le_base="$1" target_dir="$2"
#  local cert="${le_base}/fullchain.pem"
#  local key="${le_base}/privkey.pem"
#  [[ -s "$cert" && -s "$key" ]] || return 0
#  install -d -m 0755 "$target_dir"
#  ln -sf "$cert" "${target_dir}/fullchain.pem"
#  ln -sf "$key"  "${target_dir}/privkey.pem"
#  chmod 644 "${target_dir}/fullchain.pem" 2>/dev/null || true
#  chmod 600 "${target_dir}/privkey.pem"  2>/dev/null || true
#  echo "[+] Linked ${target_dir} -> ${le_base}"
#}
#
#UI_HOST="${UI_HOST:-}"
#WEBMAIL_HOST="${WEBMAIL_HOST:-}"
#MAIL_HOSTNAME="${MAIL_HOSTNAME:-}"
#
#[[ -n "$UI_HOST"       ]] && link_if "/etc/letsencrypt/live/${UI_HOST}"       "/etc/ssl/ui"
#[[ -n "$WEBMAIL_HOST"  ]] && link_if "/etc/letsencrypt/live/${WEBMAIL_HOST}"  "/etc/ssl/webmail"
#[[ -n "$MAIL_HOSTNAME" ]] && link_if "/etc/letsencrypt/live/${MAIL_HOSTNAME}" "/etc/ssl/mail"
#
#if systemctl is-active --quiet nginx; then
#  systemctl reload nginx || true
#fi
#WRAP
#
#chmod +x /usr/local/sbin/mw-deploy.sh
#
## 2) Certbot Deploy-Hook-Verzeichnis + Symlink für Renewals
#install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
#cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
##!/usr/bin/env bash
#exec /usr/local/sbin/mw-deploy.sh
#HOOK
#chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
#
#log "[✓] MailWolt Deploy-Hook eingerichtet"
#
###!/usr/bin/env bash
##set -euo pipefail
##source ./lib.sh
##
### ────────────────────────────────────────────────────────────────────────────
### 21-le-deploy-hook.sh
###   • legt /etc/mailwolt/installer.env an (falls fehlt)
###   • erzeugt Deploy-Hooks:
###       - 50-mailwolt-symlinks.sh  → verlinkt LE-Zerts nach /etc/ssl/{ui,webmail,mail}
###       - 60-mailwolt-tlsa.sh      → aktualisiert TLSA (3 1 1) für MX bei jedem Renew
###   • KEIN Reload von Postfix/Dovecot (kommt später im Installer)
### ────────────────────────────────────────────────────────────────────────────
##
### 0) Hostnamen persistent speichern (für spätere Deploys)
##install -d -m 0755 /etc/mailwolt
##if [[ ! -f /etc/mailwolt/installer.env ]]; then
##  cat >/etc/mailwolt/installer.env <<EOF
##UI_HOST=${UI_HOST}
##WEBMAIL_HOST=${WEBMAIL_HOST}
##MAIL_HOSTNAME=${MAIL_HOSTNAME}
##EOF
##  echo "[+] /etc/mailwolt/installer.env erstellt."
##fi
##
### 1) Deploy-Hooks-Verzeichnis anlegen
##install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
##
### ────────────────────────────────────────────────────────────────────────────
### 2) 50-mailwolt-symlinks.sh
### ────────────────────────────────────────────────────────────────────────────
##cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<HOOK
###!/usr/bin/env bash
##set -euo pipefail
##
##UI_LE="/etc/letsencrypt/live/${UI_HOST}"
##WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
##MX_LE="/etc/letsencrypt/live/${MAIL_HOSTNAME}"
##
##UI_SSL_DIR="/etc/ssl/ui"
##WEBMAIL_SSL_DIR="/etc/ssl/webmail"
##MAIL_SSL_DIR="/etc/ssl/mail"
##
### Zielverzeichnisse anlegen (einmalig)
##install -d -m 0755 "\$UI_SSL_DIR" "\$WEBMAIL_SSL_DIR" "\$MAIL_SSL_DIR"
##
##link_if() {
##  local le_base="\$1" target_dir="\$2"
##  local cert="\${le_base}/fullchain.pem"
##  local key="\${le_base}/privkey.pem"
##  [[ -s "\$cert" && -s "\$key" ]] || return 0
##  ln -sf "\$cert" "\${target_dir}/fullchain.pem"
##  ln -sf "\$key"  "\${target_dir}/privkey.pem"
##  chmod 644 "\${target_dir}/fullchain.pem" 2>/dev/null || true
##  chmod 600 "\${target_dir}/privkey.pem"  2>/dev/null || true
##  echo "[+] Linked \${target_dir} -> \${le_base}"
##}
##
### Verlinken (nur wenn Host konfiguriert)
##[[ -n "${UI_HOST}"       ]] && link_if "\$UI_LE"      "\$UI_SSL_DIR"
##[[ -n "${WEBMAIL_HOST}"  ]] && link_if "\$WEBMAIL_LE" "\$WEBMAIL_SSL_DIR"
##[[ -n "${MAIL_HOSTNAME}" ]] && link_if "\$MX_LE"      "\$MAIL_SSL_DIR"
##
### Nur reloaden, wenn Nginx aktiv ist (Installer startet ihn später erst)
##if systemctl is-active --quiet nginx; then
##  systemctl reload nginx || true
##fi
##HOOK
##chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh
##
### ────────────────────────────────────────────────────────────────────────────
### 3) 60-mailwolt-tlsa.sh
###    → nutzt Laravel, falls vorhanden; sonst Fallback mit OpenSSL.
###    → schreibt nur, wenn sich der Hash geändert hat (idempotent)
### ────────────────────────────────────────────────────────────────────────────
##cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<'HOOK'
###!/usr/bin/env bash
##set -euo pipefail
##
### installer.env lesen
##set +u
##[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
##set -u
##
##APP_ENV_VAL="${APP_ENV:-production}"
##BASE_DOMAIN_VAL="${BASE_DOMAIN:-example.com}"
##
##case "$APP_ENV_VAL" in
##  local|dev|development) exit 0 ;;
##esac
##[ "$BASE_DOMAIN_VAL" = "example.com" ] && exit 0
##
##MX_HOST="${MAIL_HOSTNAME:-}"
##SERVICE="_25._tcp"
##DNS_DIR="/etc/mailwolt/dns"
##OUT_FILE="${DNS_DIR}/${MX_HOST}.tlsa.txt"
##
### Nur reagieren, wenn MX-Zertifikat betroffen war
##case " ${RENEWED_DOMAINS:-} " in
##  *" ${MX_HOST} "*) ;;
##  *) exit 0 ;;
##esac
##
##CERT="${RENEWED_LINEAGE}/fullchain.pem"
##[ -s "$CERT" ] || exit 0
##
### Wenn Laravel vorhanden ist → interner Command (DB + Datei idempotent)
##if command -v php >/dev/null 2>&1 && [ -d /var/www/mailwolt ]; then
##  cd /var/www/mailwolt || exit 0
##  php artisan dns:tlsa:refresh || true
##  exit 0
##fi
##
### Fallback: nur Datei aktualisieren, wenn Hash sich ändert
##HASH="$(openssl x509 -in "$CERT" -noout -pubkey \
##  | openssl pkey -pubin -outform DER \
##  | openssl dgst -sha256 | sed 's/^.*= //')"
##NEW_LINE="${SERVICE}.${MX_HOST}. IN TLSA 3 1 1 ${HASH}"
##
##mkdir -p "$DNS_DIR"
##
##if [ -r "$OUT_FILE" ] && grep -q "IN TLSA" "$OUT_FILE"; then
##  if grep -q "$HASH" "$OUT_FILE"; then
##    echo "[TLSA] Unverändert – kein Update nötig."
##    exit 0
##  fi
##fi
##
##echo "$NEW_LINE" > "$OUT_FILE"
##echo "[TLSA] Aktualisiert: $NEW_LINE"
##HOOK
##chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh
##
### ────────────────────────────────────────────────────────────────────────────
##echo "[✓] Deploy-Hooks installiert."