#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh

ACME_WEBROOT="/var/www/letsencrypt"
install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"

# Let's Encrypt: Staging optional (für Tests)
CERTBOT_EXTRA=()
LE_STAGING="${LE_STAGING:-0}"
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)

# Einheitliche LE-E-Mail mit Fallback
LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"

# DNS zeigt auf diese Kiste?
resolve_ok() {
  local host="$1"
  local pats=()
  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
  [[ ${#pats[@]} -eq 0 ]] && return 0
  getent ahosts "$host" | awk '{print $1}' | sort -u \
    | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
}

# HTTP-01 erreichbar?
probe_http() {
  local host="$1"
  echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
  curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
  || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
}

# Ein Zertifikat ausstellen
issue() {
  local host="$1"
  [[ -z "$host" ]] && return 0

  echo "[i] Versuche LE für ${host} …"

  if ! resolve_ok "$host"; then
    echo "[!] DNS zeigt (noch) nicht hierher – überspringe: ${host}"
    return 0
  fi

  if ! probe_http "$host"; then
    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
  fi

  EXTRA_ARGS=()
  # MX: Key wiederverwenden → stabiler TLSA-Hash (3 1 1)
  [[ "${host}" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key)

  certbot certonly \
    --agree-tos -m "${LE_MAIL}" --non-interactive \
    --webroot -w "${ACME_WEBROOT}" -d "${host}" \
    --deploy-hook /usr/local/sbin/mw-deploy.sh \
    "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
}

# ------------------- Hauptlauf -------------------
if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
  issue "${UI_HOST:-}"
  issue "${WEBMAIL_HOST:-}"
  issue "${MAIL_HOSTNAME:-}"

  # Falls Deploy-Hook erst JETZT angelegt wurde: einmal manuell ausführen
  if [[ -x /usr/local/sbin/mw-deploy.sh ]]; then
    /usr/local/sbin/mw-deploy.sh || true
  fi

  # Nginx nur neu laden, wenn aktiv
  if systemctl is-active --quiet nginx; then
    systemctl reload nginx || true
  fi
else
  echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
fi

##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#ACME_WEBROOT="/var/www/letsencrypt"
#install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
#
## Let's Encrypt: Staging optional aktivieren (keine echten Zertifikate)
#CERTBOT_EXTRA=()
#LE_STAGING="${LE_STAGING:-0}"  # 1 = Staging
#[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
#
## Einheitliche LE-E-Mail mit Fallback
#LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"
#
## DNS-Auflösung gegen unsere bekannte(n) IP(s) prüfen (nur als Warnsignal)
#resolve_ok() {
#  local host="$1"
#  local pats=()
#  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
#  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
#  [[ ${#pats[@]} -eq 0 ]] && return 0
#  getent ahosts "$host" | awk '{print $1}' | sort -u \
#    | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
#}
#
## HTTP-01 Erreichbarkeit schnell antesten (IPv4/IPv6)
#probe_http() {
#  local host="$1"
#  echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
#  curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
#  || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
#}
#
## Ein Zertifikat für einen Host ausstellen
#issue() {
#  local host="$1"
#  [[ -z "$host" ]] && return 0
#
#  echo "[i] Versuche LE für ${host} …"
#
#  if ! resolve_ok "$host"; then
#    echo "[!] DNS zeigt (noch) nicht hierher – überspringe: ${host}"
#    return 0
#  fi
#
#  if ! probe_http "$host"; then
#    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
#    # wir versuchen es trotzdem – Certbot meldet sich, falls es scheitert
#  fi
#
#  # Für MX den Key wiederverwenden (stabiler TLSA-Hash 3 1 1)
#  EXTRA_ARGS=()
#  [[ "${host}" == "${MAIL_HOSTNAME}" ]] && EXTRA_ARGS+=(--reuse-key)
#
#  certbot certonly \
#    --agree-tos -m "${LE_MAIL}" --non-interactive \
#    --webroot -w "${ACME_WEBROOT}" -d "${host}" \
#    --deploy-hook /usr/local/sbin/mw-deploy.sh \
#    "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
#}
#
## -----------------------------------------------------------------------------
## Hauptlauf
## -----------------------------------------------------------------------------
#if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
#  issue "${UI_HOST:-}"
#  issue "${WEBMAIL_HOST:-}"
#  issue "${MAIL_HOSTNAME:-}"
#
#  # Der Deploy-Hook hat Symlinks bereits gesetzt und nginx ggf. neu geladen.
#  # Optional trotzdem manuell ausführen (harmlos, hilft bei exotischen Setups):
#  if [[ -d /etc/letsencrypt/renewal-hooks/deploy ]]; then
#    run-parts /etc/letsencrypt/renewal-hooks/deploy || true
#  fi
#  if systemctl is-active --quiet nginx; then
#    systemctl reload nginx || true
#  fi
#else
#  echo "[i] BASE_DOMAIN=example.com – LE-Ausstellung wird übersprungen."
#fi
#
###!/usr/bin/env bash
##set -euo pipefail
##source ./lib.sh
##
##ACME_WEBROOT="/var/www/letsencrypt"
##install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
##
##CERTBOT_EXTRA=()
##LE_STAGING="${LE_STAGING:-0}"  # 1 = Let's Encrypt Staging aktivieren
##[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
##
##resolve_ok() {
##  local host="$1"
##  local pats=()
##  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
##  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
##  # Wenn gar nichts bekannt ist, lieber nicht blockieren:
##  [[ ${#pats[@]} -eq 0 ]] && return 0
##  getent ahosts "$host" | awk '{print $1}' | sort -u \
##    | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
##}
##
##probe_http() {
##  local host="$1"
##  echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
##  curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
##  || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
##}
##
##issue() {
##  local host="$1"
##  echo "[i] Versuche LE für ${host} …"
##  resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher – skip ${host}"; return 0; }
##
##  if ! probe_http "$host"; then
##    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
##  fi
##
##  # MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
##  EXTRA_ARGS=()
##  [[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
##
##  certbot certonly --agree-tos -m "$LE_EMAIL" --non-interactive \
##    --webroot -w "$ACME_WEBROOT" -d "$UI_HOST" \
##    --deploy-hook /usr/local/sbin/mw-deploy.sh
##
##  certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
##    --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
##    "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
##}
##
##if [[ "$BASE_DOMAIN" != "example.com" ]]; then
##  issue "$UI_HOST"
##  issue "$WEBMAIL_HOST"
##  issue "$MAIL_HOSTNAME"
##
##run-parts /etc/letsencrypt/renewal-hooks/deploy || true
##systemctl reload nginx || true
##
##  # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
##  MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
##  if [[ -s "$MX_CERT" ]]; then
##    HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
##      | openssl pkey -pubin -outform DER \
##      | openssl dgst -sha256 | sed 's/^.*= //')"
##    TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
##    install -d -m 0755 /etc/mailwolt/dns
##    echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
##    echo "[TLSA] ${TLSA_LINE}"
##  fi
##else
##  echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
##fi