#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh

install -d /etc/letsencrypt/renewal-hooks/deploy

cat >/etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh <<'HOOK'
#!/usr/bin/env bash
set -euo pipefail

# Env aus dem Installer laden (falls vorhanden), aber unbound vermeiden
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u

UI_SSL_DIR="/etc/ssl/ui"
WEBMAIL_SSL_DIR="/etc/ssl/webmail"
MAIL_SSL_DIR="/etc/ssl/mail"

# Falls Variablen nicht gesetzt sind → leere Defaults (vermeidet unbound)
UI_HOST="${UI_HOST:-}"
WEBMAIL_HOST="${WEBMAIL_HOST:-}"
MX_HOST="${MAIL_HOSTNAME:-}"

UI_LE="/etc/letsencrypt/live/${UI_HOST}"
WEBMAIL_LE="/etc/letsencrypt/live/${WEBMAIL_HOST}"
MX_LE="/etc/letsencrypt/live/${MX_HOST}"

link_if() {
  local le_base="$1" target_dir="$2"
  local cert="${le_base}/fullchain.pem"
  local key="${le_base}/privkey.pem"
  if [ -f "$cert" ] && [ -f "$key" ]; then
    install -d -m 0755 "$target_dir"
    ln -sf "$cert" "${target_dir}/fullchain.pem"
    ln -sf "$key"  "${target_dir}/privkey.pem"
    echo "[+] Linked ${target_dir} -> ${le_base}"
  fi
}

# Nur linken, wenn Hostnamen vorhanden sind
[ -n "$UI_HOST" ]      && link_if "$UI_LE"      "$UI_SSL_DIR"
[ -n "$WEBMAIL_HOST" ] && link_if "$WEBMAIL_LE" "$WEBMAIL_SSL_DIR"
[ -n "$MX_HOST" ]      && link_if "$MX_LE"      "$MAIL_SSL_DIR"

# Dienste neu laden
systemctl reload nginx || true
systemctl reload postfix dovecot || true
HOOK

chmod +x /etc/letsencrypt/renewal-hooks/deploy/50-mailwolt-symlinks.sh

# --- 60: TLSA-Hook (bei jedem Renew für MX neu berechnen – falls Key doch rotiert) ---
cat >/etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh <<HOOK
#!/usr/bin/env bash
set -euo pipefail
MX_HOST="${MAIL_HOSTNAME}"

# Nur reagieren, wenn das MX-Zert erneuert wurde
case " \${RENEWED_DOMAINS:-} " in
  *" \${MX_HOST} "*) ;;
  *) exit 0 ;;
esac

CERT="\${RENEWED_LINEAGE}/fullchain.pem"
if [[ -s "\$CERT" ]]; then
  HASH="\$(openssl x509 -in "\$CERT" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //')"
  TLSA_LINE="_25._tcp.\${MX_HOST}. IN TLSA 3 1 1 \${HASH}"
  install -d -m 0755 /etc/mailwolt/dns
  echo "\${TLSA_LINE}" > "/etc/mailwolt/dns/\${MX_HOST}.tlsa.txt"
  echo "[TLSA] \${TLSA_LINE}"
fi
HOOK
chmod +x /etc/letsencrypt/renewal-hooks/deploy/60-mailwolt-tlsa.sh