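#!/usr/bin/env bash
# Issue Let's Encrypt certificates (HTTP-01 via webroot) for the UI, webmail
# and MX hostnames, then write the DANE/TLSA "3 1 1" record for the MX cert.
#
# Expected from ./lib.sh or the environment:
#   BASE_DOMAIN, UI_HOST, WEBMAIL_HOST, MAIL_HOSTNAME   (required under set -u)
#   SERVER_PUBLIC_IPV4 / SERVER_PUBLIC_IPV6             (optional; DNS pre-check)
#   LE_EMAIL    (optional; defaults to admin@BASE_DOMAIN)
#   LE_STAGING  (optional; 1 = use the Let's Encrypt staging CA)
#
# Needs root: writes under /var/www, /etc/letsencrypt and /etc/mailwolt,
# and reloads nginx.
set -euo pipefail
source ./lib.sh

ACME_WEBROOT="/var/www/letsencrypt"
# nginx must serve ${ACME_WEBROOT}/.well-known/acme-challenge/ over plain HTTP
# (port 80) for every hostname below; that is how HTTP-01 validation works.
install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"

CERTBOT_EXTRA=()
LE_STAGING="${LE_STAGING:-0}"   # 1 = use the Let's Encrypt staging CA
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)

#######################################
# Check that $host resolves to at least one of this server's public IPs.
# Globals:   SERVER_PUBLIC_IPV4, SERVER_PUBLIC_IPV6 (read)
# Arguments: $1 - hostname
# Returns:   0 if a resolved address matches, or if neither public IP is
#            known (deliberately non-blocking); 1 otherwise
#######################################
resolve_ok() {
  local host="$1"
  local -a wanted=()
  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && wanted+=(-e "$SERVER_PUBLIC_IPV4")
  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && wanted+=(-e "$SERVER_PUBLIC_IPV6")
  # If nothing is known, do not block issuance.
  [[ ${#wanted[@]} -eq 0 ]] && return 0

  # Resolve first, match afterwards: with pipefail, `grep -q` closing the pipe
  # early could otherwise turn a successful match into an EPIPE failure in sort.
  local addrs
  addrs="$(getent ahosts "$host" | awk '{print $1}' | sort -u)" || addrs=""
  [[ -n "$addrs" ]] || return 1

  # Fixed-string, whole-line match: no regex escaping of '.' or ':' needed,
  # and the IP values can never be interpreted as a pattern.
  # NOTE(review): IPv6 is compared textually; SERVER_PUBLIC_IPV6 must use the
  # same (compressed) spelling getent prints, e.g. 2001:db8::1 -- confirm.
  grep -Fxq "${wanted[@]}" <<<"$addrs"
}

#######################################
# Verify that http://$host/.well-known/acme-challenge/ is served from
# ACME_WEBROOT on this machine: a cheap dry run of HTTP-01 before certbot.
# Globals:   ACME_WEBROOT (read)
# Arguments: $1 - hostname
# Outputs:   curl errors on stderr; nothing on stdout
# Returns:   0 if the body fetched over IPv4 or IPv6 equals the token just
#            written, 1 otherwise
#######################################
probe_http() {
  local host="$1"
  local probe_file="${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
  local url="http://${host}/.well-known/acme-challenge/_probe"
  local token body fam rc=1

  # Compare a random token against the response body: an HTTP 200 alone is
  # not proof, since any other server the name points at could answer 200.
  token="$(openssl rand -hex 16)"
  printf '%s\n' "$token" > "$probe_file"

  for fam in -4 -6; do
    body="$(curl -fsS --max-time 5 "$fam" "$url")" || continue
    if [[ "$body" == "$token" ]]; then
      rc=0
      break
    fi
  done

  rm -f -- "$probe_file"   # do not leave the probe file in the webroot
  return "$rc"
}

#######################################
# Obtain (or renew) a certificate for $host via certbot --webroot.
# Returns 0 early when DNS does not point here yet. A failed HTTP probe only
# warns; certbot is still run so its own diagnostics are visible.
# Globals:   ACME_WEBROOT, MAIL_HOSTNAME, LE_EMAIL, BASE_DOMAIN,
#            CERTBOT_EXTRA (read)
# Arguments: $1 - hostname
# Returns:   always 0 -- a certbot failure is reported but not fatal, so the
#            remaining hosts are still processed
#######################################
issue() {
  local host="$1"
  local -a extra_args=()
  echo "[i] Versuche LE für ${host} …"
  resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher – skip ${host}"; return 0; }
  if ! probe_http "$host"; then
    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
  fi
  # MX: keep the key pair across renewals so the TLSA 3 1 1 record stays valid.
  [[ "$host" == "$MAIL_HOSTNAME" ]] && extra_args+=(--reuse-key)
  # ${arr[@]+"${arr[@]}"} keeps empty arrays safe under set -u on bash < 4.4.
  # Failure must not abort the other hosts, but must not pass silently either.
  certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
    --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
    ${extra_args[@]+"${extra_args[@]}"} ${CERTBOT_EXTRA[@]+"${CERTBOT_EXTRA[@]}"} \
    || echo "[!] certbot für ${host} fehlgeschlagen – Ausgabe oben prüfen."
}

if [[ "$BASE_DOMAIN" != "example.com" ]]; then
  issue "$UI_HOST"
  issue "$WEBMAIL_HOST"
  issue "$MAIL_HOSTNAME"
  systemctl reload nginx || true   # best effort: let nginx pick up new certs

  # Write the TLSA record once now (the renewal hook does it on renewals).
  MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
  if [[ -s "$MX_CERT" ]]; then
    # 3 1 1 = DANE-EE, SubjectPublicKeyInfo, SHA-256: hash of the leaf cert's
    # public key (first cert in fullchain.pem), independent of the CA chain.
    # The last field of `openssl dgst` output is the hex digest regardless of
    # the "(stdin)= " / "SHA2-256(stdin)= " prefix.
    HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{print $NF}')"
    # Sanity check before publishing: a SHA-256 digest is exactly 64 hex chars.
    if [[ "$HASH" =~ ^[0-9a-f]{64}$ ]]; then
      TLSA_LINE="_25._tcp.${MAIL_HOSTNAME}. IN TLSA 3 1 1 ${HASH}"
      install -d -m 0755 /etc/mailwolt/dns
      echo "${TLSA_LINE}" > "/etc/mailwolt/dns/${MAIL_HOSTNAME}.tlsa.txt"
      echo "[TLSA] ${TLSA_LINE}"
      # NOTE(review): with LE_STAGING=1 this hash comes from the staging
      # certificate's key; re-check it after the first production issuance
      # before publishing the record in DNS.
    else
      echo "[!] TLSA-Hash für ${MAIL_HOSTNAME} konnte nicht berechnet werden – Record nicht geschrieben."
    fi
  fi
else
  echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
fi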