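#!/usr/bin/env bash
# TLS provisioning for the mail / UI / webmail endpoints:
#   1. self-signed fallback certificates so the services can start,
#   2. Let's Encrypt issuance (HTTP-01 webroot) for hosts whose DNS already
#      points at this machine,
#   3. a certbot deploy hook that re-points the stable /etc/ssl/* symlinks
#      after every renewal.
#
# Provided by ./lib.sh (not visible here): ensure_dir, log, warn, resolve_ok and
# the variables SERVER_PUBLIC_IPV4, APP_NAME, BASE_DOMAIN, LE_EMAIL, UI_HOST,
# WEBMAIL_HOST, MAIL_HOSTNAME.
set -euo pipefail
source ./lib.sh

# Fail early with a readable message rather than an unbound-variable error
# from inside an openssl/certbot argument list. LE_EMAIL is checked only when
# issuance is actually attempted (see issue_cert).
: "${SERVER_PUBLIC_IPV4:?SERVER_PUBLIC_IPV4 must be set}"
: "${APP_NAME:?APP_NAME must be set}"
: "${BASE_DOMAIN:?BASE_DOMAIN must be set}"
: "${UI_HOST:?UI_HOST must be set}"
: "${WEBMAIL_HOST:?WEBMAIL_HOST must be set}"
: "${MAIL_HOSTNAME:?MAIL_HOSTNAME must be set}"

# Stable paths the services are configured against; LE material is symlinked
# into them so service configs never need to know about /etc/letsencrypt.
readonly MAIL_SSL_DIR="/etc/ssl/mail"
readonly UI_SSL_DIR="/etc/ssl/ui"
readonly WEBMAIL_SSL_DIR="/etc/ssl/webmail"
readonly LE_WEBROOT="/var/www/letsencrypt"
readonly LE_LIVE="/etc/letsencrypt/live"
readonly HOOK_DIR="/etc/letsencrypt/renewal-hooks/deploy"
readonly HOOK_PATH="${HOOK_DIR}/50-mailwolt-symlinks.sh"

#######################################
# Create a self-signed fallback certificate in a directory if none exists.
# The subject uses the public IPv4 as CN and carries no SAN; it only exists so
# services can start before (or without) a Let's Encrypt certificate.
# Arguments: $1 - target directory (writes fullchain.pem and privkey.pem)
# Globals:   SERVER_PUBLIC_IPV4, APP_NAME (certificate subject)
# Returns:   0; an openssl failure aborts the script via set -e
#######################################
self_signed() {
  local dir="$1"
  local cert="${dir}/fullchain.pem" key="${dir}/privkey.pem"
  # An existing non-empty pair (plain files or live LE symlinks) is kept.
  [[ -s "$cert" && -s "$key" ]] && return 0
  log "Self-signed für $dir …"
  # umask 077 in a subshell: the private key is never world-readable, not even
  # in the window before the chmod below. stderr is left visible so an openssl
  # failure (which aborts the script) can be diagnosed.
  (
    umask 077
    openssl req -x509 -newkey rsa:2048 -sha256 -days 825 -nodes \
      -subj "/CN=${SERVER_PUBLIC_IPV4}/O=${APP_NAME}/C=DE" \
      -keyout "$key" -out "$cert" >/dev/null
  )
  chmod 600 "$key"
  chmod 644 "$cert"
}

#######################################
# Request a Let's Encrypt certificate via the HTTP-01 webroot challenge.
# Skipped when DNS for the host does not resolve to this machine (resolve_ok
# from lib.sh). A certbot failure is only warned about; the self-signed
# certificate stays active.
# Arguments: $1 - hostname to issue for
# Globals:   LE_EMAIL, LE_WEBROOT
# Returns:   0 in all cases
#######################################
issue_cert() {
  local host="$1"
  if ! resolve_ok "$host"; then
    warn "DNS zeigt nicht auf diese IP: $host – LE wird übersprungen."
    return 0
  fi
  : "${LE_EMAIL:?LE_EMAIL must be set for Let's Encrypt issuance}"
  log "LE für $host …"
  # NOTE: the web server must serve $LE_WEBROOT under
  # http://$host/.well-known/acme-challenge/ for this to succeed; that
  # configuration is not part of this script.
  if ! certbot certonly --agree-tos -m "${LE_EMAIL}" \
      --non-interactive --webroot -w "$LE_WEBROOT" -d "$host"; then
    warn "LE fehlgeschlagen für $host – Self-signed bleibt aktiv."
  fi
}

#######################################
# Point a stable cert directory at the Let's Encrypt lineage of a host,
# replacing the self-signed files with symlinks. No-op when no LE cert exists.
# Arguments: $1 - hostname, $2 - target directory
# Globals:   LE_LIVE
# Returns:   0
#######################################
link_if_present() {
  local host="$1" target_dir="$2"
  local base="${LE_LIVE}/${host}"
  [[ -f "$base/fullchain.pem" && -f "$base/privkey.pem" ]] || return 0
  # NOTE(review): certbot keeps the live/archive tree and privkey.pem root-only;
  # anything reading through these symlinks must do so as root — confirm for
  # the consumers of $target_dir.
  ln -sf "$base/fullchain.pem" "$target_dir/fullchain.pem"
  ln -sf "$base/privkey.pem" "$target_dir/privkey.pem"
  log "TLS verlinkt: $target_dir -> $base"
}

ensure_dir root root 0755 "$MAIL_SSL_DIR"
ensure_dir root root 0755 "$UI_SSL_DIR"
ensure_dir root root 0755 "$WEBMAIL_SSL_DIR"
ensure_dir root root 0755 "$LE_WEBROOT"

# Fallback material first so every service has something to load.
self_signed "$MAIL_SSL_DIR"
self_signed "$UI_SSL_DIR"
self_signed "$WEBMAIL_SSL_DIR"

# Real domain configured? Then try Let's Encrypt; "example.com" is the
# unconfigured default and stays on the self-signed certificates.
if [[ "$BASE_DOMAIN" != "example.com" ]]; then
  issue_cert "$UI_HOST"
  issue_cert "$WEBMAIL_HOST"
  issue_cert "$MAIL_HOSTNAME"
  link_if_present "$UI_HOST" "$UI_SSL_DIR"
  link_if_present "$WEBMAIL_HOST" "$WEBMAIL_SSL_DIR"
  link_if_present "$MAIL_HOSTNAME" "$MAIL_SSL_DIR"
else
  warn "BASE_DOMAIN=example.com – bleibe bei Self-signed."
fi

# certbot deploy hook: keep the symlinks current after every renewal.
# certbot runs hooks with its own environment, so UI_HOST & co. are NOT
# available at renewal time — with `set -u` a hook that references them would
# abort. The host names and directories are therefore baked into the file at
# install time (printf %q keeps them bash-safe); the rest of the hook is a
# literal heredoc and is expanded only when the hook runs.
install -d -m 0755 "$HOOK_DIR"
{
  printf '#!/usr/bin/env bash\nset -euo pipefail\n'
  printf 'UI_SSL_DIR=%q\nWEBMAIL_SSL_DIR=%q\nMAIL_SSL_DIR=%q\n' \
    "$UI_SSL_DIR" "$WEBMAIL_SSL_DIR" "$MAIL_SSL_DIR"
  printf 'UI_HOST=%q\nWEBMAIL_HOST=%q\nMX_HOST=%q\n' \
    "$UI_HOST" "$WEBMAIL_HOST" "$MAIL_HOSTNAME"
  cat <<'HOOK'
# Re-point a stable cert directory at the LE lineage of a host, if present.
link_if() {
  local le_base="/etc/letsencrypt/live/$1" target_dir="$2"
  if [[ -f "$le_base/fullchain.pem" && -f "$le_base/privkey.pem" ]]; then
    install -d -m 0755 "$target_dir"
    ln -sf "$le_base/fullchain.pem" "$target_dir/fullchain.pem"
    ln -sf "$le_base/privkey.pem" "$target_dir/privkey.pem"
    echo "[+] Linked $target_dir -> $le_base"
  fi
}
link_if "$UI_HOST" "$UI_SSL_DIR"
link_if "$WEBMAIL_HOST" "$WEBMAIL_SSL_DIR"
link_if "$MX_HOST" "$MAIL_SSL_DIR"
# NOTE(review): only nginx is reloaded here; whatever serves MAIL_SSL_DIR
# (MTA / IMAP daemons) keeps the old certificate loaded until it is reloaded
# as well — add that reload once the service names are known.
systemctl reload nginx || true
HOOK
} > "$HOOK_PATH"
chmod 0755 "$HOOK_PATH"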