<?php

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Symfony\Component\Process\Process;

class ProvisionCert extends Command
{
    protected $signature = 'mailwolt:provision-cert
        {domain : z.B. mail.example.com}
        {--email= : E-Mail für Let\'s Encrypt}
        {--self-signed : Statt LE ein self-signed Zertifikat erzeugen}';

    protected $description = 'Beschafft ein Zertifikat (LE oder self-signed) und setzt Nginx darauf.';

    private string $sslDir = '/etc/mailwolt/ssl';
    private string $certPath;
    private string $keyPath;

    public function handle(): int
    {
        $domain = $this->argument('domain');
        $email  = (string)$this->option('email');
        $self   = (bool)$this->option('self-signed');

        $this->certPath = "{$this->sslDir}/cert.pem";
        $this->keyPath  = "{$this->sslDir}/key.pem";

        if (!is_dir($this->sslDir)) {
            @mkdir($this->sslDir, 0750, true);
            @chgrp($this->sslDir, 'www-data');
        }

        if ($self) {
            return $this->issueSelfSigned($domain);
        }

        // Versuche Let's Encrypt – bei Fehler fallback self-signed
        $rc = $this->issueLetsEncrypt($domain, $email);
        if ($rc !== 0) {
            $this->warn('Let’s Encrypt fehlgeschlagen – erstelle Self-Signed als Fallback…');
            return $this->issueSelfSigned($domain);
        }
        return $rc;
    }

    private function issueLetsEncrypt(string $domain, string $email): int
    {
        if (empty($email)) {
            $this->error('Für Let’s Encrypt ist --email erforderlich.');
            return 2;
        }

        // Webroot sicherstellen (Nginx-Standort ist im Installer bereits konfiguriert)
        @mkdir('/var/www/letsencrypt', 0755, true);

        $cmd = [
            'bash','-lc',
            // non-interactive, webroot challenge
            "certbot certonly --webroot -w /var/www/letsencrypt -d {$domain} ".
            "--email ".escapeshellarg($email)." --agree-tos --no-eff-email --non-interactive --rsa-key-size 2048"
        ];
        $p = new Process($cmd, null, ['PATH' => getenv('PATH') ?: '/usr/bin:/bin']);
        $p->setTimeout(600);
        $p->run(function($type,$buff){ $this->output->write($buff); });

        if (!$p->isSuccessful()) {
            $this->error('Certbot-Fehler.');
            return 1;
        }

        // Pfade vom Certbot-Store
        $leBase = "/etc/letsencrypt/live/{$domain}";
        $fullchain = "{$leBase}/fullchain.pem";
        $privkey   = "{$leBase}/privkey.pem";

        if (!is_file($fullchain) || !is_file($privkey)) {
            $this->error("LE-Dateien fehlen unter {$leBase}");
            return 1;
        }

        // In unsere Standard-Pfade kopieren (Nginx zeigt bereits darauf)
        if (!@copy($fullchain, $this->certPath) || !@copy($privkey, $this->keyPath)) {
            $this->error('Konnte Zertifikate nicht in /etc/mailwolt/ssl kopieren.');
            return 1;
        }

        @chown($this->certPath, 'root');    @chgrp($this->certPath, 'www-data'); @chmod($this->certPath, 0640);
        @chown($this->keyPath,  'root');    @chgrp($this->keyPath,  'www-data'); @chmod($this->keyPath, 0640);

        // Nginx reload
        $reload = new Process(['bash','-lc','systemctl reload nginx']);
        $reload->run();

        $this->info('Let’s Encrypt Zertifikat gesetzt und Nginx neu geladen.');
        return 0;
    }

    private function issueSelfSigned(string $domain): int
    {
        $cfgPath = "{$this->sslDir}/openssl.cnf";
        $cfg = <<<CFG
[req]
default_bits       = 2048
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn

[dn]
CN = {$domain}
O  = MailWolt
C  = DE

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = {$domain}
CFG;
        @file_put_contents($cfgPath, $cfg);

        $cmd = [
            'bash','-lc',
            "openssl req -x509 -newkey rsa:2048 -days 825 -nodes -keyout {$this->keyPath} -out {$this->certPath} -config {$cfgPath}"
        ];
        $p = new Process($cmd);
        $p->setTimeout(60);
        $p->run(function($t,$b){ $this->output->write($b); });

        if (!$p->isSuccessful()) {
            $this->error('Self-Signed Erstellung fehlgeschlagen.');
            return 1;
        }

        @chown($this->certPath, 'root');    @chgrp($this->certPath, 'www-data'); @chmod($this->certPath, 0640);
        @chown($this->keyPath,  'root');    @chgrp($this->keyPath,  'www-data'); @chmod($this->keyPath, 0640);
        @chmod($this->sslDir, 0750);

        $reload = new Process(['bash','-lc','systemctl reload nginx']);
        $reload->run();

        $this->info('Self-Signed Zertifikat erstellt und Nginx neu geladen.');
        return 0;
    }
}