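#!/bin/bash
# SSL Certificate Setup Script for VPS Deployment
# This script helps set up SSL certificates for your nginx configuration.
#
# What it does:
#   - If DOMAIN is a bare IPv4 address, a self-signed certificate is generated
#     (Let's Encrypt does not issue certificates for IP addresses).
#   - Otherwise a Let's Encrypt certificate is obtained with certbot's webroot
#     challenge, the cert/key are copied into SSL_DIR, and a daily renewal cron
#     job is installed that refreshes those copies and restarts nginx.
#
# Assumption (not checked here): for the Let's Encrypt path, nginx must already
# serve "$SSL_DIR/webroot" on port 80 for the ACME challenge — confirm before use.
#
# Configuration: the variables below keep the original defaults but may be
# overridden from the environment (e.g. DOMAIN=example.org ./setup-ssl.sh).
set -euo pipefail

DOMAIN="${DOMAIN:-candivista.com}"
EMAIL="${EMAIL:-blindxfish@gmail.com}" # Change this to your email
# shellcheck disable=SC2034 — kept for compatibility; not used by this script
NGINX_CONF_DIR="${NGINX_CONF_DIR:-./nginx}"
SSL_DIR="${SSL_DIR:-./nginx/ssl}"

echo "Setting up SSL certificates for $DOMAIN"

# Create SSL directory if it doesn't exist
mkdir -p "$SSL_DIR"

# The renew script is later started by cron from cron's own working directory,
# where a relative "./nginx/ssl" would not resolve — use absolute paths for
# everything that ends up in the cron entry or the generated script.
ABS_SSL_DIR="$(cd "$SSL_DIR" && pwd)"
# Directory the script is run from; docker-compose.yml is expected here, and
# the renew script cds back to it so "docker-compose restart" finds the project.
PROJECT_DIR="$(pwd)"
# Owner for the copied cert/key (current user and primary group).
OWNER="$(id -un):$(id -gn)"

#######################################
# Make the private key readable by its owner only; the certificate is public.
# Globals:   ABS_SSL_DIR (read)
# Returns:   0 on success, non-zero if chmod fails (script then exits via -e)
#######################################
secure_key_perms() {
  chmod 600 "$ABS_SSL_DIR/key.pem"
  chmod 644 "$ABS_SSL_DIR/cert.pem"
}

# Check if we have a domain name or just IP
if [[ $DOMAIN =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "IP address detected: $DOMAIN"
  echo "For IP addresses, you'll need to use self-signed certificates or a service like Cloudflare"
  echo "Generating self-signed certificate..."

  # Generate self-signed certificate
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$ABS_SSL_DIR/key.pem" \
    -out "$ABS_SSL_DIR/cert.pem" \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=$DOMAIN"
  secure_key_perms

  echo "Self-signed certificate generated successfully!"
  echo "Note: Browsers will show a security warning for self-signed certificates."
  echo "For production, consider using Cloudflare or a domain name with Let's Encrypt."
else
  echo "Domain name detected: $DOMAIN"
  echo "Setting up Let's Encrypt certificate..."

  # Install certbot if not already installed
  if ! command -v certbot >/dev/null 2>&1; then
    echo "Installing certbot..."
    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
      sudo apt-get update
      sudo apt-get install -y certbot
    elif [[ "$OSTYPE" == "darwin"* ]]; then
      brew install certbot
    else
      echo "Please install certbot manually for your OS"
      exit 1
    fi
  fi

  # Create webroot directory for Let's Encrypt challenge
  mkdir -p "$ABS_SSL_DIR/webroot/.well-known/acme-challenge"

  # Get certificate
  sudo certbot certonly --webroot \
    -w "$ABS_SSL_DIR/webroot" \
    -d "$DOMAIN" \
    --email "$EMAIL" \
    --agree-tos \
    --non-interactive

  # Copy certificates to our SSL directory and lock down the key
  LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
  sudo cp "$LIVE_DIR/fullchain.pem" "$ABS_SSL_DIR/cert.pem"
  sudo cp "$LIVE_DIR/privkey.pem" "$ABS_SSL_DIR/key.pem"
  sudo chown "$OWNER" "$ABS_SSL_DIR/cert.pem" "$ABS_SSL_DIR/key.pem"
  secure_key_perms

  echo "Let's Encrypt certificate installed successfully!"
  echo "Setting up auto-renewal..."

  # Add renewal script. Unquoted heredoc on purpose: all paths are baked in at
  # setup time so the script is self-contained when cron runs it. After
  # "certbot renew" the copies in SSL_DIR must be refreshed too, otherwise
  # nginx keeps serving the old (expiring) certificate.
  # NOTE(review): this runs from cron, so the sudo calls must not prompt for a
  # password for the installing user — verify sudoers before relying on it.
  cat > "$ABS_SSL_DIR/renew.sh" <<EOF
#!/bin/bash
# Generated by the SSL setup script: renew the Let's Encrypt certificate,
# refresh the copies nginx reads, and restart nginx so it picks them up.
set -euo pipefail
cd "$PROJECT_DIR"
sudo certbot renew --quiet
sudo cp "$LIVE_DIR/fullchain.pem" "$ABS_SSL_DIR/cert.pem"
sudo cp "$LIVE_DIR/privkey.pem" "$ABS_SSL_DIR/key.pem"
sudo chown "$OWNER" "$ABS_SSL_DIR/cert.pem" "$ABS_SSL_DIR/key.pem"
chmod 600 "$ABS_SSL_DIR/key.pem"
docker-compose restart nginx
EOF
  chmod +x "$ABS_SSL_DIR/renew.sh"

  # Add to crontab for auto-renewal. "|| true" keeps a missing crontab from
  # aborting under set -e; the grep guard avoids stacking duplicate entries
  # when the setup script is re-run.
  CRON_LINE="0 12 * * * $ABS_SSL_DIR/renew.sh"
  if ! (crontab -l 2>/dev/null || true) | grep -qF -- "$CRON_LINE"; then
    (crontab -l 2>/dev/null || true; echo "$CRON_LINE") | crontab -
  fi

  echo "Auto-renewal configured!"
fi

echo "SSL setup complete!"
echo "Certificate: $ABS_SSL_DIR/cert.pem"
echo "Private key: $ABS_SSL_DIR/key.pem"
echo ""
echo "Next steps:"
echo "1. Update your .env file with production values"
echo "2. Run: docker-compose -f docker-compose.yml --env-file env.production up -d"
echo "3. Test your setup: https://$DOMAIN"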