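#!/usr/bin/env bash
#
# Renew (or, on first run, issue) the Let's Encrypt certificate for DOMAIN with
# the certbot container and the webroot challenge, copy the chain and private
# key into certs/, then recreate the reverse_proxy service so it loads them.
#
# Layout under ROOT_DIR (the parent of this script's directory):
#   acme/             webroot served for /.well-known/acme-challenge
#   letsencrypt/      certbot state, including the account key and private keys
#   letsencrypt_lib/  certbot working directory
#   certs/            server.crt / server.key copies, presumably mounted by the
#                     reverse proxy (confirm against docker-compose.yml)
set -euo pipefail

DOMAIN="dev4.4nkweb.com"
EMAIL="admin@4nkweb.com"

# No tag or digest is given, so every run uses whatever the registry currently
# serves as the default tag. This container gets the ACME account key and the
# TLS private key mounted read-write; pinning to a reviewed version or digest
# is the safer choice.
CERTBOT_IMAGE="certbot/certbot"

ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
LIVE_DIR="$ROOT_DIR/letsencrypt/live/$DOMAIN"

mkdir -p \
  "$ROOT_DIR/acme/.well-known/acme-challenge" \
  "$ROOT_DIR/letsencrypt" \
  "$ROOT_DIR/letsencrypt_lib" \
  "$ROOT_DIR/certs"

# Renewal and first issuance must see the same volumes, otherwise certbot will
# not find the lineage it created earlier; keep the mounts in one place.
certbot=(
  docker run --rm
  -v "$ROOT_DIR/acme:/var/www/certbot"
  -v "$ROOT_DIR/letsencrypt:/etc/letsencrypt"
  -v "$ROOT_DIR/letsencrypt_lib:/var/lib/letsencrypt"
  "$CERTBOT_IMAGE"
)

# Renewal is best-effort (there is nothing to renew on a first run), but a
# failure is reported instead of being discarded, so an expiring certificate
# does not go unnoticed.
if ! "${certbot[@]}" renew --non-interactive; then
  printf 'warning: certbot renew failed; continuing with the existing certificate, if any\n' >&2
fi

# Fallback: issue if missing (first time).
# NOTE(review): certbot normally creates live/ as root with restrictive
# permissions, so this test and the copies below presumably need to run as
# root; as another user the test would always report "missing". Confirm.
if [[ ! -f "$LIVE_DIR/fullchain.pem" ]]; then
  "${certbot[@]}" certonly --webroot -w /var/www/certbot \
    -d "$DOMAIN" --email "$EMAIL" --agree-tos --non-interactive
fi

# Check both halves before copying either, so a failed issuance cannot leave
# certs/ holding a certificate and key that do not belong together.
for pem in fullchain.pem privkey.pem; do
  if [[ ! -f "$LIVE_DIR/$pem" ]]; then
    printf 'error: %s is missing; not touching %s\n' "$LIVE_DIR/$pem" "$ROOT_DIR/certs" >&2
    exit 1
  fi
done

# The certificate is public (0644); the key stays owner-only (0600).
install -m 0644 "$LIVE_DIR/fullchain.pem" "$ROOT_DIR/certs/server.crt"
install -m 0600 "$LIVE_DIR/privkey.pem" "$ROOT_DIR/certs/server.key"

# Reload reverse proxy with updated files
docker compose -f "$ROOT_DIR/docker-compose.yml" up -d --no-deps --force-recreate reverse_proxy

printf '%s\n' "Certificates installed for $DOMAIN and reverse proxy reloaded."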