#!/usr/bin/env bash
set -euo pipefail

CERT_DIR="${1:-./certs}"
mkdir -p "$CERT_DIR"
chmod 700 "$CERT_DIR"

CN="${CN:-$(hostname -I | awk '{print $1}')}"
KEY="$CERT_DIR/server.key"
CRT="$CERT_DIR/server.crt"

echo "Génération certificat auto-signé pour CN=${CN} dans ${CERT_DIR}"
openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
  -keyout "$KEY" -out "$CRT" \
  -subj "/CN=${CN}" >/dev/null 2>&1 || {
  echo "openssl a échoué"; exit 1; }

echo "Certificats générés:"
ls -l "$KEY" "$CRT"
chmod 600 "$KEY"
chmod 644 "$CRT"