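#!/bin/bash
# ============================================
# SSL certificate bootstrap script (Certbot)
# ============================================
# Prerequisites:
#   1. The domains already resolve to this server
#   2. Port 80 is reachable from the internet
#   3. Docker and Docker Compose are installed
# ============================================
# All four domains are issued on ONE certificate lineage, so only one
# directory appears under /etc/letsencrypt/live (named by --cert-name;
# certbot's default is the first -d domain). copy_certs fans that single
# fullchain/privkey pair out to one .crt/.key per domain so the nginx
# templates can keep per-domain paths.
#
# Optional environment overrides (defaults match the original behaviour):
#   DOMAIN_RESUME_WEB, DOMAIN_MINIAPP_WEB, DOMAIN_RESUME_API, DOMAIN_MINIAPP_API
#   CERTBOT_EMAIL    - contact address registered with Let's Encrypt
#   CERT_NAME        - certbot lineage name (default: first domain)
#   NGINX_CONTAINER  - container reloaded after renewal (default: main-nginx)
set -euo pipefail

DOMAIN_RESUME_WEB=${DOMAIN_RESUME_WEB:-me.dxz99wyr.cn}
DOMAIN_MINIAPP_WEB=${DOMAIN_MINIAPP_WEB:-www.dxz99wyr.cn}
DOMAIN_RESUME_API=${DOMAIN_RESUME_API:-api-resume.dxz99wyr.cn}
DOMAIN_MINIAPP_API=${DOMAIN_MINIAPP_API:-api-miniapp.dxz99wyr.cn}
CERTBOT_EMAIL=${CERTBOT_EMAIL:-admin@dxz99wyr.cn}
# Pinning the lineage name keeps re-runs from creating "<name>-0001" copies
CERT_NAME=${CERT_NAME:-$DOMAIN_RESUME_WEB}
NGINX_CONTAINER=${NGINX_CONTAINER:-main-nginx}

DOMAINS=("$DOMAIN_RESUME_WEB" "$DOMAIN_MINIAPP_WEB" "$DOMAIN_RESUME_API" "$DOMAIN_MINIAPP_API")

# Directory the copied certificates are written to
# (presumably mounted into the nginx container — confirm against docker-compose)
SSL_DIR="$(cd "$(dirname "$0")/.." && pwd)/nginx/ssl"
# Certbot's live directory: symlinks to the current cert/key of each lineage
CERT_DIR="/etc/letsencrypt/live"
# Hook generated by write_renew_hook; certbot runs it after every successful
# renewal so the copies in SSL_DIR do not go stale
RENEW_HOOK="$SSL_DIR/renew-hook.sh"

mkdir -p "$SSL_DIR"

#######################################
# Install certbot with whichever package manager is present.
# Outputs:  progress messages on stdout
# Returns:  0 on success; exits 1 when no supported package manager exists
#######################################
install_certbot() {
  echo "正在安装 Certbot..."
  if command -v apt-get >/dev/null 2>&1; then
    apt-get update
    apt-get install -y certbot
  elif command -v yum >/dev/null 2>&1; then
    yum install -y certbot
  elif command -v apk >/dev/null 2>&1; then
    apk add certbot
  else
    echo "错误:无法自动安装 Certbot,请手动安装"
    exit 1
  fi
}

#######################################
# Copy the lineage's fullchain/privkey into SSL_DIR, once per domain.
# Globals:  CERT_DIR, CERT_NAME, SSL_DIR, DOMAINS (read)
# Outputs:  one "已复制证书" line per domain on stdout
# Returns:  0 on success, 1 when the lineage directory is missing
#######################################
copy_certs() {
  local live="$CERT_DIR/$CERT_NAME"
  local domain
  if [ ! -d "$live" ]; then
    echo "错误:未找到证书目录 $live" >&2
    return 1
  fi
  for domain in "${DOMAINS[@]}"; do
    cp "$live/fullchain.pem" "$SSL_DIR/$domain.crt"
    cp "$live/privkey.pem" "$SSL_DIR/$domain.key"
    # cp keeps the mode of a pre-existing target; the private key copy must
    # never be readable by other users of the project checkout
    chmod 600 "$SSL_DIR/$domain.key"
    echo "已复制证书: $domain"
  done
}

#######################################
# Write the renewal hook certbot runs after a successful renew: it
# re-copies the fresh files into SSL_DIR and reloads the nginx container.
# Globals:  RENEW_HOOK, CERT_DIR, CERT_NAME, SSL_DIR, DOMAINS,
#           NGINX_CONTAINER (read)
# Outputs:  creates $RENEW_HOOK (mode 700)
#######################################
write_renew_hook() {
  local domain_list
  # %q yields shell-quoted words that the generated loop can word-split safely
  printf -v domain_list '%q ' "${DOMAINS[@]}"
  # Unquoted EOF: paths are baked in at generation time; \$domain stays literal
  cat > "$RENEW_HOOK" <<EOF
#!/bin/bash
# Generated by $(basename "$0"); re-run that script to regenerate.
set -euo pipefail
for domain in $domain_list; do
  cp "$CERT_DIR/$CERT_NAME/fullchain.pem" "$SSL_DIR/\$domain.crt"
  cp "$CERT_DIR/$CERT_NAME/privkey.pem" "$SSL_DIR/\$domain.key"
  chmod 600 "$SSL_DIR/\$domain.key"
done
docker exec "$NGINX_CONTAINER" nginx -s reload
EOF
  chmod 700 "$RENEW_HOOK"
}

#######################################
# Install (idempotently) the daily crontab entry that renews the
# certificate and runs the renewal hook.
# Globals:  RENEW_HOOK (read)
#######################################
install_cron() {
  local existing
  local cron_line="0 3 * * * certbot renew --quiet --deploy-hook '$RENEW_HOOK'"
  # `crontab -l` fails with no crontab and `grep -v` exits 1 when it selects
  # nothing; neither may abort the script (set -e / pipefail), so guard here
  # instead of inside the subshell that feeds `crontab -`
  existing=$(crontab -l 2>/dev/null | grep -v "certbot renew" || true)
  {
    [ -n "$existing" ] && printf '%s\n' "$existing"
    printf '%s\n' "$cron_line"
  } | crontab -
}

#######################################
# Entry point: install certbot if needed, request the certificate,
# copy it into the project tree and schedule renewal.
# Globals:  all of the above (read)
# Returns:  exits 1 when certbot cannot be installed or issuance fails
#######################################
main() {
  local domain
  local -a domain_args=()

  echo "=========================================="
  echo " SSL 证书自动配置"
  echo "=========================================="
  echo ""
  echo "将为以下域名申请证书:"
  for domain in "${DOMAINS[@]}"; do
    echo " - $domain"
    domain_args+=(-d "$domain")
  done
  echo ""

  if ! command -v certbot >/dev/null 2>&1; then
    install_certbot
  fi

  # standalone mode binds port 80 itself, so nothing else may hold it
  echo "正在申请证书..."
  certbot certonly \
    --standalone \
    --agree-tos \
    --non-interactive \
    --email "$CERTBOT_EMAIL" \
    --cert-name "$CERT_NAME" \
    "${domain_args[@]}" \
    || {
      echo ""
      echo "证书申请失败,可能原因:"
      echo " 1. 域名未正确解析到本服务器"
      echo " 2. 80 端口被占用或防火墙阻止"
      echo " 3. 请确保上述域名都已添加 A 记录指向本服务器 IP"
      exit 1
    }

  copy_certs

  echo ""
  echo "设置证书自动续期..."
  write_renew_hook
  install_cron

  echo ""
  echo "=========================================="
  echo " SSL 证书配置完成"
  echo "=========================================="
  echo ""
  echo "请执行以下步骤启用 HTTPS:"
  echo " 1. 将 nginx/conf.d/ssl-template.conf 的内容取消注释"
  echo " 2. 根据实际域名修改 server_name 和证书路径"
  echo " 3. 重启 Nginx: docker-compose restart nginx"
  echo ""
  echo "证书将自动续期,每天凌晨 3 点检查"
  echo ""
}

main "$@"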