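#!/bin/bash
#
# Generate a self-signed TLS certificate and key for local/dev use.
#
# Usage: <this script> [domain]      (domain defaults to eifeldc.local)
#
# Output layout, under <infra>/certs (the directory is wiped and recreated):
#   live/<domain>/{privkey,fullchain,cert}.pem
#   archive/<domain>-{fullchain,privkey}.pem
#
# The certificate is self-signed: clients will not trust it unless it is
# added to their trust store explicitly.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
INFRA_DIR="$(dirname "$SCRIPT_DIR")"
CERT_DIR="${INFRA_DIR}/certs"
DOMAIN="${1:-eifeldc.local}"

# DOMAIN is interpolated into filesystem paths, the certificate subject and
# the subjectAltName list. Restrict it to a hostname (optionally with a
# leading wildcard label) so a value containing "/", "," or whitespace cannot
# escape CERT_DIR or add extra subject fields / SAN entries.
hostname_re='^(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
if [[ ! "${DOMAIN}" =~ ${hostname_re} ]]; then
  printf 'error: invalid domain name: %s\n' "${DOMAIN}" >&2
  exit 2
fi

LIVE_DIR="${CERT_DIR}/live/${DOMAIN}"
ARCHIVE_DIR="${CERT_DIR}/archive"
KEY_FILE="${LIVE_DIR}/privkey.pem"
CHAIN_FILE="${LIVE_DIR}/fullchain.pem"

echo "=== Generating self-signed SSL certificate for ${DOMAIN} ==="

# ":?" aborts instead of expanding to an empty path if CERT_DIR is ever unset.
rm -rf -- "${CERT_DIR:?}"
mkdir -p "${LIVE_DIR}"
mkdir -p "${ARCHIVE_DIR}"

# -nodes writes the private key unencrypted, so file permissions are its only
# protection. Create the key file owner-only *before* openssl fills it, so the
# key is never readable by other users regardless of the caller's umask.
(umask 077 && : > "${KEY_FILE}")

# -addext requires OpenSSL 1.1.1 or newer.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout "${KEY_FILE}" \
  -out "${CHAIN_FILE}" \
  -subj "/CN=${DOMAIN}" \
  -addext "subjectAltName=DNS:${DOMAIN},DNS:localhost,IP:127.0.0.1"

# Self-signed, so there is no chain: cert.pem is the same as fullchain.pem.
cp -- "${CHAIN_FILE}" "${LIVE_DIR}/cert.pem"
cp -- "${CHAIN_FILE}" "${ARCHIVE_DIR}/${DOMAIN}-fullchain.pem"
cp -- "${KEY_FILE}" "${ARCHIVE_DIR}/${DOMAIN}-privkey.pem"

# Pin both copies of the private key to owner read/write only.
chmod 600 -- "${KEY_FILE}" "${ARCHIVE_DIR}/${DOMAIN}-privkey.pem"

echo ""
echo "Certificates generated:"
echo " Cert: ${CERT_DIR}/live/${DOMAIN}/fullchain.pem"
echo " Key: ${CERT_DIR}/live/${DOMAIN}/privkey.pem"
echo ""
echo "For Docker deployment, copy certs to the nginx-certs volume:"
echo " docker volume inspect infra_nginx-certs"
# NOTE(review): the destination below starts at /live/..., which looks like it
# is missing the volume mountpoint reported by the inspect command above.
# Confirm the intended path before relying on this hint.
echo " sudo cp -r ${CERT_DIR}/live/${DOMAIN}/* /live/${DOMAIN}/"
echo ""
echo "Or for local dev, update nginx config to point to ${CERT_DIR}/live/${DOMAIN}/"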