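#!/usr/bin/env bash
#
# vozex-ssl-issue: obtain (or keep, if still valid) an ACME certificate for a
# tenant domain with certbot's webroot challenge. The reverse-proxy sync helper
# is run once before certbot (so the challenge path under ACME_ROOT can be
# served for the domain) and once after (so the proxy picks up the result).
#
# Usage: vozex-ssl-issue <DOMAIN> <INSTALL_ID> <FRONTEND_PORT>
#
# Environment (all optional):
#   CERTBOT_BIN            certbot executable            (default: certbot)
#   CERTBOT_EMAIL          ACME account e-mail           (default: ops@vozex.cloud)
#   VOZEX_ACME_WEBROOT     webroot for /.well-known/acme-challenge
#                          (default: /www/wwwroot/vozex.cloud/_acme-challenge)
#   VOZEX_PROXY_SYNC_BIN   proxy sync helper
#                          (default: /usr/local/bin/vozex-proxy-sync)
#
# Exit status: 0 on success; 1 on a usage/validation error, a missing tool, or
# a failed proxy-sync / certbot step.
set -euo pipefail

readonly LOG_TAG='[vozex-ssl-issue]'

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
  printf 'Usage: %s <DOMAIN> <INSTALL_ID> <FRONTEND_PORT>\n' "$0" >&2
  exit 1
}

#######################################
# Accept only a syntactic DNS hostname (RFC 1123 labels, at most 253 chars).
# DOMAIN is caller-supplied and is handed to certbot as the value of -d and to
# the proxy sync helper as an argument; restricting it to hostname characters
# keeps a value such as "--foo" from being parsed as an option by either tool.
# Wildcards are rejected too, which is fine here: the webroot challenge cannot
# validate them anyway.
# Arguments: $1 - domain to check
# Returns:   0 if valid; exits 1 otherwise
#######################################
validate_domain() {
  local domain=$1
  local label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
  local re="^${label}(\.${label})*$"
  if [[ -z "$domain" || ${#domain} -gt 253 || ! "$domain" =~ $re ]]; then
    die "${LOG_TAG} invalid DOMAIN (expected a hostname): ${domain}"
  fi
}

#######################################
# Accept only a decimal TCP port in 1..65535.
# Arguments: $1 - port to check
# Returns:   0 if valid; exits 1 otherwise
#######################################
validate_port() {
  local port=$1
  # 10# forces base-10 so a leading zero is not read as octal.
  if [[ ! "$port" =~ ^[0-9]{1,5}$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
    die "${LOG_TAG} invalid FRONTEND_PORT (expected 1-65535): ${port}"
  fi
}

#######################################
# Entry point.
# Arguments: $1 - DOMAIN, $2 - INSTALL_ID, $3 - FRONTEND_PORT
# Outputs:   "SSL ready for <DOMAIN>" on stdout on success
#######################################
main() {
  (( $# >= 3 )) || usage

  local domain=$1
  local install_id=$2
  local frontend_port=$3

  validate_domain "$domain"
  [[ -n "$install_id" ]] || die "${LOG_TAG} INSTALL_ID must not be empty"
  validate_port "$frontend_port"

  local certbot_bin="${CERTBOT_BIN:-certbot}"
  local certbot_email="${CERTBOT_EMAIL:-ops@vozex.cloud}"
  local acme_root="${VOZEX_ACME_WEBROOT:-/www/wwwroot/vozex.cloud/_acme-challenge}"
  local proxy_sync_bin="${VOZEX_PROXY_SYNC_BIN:-/usr/local/bin/vozex-proxy-sync}"

  command -v "$certbot_bin" >/dev/null 2>&1 \
    || die "${LOG_TAG} certbot not found: ${certbot_bin}"
  # Fail with a clear message instead of bash's "No such file or directory"
  # when the helper is missing or not executable.
  [[ -x "$proxy_sync_bin" ]] \
    || die "${LOG_TAG} proxy sync helper not found or not executable: ${proxy_sync_bin}"

  mkdir -p -- "${acme_root}/.well-known/acme-challenge" \
    || die "${LOG_TAG} cannot create challenge directory under ${acme_root}"

  # Pre-issuance sync: the helper is expected to make the challenge path
  # reachable for DOMAIN before certbot asks the CA to fetch it (TODO confirm
  # against vozex-proxy-sync).
  "$proxy_sync_bin" "$domain" "$install_id" "$frontend_port" \
    || die "${LOG_TAG} proxy sync failed before issuance for ${domain}"

  # --keep-until-expiring makes re-runs idempotent: an existing, still-valid
  # certificate is left alone rather than re-issued (which would burn CA
  # rate limits).
  "$certbot_bin" certonly \
    --webroot \
    -w "$acme_root" \
    -d "$domain" \
    --email "$certbot_email" \
    --agree-tos \
    --non-interactive \
    --keep-until-expiring \
    || die "${LOG_TAG} certbot failed for ${domain}"

  # Post-issuance sync so the proxy configuration reflects the new certificate.
  "$proxy_sync_bin" "$domain" "$install_id" "$frontend_port" \
    || die "${LOG_TAG} proxy sync failed after issuance for ${domain}"

  printf 'SSL ready for %s\n' "$domain"
}

main "$@"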
