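#!/bin/bash
# SSL certificate setup script (Let's Encrypt)
# Purpose: obtain an HTTPS certificate for the registered domain and point
# deploy/nginx-ssl.conf at it.
#
# Required environment:
#   DOMAIN     - site hostname; a "www." alias is requested as well
#   SSL_EMAIL  - contact address handed to certbot --email
#
# Side effects: may install certbot via apt-get/yum, starts the backend and
# nginx compose services, runs certbot with sudo, and edits
# deploy/nginx-ssl.conf in place.
set -euo pipefail

# Print diagnostics to stderr and abort.
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

if [ -z "${DOMAIN:-}" ]; then
  echo "错误: 未设置 DOMAIN 环境变量"
  echo "请设置: export DOMAIN=your-domain.com"
  exit 1
fi

if [ -z "${SSL_EMAIL:-}" ]; then
  echo "错误: 未设置 SSL_EMAIL 环境变量"
  echo "请设置: export SSL_EMAIL=your-email@example.com"
  exit 1
fi

# DOMAIN is interpolated into a sed replacement and into a filesystem path
# below, so only accept a plain DNS hostname (labels of letters, digits and
# hyphens, alphabetic TLD). This rejects sed metacharacters such as '|', '&'
# and '\' as well as path separators.
readonly hostname_re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
if ! [[ "$DOMAIN" =~ $hostname_re ]]; then
  die "错误: DOMAIN 不是有效的主机名: $DOMAIN"
fi

# Loose sanity check only; certbot performs the authoritative validation.
readonly email_re='^[^[:space:]@]+@[^[:space:]@]+\.[^[:space:]@]+$'
if ! [[ "$SSL_EMAIL" =~ $email_re ]]; then
  die "错误: SSL_EMAIL 不是有效的邮箱地址: $SSL_EMAIL"
fi

readonly nginx_conf='deploy/nginx-ssl.conf'
readonly cert_dir="/etc/letsencrypt/live/$DOMAIN"

echo "=== SSL 证书配置(Let's Encrypt)==="
echo "域名: $DOMAIN"
echo "邮箱: $SSL_EMAIL"
echo ""

# Install certbot if it is missing. Only Debian- and RedHat-style hosts are
# handled; the yum package names are assumed to be available (EPEL on RHEL
# derivatives) — confirm on the target host.
if ! command -v certbot >/dev/null 2>&1; then
  echo "安装 Certbot..."
  if [ -f /etc/debian_version ]; then
    sudo apt-get update
    sudo apt-get install -y certbot python3-certbot-nginx
  elif [ -f /etc/redhat-release ]; then
    sudo yum install -y certbot python3-certbot-nginx
  else
    die "错误: 未检测到支持的 Linux 发行版"
  fi
fi

# The config file is rewritten in place at the end; fail early if it is not
# where this script expects it (the script must be run from the repo root).
[ -f "$nginx_conf" ] || die "错误: 未找到 $nginx_conf (请在项目根目录运行)"

echo "[1/3] 确保 HTTP 服务运行(用于验证)..."
docker-compose up -d backend nginx
# Best-effort wait for nginx to accept connections; there is no health
# endpoint known to this script, so a fixed delay is used.
sleep 3

echo "[2/3] 获取 SSL 证书..."
# NOTE(review): --nginx is the host nginx plugin, while nginx here runs under
# docker-compose; verify the plugin can reach the HTTP-01 challenge on this
# host, otherwise the webroot authenticator would be the fit.
sudo certbot certonly --nginx \
  -d "$DOMAIN" \
  -d "www.$DOMAIN" \
  --email "$SSL_EMAIL" \
  --agree-tos \
  --non-interactive \
  --preferred-challenges http

echo "[3/3] 更新 Nginx 配置..."
# Point nginx-ssl.conf at the issued certificate. The patterns require
# whitespace after the directive name so that "ssl_certificate" does not also
# match (and clobber) the "ssl_certificate_key" line.
sed -i "s|ssl_certificate[[:space:]].*|ssl_certificate $cert_dir/fullchain.pem;|" "$nginx_conf"
sed -i "s|ssl_certificate_key[[:space:]].*|ssl_certificate_key $cert_dir/privkey.pem;|" "$nginx_conf"

# The certificate directory must also be mounted into the nginx container;
# that volume entry in docker-compose.yml is left to the operator.
echo "✓ SSL 证书配置完成"
echo ""
echo "证书路径: $cert_dir/"
echo ""
echo "请更新 docker-compose.yml,添加证书挂载:"
echo " volumes:"
echo " - /etc/letsencrypt:/etc/letsencrypt:ro"
echo ""
echo "然后重启 Nginx: docker-compose restart nginx"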