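#!/bin/bash
# SSL certificate setup script.
#
# Interactively obtains either a Let's Encrypt certificate (plus a cron-driven
# renewal hook) or a self-signed development certificate, places the PEM files
# in ./ssl/, and substitutes the chosen domain into nginx-proxy.conf and
# .env.production when those files exist in the current directory.
#
# Run from the project root: every path below is relative to $PWD.
set -euo pipefail

# ANSI colour codes used by the log helpers.
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly RED='\033[0;31m'
readonly NC='\033[0m'

# Print an informational message to stdout.
# Arguments: $1 - message text
log_info() {
  echo -e "${GREEN}[INFO]${NC} $1"
}

# Print a warning to stderr so it is not captured with normal output.
# Arguments: $1 - message text
log_warning() {
  echo -e "${YELLOW}[WARNING]${NC} $1" >&2
}

# Print an error to stderr.
# Arguments: $1 - message text
log_error() {
  echo -e "${RED}[ERROR]${NC} $1" >&2
}

#######################################
# Validate the domain argument and warn if it does not resolve.
# Arguments: $1 - domain name entered by the user
# Returns:   0 on success; exits 1 on an empty or malformed domain
#
# The syntax check (labels of letters, digits, '.' and '-') is also what makes
# the value safe to splice into the sed substitutions in main() and into the
# generated renewal script: '/', '&', '\' and whitespace cannot get through.
#######################################
check_domain() {
  local domain=${1:-}
  if [[ -z "$domain" ]]; then
    log_error "请提供域名"
    exit 1
  fi
  if [[ ! "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
    log_error "域名格式无效: $domain"
    exit 1
  fi
  log_info "检查域名: $domain"
  # Resolution failure is only a warning: DNS may be propagating.
  if ! nslookup "$domain" > /dev/null 2>&1; then
    log_warning "域名解析失败,请确保域名已正确配置"
  fi
}

#######################################
# Obtain a Let's Encrypt certificate via the webroot challenge and copy the
# resulting PEM files into ./ssl/ owned by the invoking user.
# Arguments: $1 - domain name (already validated by check_domain)
#            $2 - contact e-mail passed to certbot
# Returns:   exits non-zero if certbot cannot be installed or fails
#######################################
setup_letsencrypt() {
  local domain=$1
  local email=$2
  log_info "使用Let's Encrypt获取SSL证书..."

  # Install certbot with whichever package manager is present.
  if ! command -v certbot &> /dev/null; then
    log_info "安装certbot..."
    if command -v apt-get &> /dev/null; then
      sudo apt-get update
      sudo apt-get install -y certbot
    elif command -v yum &> /dev/null; then
      sudo yum install -y certbot
    else
      log_error "无法自动安装certbot,请手动安装"
      exit 1
    fi
  fi

  # /var/www is normally root-owned, so the webroot needs sudo to create.
  sudo mkdir -p /var/www/certbot
  # The copies below land in ./ssl/; make sure it exists.
  mkdir -p ssl

  # Every user-supplied value is quoted so it reaches certbot as one argument.
  sudo certbot certonly \
    --webroot \
    --webroot-path=/var/www/certbot \
    --email "$email" \
    --agree-tos \
    --no-eff-email \
    -d "$domain"

  # Copy into the project and hand ownership to the current user. Numeric
  # uid:gid is used because a group named after the user need not exist.
  local live_dir="/etc/letsencrypt/live/$domain"
  sudo cp -- "$live_dir/fullchain.pem" ssl/
  sudo cp -- "$live_dir/privkey.pem" ssl/
  sudo chown -- "$(id -u):$(id -g)" ssl/*.pem
  # The private key must not be readable by other local users.
  chmod 600 ssl/privkey.pem

  log_info "SSL证书配置完成"
}

#######################################
# Generate a self-signed certificate for development/testing.
# Arguments: $1 - domain name used as the certificate CN
# Globals:   SSL_SELFSIGNED_DAYS (read, optional) - validity in days, default 365
# Outputs:   ssl/privkey.pem (mode 0600) and ssl/fullchain.pem
#######################################
setup_selfsigned() {
  local domain=$1
  local days=${SSL_SELFSIGNED_DAYS:-365}
  log_info "生成自签名SSL证书..."

  mkdir -p ssl

  # Restrict the key before it is written: openssl creates the file with the
  # current umask, so tightening it in a subshell avoids a world-readable window.
  (umask 077 && openssl genrsa -out ssl/privkey.pem 2048)

  openssl req -new -x509 -key ssl/privkey.pem -out ssl/fullchain.pem -days "$days" \
    -subj "/C=CN/ST=State/L=City/O=Organization/CN=$domain"

  log_warning "已生成自签名证书,仅用于开发/测试环境"
  log_warning "生产环境请使用有效的SSL证书"
}

#######################################
# Write ssl-renew.sh and register it in the user's crontab (daily at 03:00).
# Arguments: $1 - domain name (already validated by check_domain)
# Outputs:   ./ssl-renew.sh; modifies the invoking user's crontab
#
# NOTE(review): the cron job runs as the invoking user, while `certbot renew`
# and /etc/letsencrypt/live are normally root-only. Confirm the deployment
# grants this user access or install the entry with sudo instead.
#######################################
setup_auto_renewal() {
  local domain=$1
  local project_dir
  project_dir=$(pwd)
  log_info "配置证书自动续期..."

  # The heredoc is intentionally unquoted so $domain and $project_dir are baked
  # in now; cron starts in $HOME, hence the explicit cd before the relative
  # ssl/ and docker-compose paths. Escaped \$ would be needed for anything that
  # must expand at renewal time.
  cat > ssl-renew.sh << EOF
#!/bin/bash
set -euo pipefail
cd "$project_dir"
if certbot renew --quiet; then
  cp /etc/letsencrypt/live/$domain/fullchain.pem ssl/
  cp /etc/letsencrypt/live/$domain/privkey.pem ssl/
  docker-compose -f docker-compose.prod.yml restart nginx-proxy
fi
EOF
  chmod +x ssl-renew.sh

  # Re-running this script must not add a duplicate entry, and a user with no
  # crontab yet (crontab -l fails) must still get one installed.
  local cron_line="0 3 * * * $project_dir/ssl-renew.sh"
  local current_cron
  current_cron=$(crontab -l 2>/dev/null || true)
  if ! grep -Fqx -- "$cron_line" <<<"$current_cron"; then
    if [[ -n "$current_cron" ]]; then
      printf '%s\n%s\n' "$current_cron" "$cron_line" | crontab -
    else
      printf '%s\n' "$cron_line" | crontab -
    fi
  fi

  log_info "证书自动续期配置完成"
}

#######################################
# Interactive entry point: ask for the domain and certificate type, run the
# matching setup, then patch the domain into the project config files.
# Arguments: none (positional parameters are ignored)
#######################################
main() {
  local domain choice email

  echo "🔒 SSL证书配置脚本"
  echo "=================="

  # -r keeps backslashes literal in the typed value.
  read -r -p "请输入域名: " domain
  check_domain "$domain"

  echo ""
  echo "请选择证书类型:"
  echo "1) Let's Encrypt (免费,推荐生产环境)"
  echo "2) 自签名证书 (开发/测试环境)"
  echo ""
  read -r -p "请输入选择 (1-2): " choice

  case "$choice" in
    1)
      read -r -p "请输入邮箱地址: " email
      if [[ -z "$email" ]]; then
        log_error "邮箱地址不能为空"
        exit 1
      fi
      setup_letsencrypt "$domain" "$email"
      setup_auto_renewal "$domain"
      ;;
    2)
      setup_selfsigned "$domain"
      ;;
    *)
      log_error "无效选择"
      exit 1
      ;;
  esac

  # $domain is safe in the sed replacement because check_domain rejected every
  # sed metacharacter; the literal dots in the search pattern are escaped.
  if [[ -f "nginx-proxy.conf" ]]; then
    sed -i "s/your-domain\.com/$domain/g" nginx-proxy.conf
    log_info "已更新nginx配置中的域名"
  fi

  if [[ -f ".env.production" ]]; then
    sed -i "s/DOMAIN=your-domain\.com/DOMAIN=$domain/g" .env.production
    log_info "已更新环境配置中的域名"
  fi

  echo ""
  log_info "SSL证书配置完成!"
  echo "证书文件位置:"
  echo "  - 证书: ssl/fullchain.pem"
  echo "  - 私钥: ssl/privkey.pem"
  echo ""
  echo "现在可以使用HTTPS模式部署:"
  echo "  ./deploy-prod.sh https"
}

# Run main only when executed directly, so the helpers can be sourced for testing.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi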