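# Provision TLS for the local 2weekmail.test lab:
#   1. create a private root CA and a leaf certificate with the step CLI,
#   2. add "listen 443 ssl" plus certificate directives to ./2weekmail.test,
#   3. symlink the config and the certificate files into /etc/nginx,
#   4. validate the nginx configuration and reload nginx.
# Requires: the step CLI, GNU sed (-i), and write access to /etc/nginx.

CERT_DIR="./certs"
DOMAIN="2weekmail.test"
DOMAIN_CERT_PEM="${CERT_DIR}/${DOMAIN}-cert.pem"
DOMAIN_CERT_KEY="${CERT_DIR}/${DOMAIN}-key.pem"
DOMAIN_CERT_CA="${CERT_DIR}/cacert.pem"
DOMAIN_CERT_CA_KEY="${CERT_DIR}/cakey.pem"

mkdir -p "${CERT_DIR}"

# Regenerate the whole chain if any of the four files is missing, so the leaf
# is always signed by the CA that sits next to it.
if [ ! -f "${DOMAIN_CERT_PEM}" ] || [ ! -f "${DOMAIN_CERT_KEY}" ] \
  || [ ! -f "${DOMAIN_CERT_CA}" ] || [ ! -f "${DOMAIN_CERT_CA_KEY}" ]; then
  # --no-password --insecure makes step write the private keys unencrypted.
  # Whoever can read cakey.pem can issue certificates that every machine
  # trusting this root will accept: keep ${CERT_DIR} out of version control
  # and do not install this root CA outside the lab.
  step certificate create "2weekmail Root CA" "${DOMAIN_CERT_CA}" "${DOMAIN_CERT_CA_KEY}" \
    --no-password --insecure \
    --profile root-ca \
    --not-before "2021-01-01T00:00:00+00:00" \
    --not-after "2031-01-01T00:00:00+00:00" \
    --san "2weekmail.test" \
    --san "mail.2weekmail.test" \
    --san "webmail.2weekmail.test" \
    --san "admin.2weekmail.test" \
    --san "api.2weekmail.test" \
    --kty RSA --size 2048 || {
    echo "Error: failed to create the root CA certificate" >&2
    exit 1
  }

  # The leaf shares the CA's ten-year validity window. That is tolerable for
  # a .test lab only; some TLS clients reject server certificates that
  # long-lived even when the root is locally trusted.
  step certificate create "2weekmail" "${DOMAIN_CERT_PEM}" "${DOMAIN_CERT_KEY}" \
    --no-password --insecure \
    --profile leaf \
    --ca "${DOMAIN_CERT_CA}" \
    --ca-key "${DOMAIN_CERT_CA_KEY}" \
    --not-before "2021-01-01T00:00:00+00:00" \
    --not-after "2031-01-01T00:00:00+00:00" \
    --san "2weekmail.test" \
    --san "mail.2weekmail.test" \
    --san "webmail.2weekmail.test" \
    --san "admin.2weekmail.test" \
    --san "api.2weekmail.test" \
    --kty RSA --size 2048 || {
    echo "Error: failed to create the leaf certificate" >&2
    exit 1
  }

  # The keys are stored in the clear, so make owner-only access explicit
  # instead of depending on the tool's default file mode.
  chmod 600 "${DOMAIN_CERT_KEY}" "${DOMAIN_CERT_CA_KEY}"
fi

NGINX_CONFIG_FILE="/etc/nginx/sites-enabled/2weekmail.test"
NGINX_CERT_DIR="/etc/nginx/certs"
LOCAL_CONFIG_FILE="./2weekmail.test"

# Check if the local config file exists
if [ ! -f "${LOCAL_CONFIG_FILE}" ]; then
  echo "Error: Local Nginx config file ${LOCAL_CONFIG_FILE} not found" >&2
  exit 1
fi

# Only patch the config once: an existing "listen 443 ssl" means a previous
# run (or the author) already added TLS.
if ! grep -q "listen 443 ssl" "${LOCAL_CONFIG_FILE}"; then
  echo "Adding SSL configuration to Nginx config file"

  # NOTE(review): the two *-SHA512 entries in ssl_ciphers below do not look
  # like cipher-suite names OpenSSL knows, and nginx does not offer DHE suites
  # unless ssl_dhparam is set, so the effective TLS 1.2 list is probably just
  # ECDHE-RSA-AES256-GCM-SHA384. Confirm with `openssl ciphers -v '<list>'`.
  for SERVER_NAME in "webmail.2weekmail.test" "admin.2weekmail.test" "api.2weekmail.test" "2weekmail.test"; do
    # Escape the dots so the host name is matched literally by grep and sed.
    name_re=$(printf '%s' "${SERVER_NAME}" | sed 's/\./\\./g')

    # Find the server block for this server_name
    if grep -q "server_name ${name_re}" "${LOCAL_CONFIG_FILE}"; then
      # Insert the TLS listener just before the server_name line
      sed -i "/server_name ${name_re}/i\\ listen 443 ssl;" "${LOCAL_CONFIG_FILE}"

      # Append certificate settings and the HTTP->HTTPS redirect after it
      sed -i "/server_name ${name_re}/a\\ ssl_certificate /etc/nginx/certs/2weekmail.test-cert.pem;\n ssl_certificate_key /etc/nginx/certs/2weekmail.test-key.pem;\n ssl_protocols TLSv1.2 TLSv1.3;\n ssl_prefer_server_ciphers on;\n ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;\n\n # Redirect HTTP to HTTPS\n if (\$scheme != \"https\") {\n return 301 https://\$host\$request_uri;\n }" "${LOCAL_CONFIG_FILE}"

      echo "Added SSL configuration for ${SERVER_NAME}"
    fi
  done
fi

# Resolve the working directory once; quoted so a path with spaces survives.
repo_dir=$(pwd)

# Link the config into sites-enabled. -e follows symlinks, so a dangling link
# counts as missing and is replaced by ln -sfn instead of making ln fail.
if [ ! -e "${NGINX_CONFIG_FILE}" ]; then
  echo "Creating symbolic link to Nginx config file"
  ln -sfn -- "${repo_dir}/2weekmail.test" "${NGINX_CONFIG_FILE}"
fi

# Create nginx cert directory if it doesn't exist
if [ ! -d "${NGINX_CERT_DIR}" ]; then
  echo "Creating nginx cert directory"
  mkdir -p "${NGINX_CERT_DIR}"
fi

# Link certificate and key individually so that one existing link does not
# stop the other from being created.
if [ ! -e "${NGINX_CERT_DIR}/${DOMAIN}-cert.pem" ] || [ ! -e "${NGINX_CERT_DIR}/${DOMAIN}-key.pem" ]; then
  echo "Creating nginx cert files"
  for pem_name in "${DOMAIN}-cert.pem" "${DOMAIN}-key.pem"; do
    if [ ! -e "${NGINX_CERT_DIR}/${pem_name}" ]; then
      ln -sfn -- "${repo_dir}/certs/${pem_name}" "${NGINX_CERT_DIR}/${pem_name}"
    fi
  done
fi

# The config was edited with sed above; validate it before asking the running
# server to load it.
if command -v nginx >/dev/null 2>&1; then
  if ! nginx -t; then
    echo "Error: nginx configuration test failed; not reloading" >&2
    exit 1
  fi
fi

# Reload nginx to apply changes
echo "Reloading nginx configuration"
if command -v systemctl >/dev/null 2>&1; then
  systemctl reload nginx
elif command -v service >/dev/null 2>&1; then
  service nginx reload
else
  echo "Warning: Could not reload Nginx. Please reload it manually."
fi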