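#!/bin/bash
# SSL setup script using Let's Encrypt for SmartSolTech.
#
# Usage:   ./setup-ssl.sh <domain> <email>
# Example: ./setup-ssl.sh smartsoltech.kr admin@smartsoltech.kr
#
# Obtains a certificate for <domain> and www.<domain> through the certbot
# service in docker-compose.prod.yml (HTTP-01 "webroot" challenge), then
# writes nginx-ssl.conf with an HTTP->HTTPS redirect and a hardened TLS
# server block. Nothing is installed automatically: the "Next steps" printed
# at the end still have to be carried out by hand.
#
# Environment:
#   FORCE_RENEWAL=1   pass --force-renewal to certbot (reissue even when a
#                     valid certificate already exists). Off by default: every
#                     forced reissue counts against Let's Encrypt's
#                     duplicate-certificate rate limit, so re-running a setup
#                     script a few times can lock the domain out for a week.
set -euo pipefail

usage() {
  echo "Usage: ./setup-ssl.sh <domain> <email>" >&2
  echo "Example: ./setup-ssl.sh smartsoltech.kr admin@smartsoltech.kr" >&2
  exit 1
}

if [[ -z "${1:-}" || -z "${2:-}" ]]; then
  usage
fi

DOMAIN=$1
EMAIL=$2
readonly DOMAIN EMAIL

# Both values end up on the certbot command line and DOMAIN is spliced into
# the nginx config with sed, so restrict them to a safe character set before
# use. A hostname cannot legitimately contain sed metacharacters ('/', '&',
# '\'), spaces or leading dashes, so rejecting anything else closes off
# option and pattern injection from the arguments.
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$ ]]; then
  echo "❌ Invalid domain: '$DOMAIN' (expected a hostname such as example.com)" >&2
  exit 1
fi
if [[ ! "$EMAIL" =~ ^[^[:space:]@]+@[^[:space:]@]+\.[^[:space:]@]+$ ]]; then
  echo "❌ Invalid email address: '$EMAIL'" >&2
  exit 1
fi

echo "🔒 Setting up SSL for $DOMAIN..."

# certbot keeps its state in certbot/conf and drops HTTP-01 challenge files
# into certbot/www. Both are presumably bind-mounted into the certbot and
# nginx containers by docker-compose.prod.yml (/etc/letsencrypt and
# /var/www/certbot respectively) — TODO confirm against the compose file.
mkdir -p certbot/conf certbot/www

# NOTE(review): the previous version stopped nginx before running certbot.
# The --webroot challenge never binds a port itself; it relies on a web
# server answering http://<domain>/.well-known/acme-challenge/ from the
# webroot, so with nginx down the validation cannot succeed. nginx is
# therefore left running. This assumes the current nginx.conf already serves
# that path from /var/www/certbot on port 80 (TODO confirm); if it does not,
# either add that location first or switch certbot to --standalone with
# port 80 published on the certbot service.

certbot_args=(
  certonly
  --webroot
  --webroot-path=/var/www/certbot
  --email "$EMAIL"
  --agree-tos
  --no-eff-email
  --non-interactive
  -d "$DOMAIN"
  -d "www.$DOMAIN"
)
if [[ "${FORCE_RENEWAL:-0}" == "1" ]]; then
  certbot_args+=(--force-renewal)
else
  # Without this certbot asks what to do about an existing certificate,
  # which --non-interactive turns into an error.
  certbot_args+=(--keep-until-expiring)
fi

echo "📝 Requesting SSL certificate..."
if ! docker-compose -f docker-compose.prod.yml run --rm certbot "${certbot_args[@]}"; then
  echo "❌ Failed to obtain SSL certificate" >&2
  exit 1
fi
echo "✅ SSL certificate obtained successfully!"

# Render the nginx configuration. The here-doc delimiter is quoted so nginx
# variables ($host, $request_uri, ...) are written literally; the only
# substitution is DOMAIN_PLACEHOLDER, done by sed on the stream (no -i, so
# this does not depend on GNU vs BSD sed). DOMAIN was validated above and
# cannot contain characters that are special in a sed replacement.
sed "s/DOMAIN_PLACEHOLDER/$DOMAIN/g" > nginx-ssl.conf <<'EOF'
upstream django_app {
    server web:8000;
}

# Do not advertise the nginx version in Server: headers and error pages.
server_tokens off;

# HTTP: serve ACME challenges, redirect everything else to HTTPS
server {
    listen 80;
    server_name DOMAIN_PLACEHOLDER www.DOMAIN_PLACEHOLDER;

    # Must stay reachable over plain HTTP so certbot renewals keep working.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

# HTTPS server
server {
    listen 443 ssl http2;
    server_name DOMAIN_PLACEHOLDER www.DOMAIN_PLACEHOLDER;

    ssl_certificate /etc/letsencrypt/live/DOMAIN_PLACEHOLDER/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN_PLACEHOLDER/privkey.pem;

    # TLS settings, Mozilla "intermediate" profile: TLS 1.2+ and only
    # forward-secret ECDHE AEAD suites. The previous HIGH:!aNULL:!MD5 list
    # still admitted static-RSA key exchange and CBC suites. DHE suites are
    # deliberately absent because nginx only uses them when ssl_dhparam is set.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets undermine forward secrecy unless the ticket key is
    # rotated regularly; the shared cache above is sufficient here.
    ssl_session_tickets off;

    client_max_body_size 20M;

    # Security headers.
    # NOTE: nginx inherits add_header into a location only when that location
    # declares no add_header of its own, so these are repeated verbatim in
    # /static/ and /media/ below (both add Cache-Control).
    # HSTS with includeSubDomains commits every subdomain to HTTPS for a year
    # in every browser that has seen it; drop includeSubDomains if any
    # subdomain must remain reachable over plain HTTP.
    # X-XSS-Protection is intentionally not set: it is deprecated and ignored
    # by current browsers.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        proxy_pass http://django_app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Django needs this (plus SECURE_PROXY_SSL_HEADER) to know the
        # original request was HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_buffering off;
    }

    location /static/ {
        alias /app/smartsoltech/staticfiles/;
        expires 30d;
        add_header Cache-Control "public, immutable";
        # Re-declared because of add_header inheritance (see above).
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    location /media/ {
        alias /app/smartsoltech/media/;
        # NOTE(review): "immutable" assumes uploaded files are never replaced
        # under the same name; if uploads can be overwritten, drop it.
        expires 30d;
        add_header Cache-Control "public, immutable";
        # Re-declared because of add_header inheritance (see above).
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # Deny access to dotfiles (.env, .git, ...) that may live under the roots
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}
EOF

echo ""
echo "📋 SSL certificate installed!"
echo ""
echo "Next steps:"
echo "1. Replace nginx.conf with nginx-ssl.conf:"
echo "   mv nginx-ssl.conf nginx.conf"
echo ""
echo "2. Update .env file with your domain:"
echo "   ALLOWED_HOSTS=localhost,127.0.0.1,$DOMAIN,www.$DOMAIN"
echo "   CSRF_TRUSTED_ORIGINS=https://$DOMAIN,https://www.$DOMAIN"
echo "   (and make sure Django sets SECURE_PROXY_SSL_HEADER to X-Forwarded-Proto)"
echo ""
echo "3. Restart services:"
echo "   docker-compose -f docker-compose.prod.yml restart"
echo ""
echo "4. Schedule renewal (certificates last 90 days), e.g. a daily cron job:"
echo "   docker-compose -f docker-compose.prod.yml run --rm certbot renew"
echo "   docker-compose -f docker-compose.prod.yml exec nginx nginx -s reload"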