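#!/usr/bin/bash
## Managed by Ansible ##
#
# Post-renewal hook for lego. For one domain it copies the freshly issued
# certificate files to an optional destination (with an explicit mode for
# each file and optional ownership), reloads the dependent service, and
# prints a one-line summary.
#
# Usage: <this script> <domain>
#   When no positional argument is given the domain is taken from
#   LEGO_CERT_DOMAIN, which lego exports to its hooks.
#
# Exit status: 0 when every post-renewal task succeeded, 1 otherwise.
# Diagnostics go to stderr; progress messages go to stdout.

set -u

# Variables set by Ansible
cert_src_path="{{ lego_cert_dir }}"

# Certificate destination variables (if defined)
cert_dest_path="{{ lego_certificate_destination.path | default('') }}"
cert_owner="{{ lego_certificate_destination.owner | default('') }}"
cert_group="{{ lego_certificate_destination.group | default('') }}"

# Service reload variables (if defined)
service_name="{{ lego_services_reload.name | default('') }}"
service_command="{{ lego_services_reload.command | default('') }}"

#######################################
# Print a diagnostic line to stderr.
# Arguments: message words
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Copy one file with an explicit mode. install(1) recreates the destination
# with the requested mode, so the private key is never briefly readable
# through the umask default or through a stale mode on an existing file
# (cp followed by chmod leaves exactly that window).
# Arguments: $1 - octal mode, $2 - source path, $3 - destination path
# Returns:   install's exit status
#######################################
install_file() {
  local mode="$1" src="$2" dst="$3"
  install -m "$mode" -- "$src" "$dst"
}

#######################################
# Copy the certificate, key and (if present) issuer chain for a domain to
# cert_dest_path, then apply ownership when cert_owner and/or cert_group is
# configured. Certificates get 0644, the key gets 0600.
# Globals:   cert_src_path, cert_dest_path, cert_owner, cert_group (read)
# Arguments: $1 - domain name (used as the file stem)
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 when nothing is configured or everything succeeded, 1 otherwise
#######################################
copy_certificate_files() {
  local domain="$1"
  local success=true
  local src_crt="$cert_src_path/${domain}.crt"
  local src_key="$cert_src_path/${domain}.key"
  local src_issuer="$cert_src_path/${domain}.issuer.crt"
  local dst_crt="$cert_dest_path/${domain}.crt"
  local dst_key="$cert_dest_path/${domain}.key"
  local dst_issuer="$cert_dest_path/${domain}.issuer.crt"
  local -a installed=()

  # Check if destination is defined
  if [ -z "$cert_dest_path" ]; then
    echo "No certificate destination defined, skipping copy"
    return 0
  fi

  # Fail before touching the destination when lego did not produce the files
  # we expect; otherwise a half-copied destination would be reported later.
  if [ ! -f "$src_crt" ] || [ ! -f "$src_key" ]; then
    warn "Error: certificate or key for $domain not found in $cert_src_path"
    warn "Error copying certificate files"
    return 1
  fi

  echo "Copying certificate files for $domain..."
  echo "Copying to $cert_dest_path..."

  # Create destination directory if it doesn't exist
  if ! mkdir -p -- "$cert_dest_path"; then
    warn "Error copying certificate files"
    return 1
  fi

  # Copy with the final mode applied at creation time:
  # 644 for certificates, 600 for keys
  if install_file 0644 "$src_crt" "$dst_crt"; then
    installed+=("$dst_crt")
  else
    success=false
  fi
  if install_file 0600 "$src_key" "$dst_key"; then
    installed+=("$dst_key")
  else
    success=false
  fi

  # Copy issuer cert if it exists
  if [ -f "$src_issuer" ]; then
    if install_file 0644 "$src_issuer" "$dst_issuer"; then
      installed+=("$dst_issuer")
    else
      success=false
    fi
  fi

  # Set ownership if specified. Either side may be omitted: "owner" keeps the
  # current group and ":group" keeps the current owner, matching chown(1).
  if { [ -n "$cert_owner" ] || [ -n "$cert_group" ]; } && [ "${#installed[@]}" -gt 0 ]; then
    chown -- "${cert_owner}${cert_group:+:$cert_group}" "${installed[@]}" || success=false
  fi

  if $success; then
    echo "Certificate files copied successfully"
    return 0
  fi
  warn "Error copying certificate files"
  return 1
}

#######################################
# Reload the dependent service, preferring the configured command over the
# configured systemd unit. A unit that does not support reload is restarted.
# Globals:   service_name, service_command (read)
# Arguments: $1 - domain name (accepted for symmetry with
#                 copy_certificate_files; not used by the reload itself)
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 when nothing is configured or the reload succeeded, 1 otherwise
#######################################
reload_service() {
  local domain="$1"
  local success=true

  # Check if service reload is defined
  if [ -z "$service_name" ] && [ -z "$service_command" ]; then
    echo "No service reload defined, skipping reload"
    return 0
  fi

  echo "Reloading service..."
  if [ -n "$service_command" ]; then
    echo "Running command: $service_command"
    # service_command is an operator-supplied string rendered by Ansible and
    # may legitimately contain shell syntax, so it is evaluated as shell.
    # It must only ever be populated from the managed inventory, never from
    # runtime input.
    eval "$service_command" || success=false
  elif [ -n "$service_name" ]; then
    echo "Reloading $service_name..."
    systemctl reload -- "$service_name" || systemctl restart -- "$service_name" || success=false
  fi

  if $success; then
    echo "Service reloaded successfully"
    return 0
  fi
  warn "Error reloading service"
  return 1
}

# Check if domain is provided as parameter (or exported by lego)
if [ "$#" -lt 1 ] && [ -z "${LEGO_CERT_DOMAIN:-}" ]; then
  warn "Error: Domain parameter is required"
  warn "Usage: $0 <domain>"
  exit 1
fi

# Get domain from parameter, falling back to lego's hook environment
domain="${1:-${LEGO_CERT_DOMAIN:-}}"

# The domain is used as a path component under cert_src_path and
# cert_dest_path; refuse anything that could escape those directories.
case "$domain" in
  '' | . | .. | */*)
    warn "Error: invalid domain '$domain'"
    exit 1
    ;;
esac

# Main execution
echo "Certificate renewal hook triggered for $domain"

# Call the functions
copy_certificate_files "$domain"
copy_result=$?

reload_service "$domain"
reload_result=$?

# Send webhook notification
message="$domain certificate was successfully renewed"
if [ -n "$cert_dest_path" ]; then
  message="${message}, files copied"
fi
if [ -n "$service_name" ] || [ -n "$service_command" ]; then
  message="${message}, and service reloaded"
fi

if [ "$copy_result" -eq 0 ] && [ "$reload_result" -eq 0 ]; then
  echo "$message"
  exit 0
fi
# Non-zero so lego (and the caller's logs) see that the hook failed even
# though the certificate itself was renewed.
warn "$domain certificate was renewed but post-renewal tasks failed"
exit 1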