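#!/usr/bin/env bash
#
# Read-only status report for the certbot / Let's Encrypt setup of QIPAI_DOMAIN.
#
# Usage: run this script with --run to print the report. Without --run the
# status function is only defined, not called.
#
# Requires lib.sh next to this script. It presumably provides the
# qipai_info / qipai_pass / qipai_warn helpers and QIPAI_DOMAIN; neither is
# defined in this file -- confirm against lib.sh.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=lib.sh
. "${SCRIPT_DIR}/lib.sh"

#######################################
# Report whether certbot, its webroot, the certificate files, the renewal
# config and the systemd renewal timer are present for QIPAI_DOMAIN.
# Only reads state; it never issues or renews a certificate.
# Globals:   QIPAI_DOMAIN (read)
# Arguments: none
# Outputs:   status lines through qipai_info / qipai_pass / qipai_warn, plus
#            the raw output of `certbot --version` and `openssl x509`
# Returns:   1 when QIPAI_DOMAIN is empty or not a plain host name (under
#            `set -e` this ends the script); otherwise the status of the
#            final qipai_info call
#######################################
qipai_certbot_status() {
  local domain letsencrypt_live live_dir webroot_dir renewal_file
  domain="${QIPAI_DOMAIN:-}"

  # The domain is spliced into filesystem paths and into a command line the
  # operator is told to copy, so accept only host-name characters and refuse
  # values that could act as a path component trick ("..", leading ".") or
  # as a command-line option (leading "-").
  case "$domain" in
    '' | [.-]* | *..* | *[!A-Za-z0-9.-]*)
      qipai_warn "QIPAI_DOMAIN is empty or not a plain host name; certbot checks skipped"
      return 1
      ;;
  esac

  letsencrypt_live="/etc/letsencrypt/live"
  live_dir="${letsencrypt_live}/${domain}"
  webroot_dir="/var/www/certbot"
  renewal_file="/etc/letsencrypt/renewal/${domain}.conf"

  qipai_info "certbot domain: ${domain}"
  qipai_info "certbot webroot: ${webroot_dir}"
  qipai_info "certificate live dir: ${live_dir}"

  if command -v certbot >/dev/null 2>&1; then
    qipai_pass "certbot: $(command -v certbot)"
    # Best effort: the version line is informational only.
    certbot --version 2>/dev/null || true
  else
    qipai_warn "certbot not installed"
  fi

  if [ -d "$webroot_dir" ]; then
    qipai_pass "webroot exists: ${webroot_dir}"
  else
    qipai_warn "webroot not found: ${webroot_dir}"
  fi

  if [ -f "${live_dir}/fullchain.pem" ] && [ -f "${live_dir}/privkey.pem" ]; then
    qipai_pass "certificate files exist for ${QIPAI_DOMAIN}"
    if openssl x509 -in "${live_dir}/fullchain.pem" -noout -subject -issuer -dates 2>/dev/null; then
      # File presence alone says nothing about validity: flag a certificate
      # whose notAfter date has already passed.
      if ! openssl x509 -in "${live_dir}/fullchain.pem" -noout -checkend 0 >/dev/null 2>&1; then
        qipai_warn "certificate for ${domain} has expired"
      fi
    else
      # Previously swallowed with `|| true`; surface it so an unparsable
      # certificate is not hidden behind the "files exist" pass above.
      qipai_warn "could not read certificate details from ${live_dir}/fullchain.pem"
    fi
  elif [ -d "$letsencrypt_live" ] && [ ! -x "$letsencrypt_live" ]; then
    # certbot normally keeps live/ accessible to root only, so an
    # unprivileged run cannot tell "missing" from "not permitted".
    qipai_warn "cannot access ${letsencrypt_live} as the current user; re-run with sudo to check certificate files"
  else
    qipai_warn "certificate files not found for ${QIPAI_DOMAIN}"
  fi

  if [ -f "$renewal_file" ]; then
    qipai_pass "renewal config exists: ${renewal_file}"
  else
    qipai_warn "renewal config not found: ${renewal_file}"
  fi

  # Only the systemd unit named certbot.timer is checked. Installs that renew
  # through another scheduler (cron, a differently named timer) will warn
  # here even though renewal is configured.
  if command -v systemctl >/dev/null 2>&1; then
    # Explicit if/else instead of `a && pass || warn`, which would also emit
    # the warning whenever the pass helper itself returned non-zero.
    if systemctl is-enabled --quiet certbot.timer 2>/dev/null; then
      qipai_pass "certbot.timer enabled"
    else
      qipai_warn "certbot.timer not enabled or not installed"
    fi
    if systemctl is-active --quiet certbot.timer 2>/dev/null; then
      qipai_pass "certbot.timer active"
    else
      qipai_warn "certbot.timer not active"
    fi
  else
    qipai_warn "systemctl not available; certbot timer check skipped"
  fi

  # These commands are printed for the operator, never executed here. The
  # domain was validated above, so the copied text carries no shell
  # metacharacters.
  qipai_info "manual issue command:"
  qipai_info "sudo certbot certonly --webroot -w ${webroot_dir} -d ${domain}"
  qipai_info "manual renewal dry-run:"
  qipai_info "sudo certbot renew --dry-run"
}

if [ "${1:-}" = "--run" ]; then
  qipai_certbot_status
fi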