#!/usr/bin/env bash

# Generate TLS certificates for Mailu mail server
# Uses the shared CA from the infrastructure

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CA_DIR="$SCRIPT_DIR/../ca"
MAILU_DIR="$SCRIPT_DIR"

echo "Generating TLS certificates for Mailu..."
echo "Directory: $MAILU_DIR"
echo ""

# Check if CA exists
if [ ! -f "$CA_DIR/ca-cert.pem" ] || [ ! -f "$CA_DIR/ca-key.pem" ]; then
    echo "ERROR: CA certificates not found. Please run generate-certificates.sh first."
    exit 1
fi

# Clean up old certificates
echo "Cleaning up old certificates..."
rm -f "$MAILU_DIR/mailu-cert.pem" "$MAILU_DIR/mailu-key.pem" "$MAILU_DIR/mailu.csr" 2>/dev/null || true

# =====================================
# Generate Mailu Server Certificates
# =====================================

echo "Generating Mailu server certificates..."

# Generate Mailu server private key
openssl genrsa -out "$MAILU_DIR/mailu-key.pem" 4096

# Create certificate signing request (CSR)
openssl req -new -key "$MAILU_DIR/mailu-key.pem" -out "$MAILU_DIR/mailu.csr" \
  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Mail/CN=mail.bakewise.ai"

# Create SAN configuration for Mailu
cat > "$MAILU_DIR/san.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = California
L = SanFrancisco
O = BakeryIA
OU = Mail
CN = mail.bakewise.ai

[v3_req]
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = mail.bakewise.ai
DNS.2 = mailu-front.bakery-ia.svc.cluster.local
DNS.3 = mailu-front.bakery-ia
DNS.4 = mailu-front
DNS.5 = localhost
DNS.6 = *.bakewise.ai
IP.1 = 127.0.0.1
EOF

# Sign the certificate with CA (valid for 3 years)
openssl x509 -req -in "$MAILU_DIR/mailu.csr" \
  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
  -out "$MAILU_DIR/mailu-cert.pem" -days 1095 \
  -extensions v3_req -extfile "$MAILU_DIR/san.cnf"

# Set proper permissions
chmod 600 "$MAILU_DIR/mailu-key.pem"
chmod 644 "$MAILU_DIR/mailu-cert.pem"

# Copy CA cert for Mailu clients
cp "$CA_DIR/ca-cert.pem" "$MAILU_DIR/ca-cert.pem"

echo "✓ Mailu certificates generated"
echo ""

# =====================================
# Verify Certificates
# =====================================

echo "Verifying certificates..."
echo "Mailu certificate details:"
openssl x509 -in "$MAILU_DIR/mailu-cert.pem" -noout -subject -issuer -dates
openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$MAILU_DIR/mailu-cert.pem"

echo ""
echo "===================="
echo "✓ Mailu certificates generated successfully!"
echo ""
echo "Generated files:"
echo "  - $MAILU_DIR/mailu-cert.pem (Server certificate)"
echo "  - $MAILU_DIR/mailu-key.pem (Server private key)"
echo "  - $MAILU_DIR/ca-cert.pem (CA certificate for clients)"
echo ""
echo "Next steps:"
echo "  1. Create Kubernetes secret: mailu-tls-secret"
echo "  2. Mount in mailu-front deployment"
echo ""