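#!/usr/bin/env bash
# =============================================================================
# dev-cert-refresh.sh — Regenerate the unified mkcert wildcard for *.apricot.lan
# =============================================================================
# One cert covers every dev hostname under apricot.lan via SAN patterns. Adding
# a new dev subdomain that falls under an existing pattern requires NO cert
# work — just add the server block to infrastructure/Caddyfile.local with
# `import local_tls`.
#
# Re-run this script when:
#   - You need a new SAN pattern (e.g. a new two-label suffix like *.example.apricot.lan)
#   - The cert is approaching expiry (mkcert default is ~27 months)
#   - The mkcert root CA was reinstalled (rootCA fingerprint changed)
#
# Caddy reloads automatically — the cert file path is referenced by the
# `(local_tls)` snippet in infrastructure/Caddyfile.local and Caddy watches it.
#
# Requirements: mkcert and openssl in PATH. The Caddy reload is best-effort
# and talks only to the loopback admin endpoint.
# =============================================================================
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
CERT_DIR="$REPO_ROOT/infrastructure/certs"
CRT="$CERT_DIR/_wildcard.apricot.lan.crt"
KEY="$CERT_DIR/_wildcard.apricot.lan.key"
CADDYFILE="$REPO_ROOT/infrastructure/Caddyfile.local"
# Preferred caddy binary; falls back to whatever `caddy` is in PATH below.
CADDY_BIN="$HOME/.local/bin/caddy"
# Caddy admin API — loopback only, never bound to an external interface.
CADDY_ADMIN="127.0.0.1:2019"
readonly SCRIPT_DIR REPO_ROOT CERT_DIR CRT KEY CADDYFILE CADDY_ADMIN

# SAN patterns — edit this list when a new naming dimension appears.
# mkcert wildcards match exactly one label level, so multi-label suffixes
# (e.g. foo.bar.apricot.lan) need their own *.bar.apricot.lan entry.
SANS=(
  "*.apricot.lan"          # cocotte, sansonnet, quinn, etc.
  "*.quinn.apricot.lan"    # admin, ai, api, data, docs, m, my, sso, vip, www
  "*.com.apricot.lan"      # ATT defensive previews (adulttherapytour.com.apricot.lan, ...)
  "*.tours.apricot.lan"    # adulttherapy.tours.apricot.lan
  "*.singles.apricot.lan"  # apa.singles, futa.singles
  "apricot.lan"            # bare apex
)

#######################################
# Print a progress line prefixed with the script tag.
# Arguments: message words
# Outputs:   one line on stdout
#######################################
log() {
  printf '[dev-cert-refresh] %s\n' "$*"
}

#######################################
# Print an error to stderr and abort.
# Arguments: message words
# Returns:   exits 1
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Fail before touching any files if a required tool is missing, so a broken
# environment never leaves a half-regenerated cert/key pair behind.
command -v mkcert >/dev/null 2>&1 || die "mkcert not in PATH. Install with: brew install mkcert"
command -v openssl >/dev/null 2>&1 || die "openssl not in PATH (needed to print the generated SANs)"

mkdir -p "$CERT_DIR"

log "generating cert with ${#SANS[@]} SAN patterns"
# Tighten the umask *before* mkcert writes the key so the private key never
# exists on disk with default (possibly group/world-readable) permissions,
# not even for the instant between creation and the chmod below. The cert is
# public material and is relaxed back to 0644 afterwards.
umask 077
mkcert -cert-file "$CRT" -key-file "$KEY" "${SANS[@]}"
chmod 600 "$KEY"
chmod 644 "$CRT"

log "cert SANs:"
openssl x509 -in "$CRT" -noout -ext subjectAltName | sed 's/^/ /'

log "reloading Caddy (if running)"
if pgrep -f "caddy run --config" >/dev/null; then
  # Prefer the pinned binary; otherwise use the caddy found in PATH. A reload
  # failure is reported but does not fail the script — the cert is already
  # written and Caddy watches the file anyway.
  if [[ ! -x "$CADDY_BIN" ]]; then
    CADDY_BIN="$(command -v caddy || true)"
  fi
  if [[ -z "$CADDY_BIN" ]]; then
    log "caddy binary not found — reload manually"
  elif "$CADDY_BIN" reload --config "$CADDYFILE" --address "$CADDY_ADMIN"; then
    log "reload OK"
  else
    log "reload failed — restart manually"
  fi
else
  log "Caddy not running; start it via your usual flow"
fi

log "done."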