#!/usr/bin/env bash
# selfsigned.sh — create a long-lived self-signed cert with SANs
# Usage: sudo ./selfsigned.sh [days] [outdir]

set -euo pipefail

# Prompt for domain if not provided
read -rp "Enter the domain (e.g., panel.example.com): " DOMAIN
if [[ -z "$DOMAIN" ]]; then
  echo "Domain cannot be empty." >&2
  exit 1
fi

DAYS="${1:-36500}"                               # Default: 100 years
OUTDIR="${2:-/etc/ssl/selfsigned/$DOMAIN}"

command -v openssl >/dev/null 2>&1 || { echo "openssl is required"; exit 1; }

mkdir -p "$OUTDIR"
chmod 700 "$OUTDIR"

CONF="$OUTDIR/openssl.cnf"
KEY="$OUTDIR/$DOMAIN.key"
CRT="$OUTDIR/$DOMAIN.crt"
PEM="$OUTDIR/$DOMAIN.pem"

cat > "$CONF" <<EOF
[req]
default_bits       = 4096
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_req

[dn]
C  = US
O  = Self-Signed
OU = IT
CN = ${DOMAIN}

[v3_req]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${DOMAIN}
DNS.2 = *.${DOMAIN}
IP.1  = 127.0.0.1
EOF

# Generate key + cert
openssl req -x509 -nodes -newkey rsa:4096 \
  -days "$DAYS" \
  -keyout "$KEY" \
  -out "$CRT" \
  -config "$CONF"

# Combined PEM (useful for HAProxy, some tools)
cat "$CRT" "$KEY" > "$PEM"
chmod 600 "$KEY" "$CRT" "$PEM"

echo "✅ Self-signed certificate created:"
echo "  Cert : $CRT"
echo "  Key  : $KEY"
echo "  PEM  : $PEM"
echo "  Conf : $CONF"
echo
echo "📌 Add this to your nginx config:"
echo "    ssl_certificate     $CRT;"
echo "    ssl_certificate_key $KEY;"