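#!/bin/bash
#
# boss-mail-cert-sync: copy the Caddy-managed TLS certificate and private key
# for the mail domain into the mail stack's TLS directory, then restart
# postfix and dovecot when either file was replaced.
#
# Optional environment overrides:
#   BOSS_MAIL_DOMAIN           mail host name (default: boss.hyzq.net)
#   BOSS_MAIL_TLS_SOURCE_DIR   directory holding Caddy's files for that domain
#   BOSS_MAIL_TLS_CERT_SOURCE  certificate file to copy
#   BOSS_MAIL_TLS_KEY_SOURCE   private key file to copy
#   BOSS_MAIL_TLS_TARGET_DIR   destination directory (default: /etc/boss-mail/tls)
#
# Exit status: 0 on success; non-zero when the source files are missing or
# empty, or when a copy or the service restart fails.
set -euo pipefail

MAIL_DOMAIN="${BOSS_MAIL_DOMAIN:-boss.hyzq.net}"
SOURCE_DIR="${BOSS_MAIL_TLS_SOURCE_DIR:-/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${MAIL_DOMAIN}}"
SOURCE_CERT="${BOSS_MAIL_TLS_CERT_SOURCE:-${SOURCE_DIR}/${MAIL_DOMAIN}.crt}"
SOURCE_KEY="${BOSS_MAIL_TLS_KEY_SOURCE:-${SOURCE_DIR}/${MAIL_DOMAIN}.key}"
TARGET_DIR="${BOSS_MAIL_TLS_TARGET_DIR:-/etc/boss-mail/tls}"
TARGET_CERT="${TARGET_DIR}/fullchain.pem"
TARGET_KEY="${TARGET_DIR}/privkey.pem"
# Records that new files are on disk but the services have not been restarted
# yet. Without it, a failed restart would never be retried: the next run would
# find source and target identical and skip the restart.
RESTART_MARKER="${TARGET_DIR}/.restart-pending"

# Staging files that still need removing if the script exits early.
staged=()

# Remove leftover staging files on any exit path.
cleanup() {
  if (( ${#staged[@]} > 0 )); then
    rm -f -- "${staged[@]}"
  fi
}
trap cleanup EXIT

# Succeeds when the target ($2) is absent or differs from the source ($1).
needs_update() {
  local src=$1 dst=$2
  [[ ! -f "${dst}" ]] || ! cmp -s -- "${src}" "${dst}"
}

# An empty source file is treated like a missing one, so a zero-length
# certificate or key is never installed over a working one.
if [[ ! -f "${SOURCE_CERT}" || ! -s "${SOURCE_CERT}" \
   || ! -f "${SOURCE_KEY}" || ! -s "${SOURCE_KEY}" ]]; then
  echo "Missing Caddy TLS assets for ${MAIL_DOMAIN} under ${SOURCE_DIR}" >&2
  exit 1
fi

# Only the owner may enter the directory that holds the private key.
install -d -m 700 "${TARGET_DIR}"

# Stage the new files next to their targets first. If a copy fails (disk full,
# unreadable source) the script stops here and the live certificate/key pair
# is still the old, matching one.
staged_cert=""
staged_key=""

if needs_update "${SOURCE_CERT}" "${TARGET_CERT}"; then
  staged_cert="$(mktemp "${TARGET_DIR}/.fullchain.pem.XXXXXX")"
  staged+=("${staged_cert}")
  install -m 644 -- "${SOURCE_CERT}" "${staged_cert}"
fi

if needs_update "${SOURCE_KEY}" "${TARGET_KEY}"; then
  staged_key="$(mktemp "${TARGET_DIR}/.privkey.pem.XXXXXX")"
  staged+=("${staged_key}")
  # Private key: owner read/write only.
  install -m 600 -- "${SOURCE_KEY}" "${staged_key}"
fi

if [[ -n "${staged_cert}" || -n "${staged_key}" ]]; then
  # Set the marker before touching the live files so an interruption from this
  # point on still leads to a restart on the next run.
  : > "${RESTART_MARKER}"
  # Staging files live in TARGET_DIR, so each mv is a rename on the same
  # filesystem: a reader sees either the old file or the complete new one.
  # The two renames are separate steps, not one atomic swap of the pair.
  if [[ -n "${staged_cert}" ]]; then
    mv -f -- "${staged_cert}" "${TARGET_CERT}"
  fi
  if [[ -n "${staged_key}" ]]; then
    mv -f -- "${staged_key}" "${TARGET_KEY}"
  fi
fi

# Restart when files were replaced in this run or a previous run left the
# marker behind; the marker is cleared only after the restart succeeded.
if [[ -e "${RESTART_MARKER}" ]]; then
  systemctl restart postfix dovecot
  rm -f -- "${RESTART_MARKER}"
fi

echo "boss-mail-cert-sync completed"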