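#!/bin/bash
# SSL certificate setup script - uses Let's Encrypt (certbot) with nginx.
#
# Runs as root and:
#   1. prompts for a domain and a contact e-mail address,
#   2. installs nginx and certbot,
#   3. writes a port-80 reverse-proxy site so the ACME HTTP challenge can pass,
#   4. requests a certificate for DOMAIN and www.DOMAIN,
#   5. schedules renewal and installs the full config rendered from
#      ./nginx-proxy.conf (looked up in the current working directory).
#
# The domain and e-mail are typed in by the operator and end up inside a root
# owned nginx config, a sed expression and a certbot command line, so both are
# validated before any of that happens.
set -euo pipefail

readonly SITE_CONF=/etc/nginx/sites-available/chatapp
readonly TEMPLATE=nginx-proxy.conf
readonly CRON_LINE="0 12 * * * /usr/bin/certbot renew --quiet"

echo "🔒 设置SSL证书..."
echo

# Must run as root: the script installs packages and writes under /etc/nginx.
if [ "$EUID" -ne 0 ]; then
  echo "❌ 请使用sudo运行此脚本"
  exit 1
fi

# Ask for the domain. -r keeps backslashes literal.
read -r -p "请输入您的域名 (例如: example.com): " DOMAIN
if [ -z "$DOMAIN" ]; then
  echo "❌ 域名不能为空"
  exit 1
fi

# Accept only a plain DNS hostname (letters, digits, '-' and '.').
# Anything else (spaces, ';', '{', '/', '&', newlines ...) would be written
# verbatim into the nginx server block and the sed replacement below.
domain_re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
if [[ ! "$DOMAIN" =~ $domain_re ]]; then
  echo "❌ 域名格式无效" >&2
  exit 1
fi

read -r -p "请输入您的邮箱地址: " EMAIL
if [ -z "$EMAIL" ]; then
  echo "❌ 邮箱地址不能为空"
  exit 1
fi

# Coarse shape check only: no whitespace, one '@', and no leading '-' so the
# value can never be parsed as a certbot option.
email_re='^[^[:space:]@-][^[:space:]@]*@[^[:space:]@]+\.[^[:space:]@]+$'
if [[ ! "$EMAIL" =~ $email_re ]]; then
  echo "❌ 邮箱地址格式无效" >&2
  exit 1
fi

# Fail before touching the system if the final config template is missing;
# otherwise the run would stop half-way with a certificate issued but the
# site config never completed.
if [ ! -f "$TEMPLATE" ]; then
  echo "❌ 未找到 $TEMPLATE" >&2
  exit 1
fi

echo "域名: $DOMAIN"
echo "邮箱: $EMAIL"
echo

# Install nginx. apt-get is used because apt's CLI is not stable for scripts.
echo "📦 安装nginx..."
apt-get update
apt-get install -y nginx

# Install certbot and its nginx plugin.
echo "📦 安装certbot..."
apt-get install -y certbot python3-certbot-nginx

# Minimal HTTP-only site: serves the ACME challenge directory and proxies the
# app (port 3000), the API and the socket.io endpoint (port 5000).
# \$ keeps nginx variables literal; only $DOMAIN is expanded by the shell.
echo "⚙️ 创建nginx配置..."
cat > "$SITE_CONF" << EOF
server {
    listen 80;
    server_name $DOMAIN www.$DOMAIN;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }

    location /api/ {
        proxy_pass http://localhost:5000;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }

    location /socket.io/ {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF

# Enable the site and drop the distribution default.
ln -sf "$SITE_CONF" /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default

# Validate the configuration before restarting.
nginx -t

# Restart nginx and start it on boot.
systemctl restart nginx
systemctl enable nginx

echo "✅ nginx配置完成"
echo

# Request the certificate. Arguments are quoted so the values are passed as
# single words regardless of their content.
echo "🔒 获取SSL证书..."
certbot --nginx -d "$DOMAIN" -d "www.$DOMAIN" --email "$EMAIL" --agree-tos --no-eff-email

# Schedule renewal. The entry is added only when it is not already present,
# so re-running the script does not pile up duplicate cron lines.
# NOTE(review): the Debian/Ubuntu certbot package normally ships its own
# renewal timer; confirm whether this extra root cron entry is still wanted.
echo "⏰ 设置证书自动续期..."
existing_cron=$(crontab -l 2>/dev/null || true)
if ! grep -Fxq -- "$CRON_LINE" <<< "$existing_cron"; then
  {
    if [ -n "$existing_cron" ]; then
      printf '%s\n' "$existing_cron"
    fi
    printf '%s\n' "$CRON_LINE"
  } | crontab -
fi

# Install the full configuration rendered from the template.
# It is rendered to a temp file first: redirecting sed straight onto the live
# file would truncate it even when sed fails. The previous config is kept as
# .bak and restored if nginx rejects the new one.
echo "⚙️ 应用完整nginx配置..."
rendered=$(mktemp "${SITE_CONF}.XXXXXX")
trap 'rm -f -- "$rendered"' EXIT
# DOMAIN was validated above, so it cannot contain '/' or '&'.
sed "s/your-domain\.com/$DOMAIN/g" "$TEMPLATE" > "$rendered"
chmod 644 "$rendered"
cp -p -- "$SITE_CONF" "${SITE_CONF}.bak"
mv -f -- "$rendered" "$SITE_CONF"
if ! nginx -t; then
  mv -f -- "${SITE_CONF}.bak" "$SITE_CONF"
  echo "❌ nginx配置测试失败,已恢复原配置" >&2
  exit 1
fi
systemctl reload nginx

echo
echo "🎉 SSL设置完成!"
echo
echo "🌐 您的网站现在可以通过以下地址访问:"
echo " - https://$DOMAIN"
echo " - https://www.$DOMAIN"
echo
echo "🔒 SSL证书信息:"
certbot certificates
echo
echo "📋 管理命令:"
echo " - 续期证书: sudo certbot renew"
echo " - 查看证书: sudo certbot certificates"
echo " - 测试续期: sudo certbot renew --dry-run"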