#!/usr/bin/env bash
# 生成自签通配证书（仅 test/dev 用，浏览器会告警，curl -k 可绕过）
#
# 用法：sudo bash gen-self-signed-wildcard.sh [domain_suffix]
#   默认 domain_suffix = apps.ffworkspace.test.faradayfuturecn.com
#
# 产物：/etc/ssl/internal-app-platform/wildcard-apps.{crt,key}（有效期 825 天）
#
# 生产 / UAT 必须用公司内部 CA 或 LE DNS-01，不要用本脚本。

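set -euo pipefail

# Fixed output location (documented in the header); both files are derived
# from it so the "already exists" check and the generation step agree.
readonly CERT_DIR=/etc/ssl/internal-app-platform
readonly CERT="${CERT_DIR}/wildcard-apps.crt"
readonly KEY="${CERT_DIR}/wildcard-apps.key"
# Validity in days; 825 is the browser-accepted ceiling for leaf certs.
readonly DAYS=825

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the notAfter date of a PEM cert (the text after "notAfter=").
# Arguments: $1 - path to the certificate
# Outputs:   expiry date on stdout
#######################################
cert_expiry() {
  local cert=$1
  openssl x509 -enddate -noout <"$cert" | cut -d= -f2
}

#######################################
# Generate (or report) the self-signed wildcard cert/key pair.
# Arguments: $1 - domain suffix (optional)
# Globals:   CERT_DIR, CERT, KEY, DAYS (read)
# Returns:   0 on success or when a pair already exists; 1 on usage errors
#######################################
main() {
  local domain_suffix="${1:-apps.ffworkspace.test.faradayfuturecn.com}"
  local expiry

  [[ $EUID -eq 0 ]] || die "需要 sudo 运行"
  # -addext below needs OpenSSL 1.1.1+; at minimum make sure the binary exists
  # so the failure is a clear message rather than a "command not found" trace.
  command -v openssl >/dev/null || die "[gen-cert] 未找到 openssl"

  install -d -m 0755 "$CERT_DIR"

  if [[ -f $CERT && -f $KEY ]]; then
    expiry=$(cert_expiry "$CERT")
    echo "[gen-cert] 已存在 cert，到期 $expiry；如要重签删后再跑：sudo rm $CERT $KEY"
    # -checkend 0 returns non-zero once the cert is already expired; an expired
    # pair should not be reported as a healthy "already exists".
    if ! openssl x509 -checkend 0 -noout <"$CERT" >/dev/null; then
      echo "[gen-cert] 警告：该 cert 已过期，请删除后重新生成" >&2
    fi
    exit 0
  fi

  # Run the key generation under a restrictive umask so the private key is
  # never world-readable in the window between creation and the chmod below
  # (whether -keyout honours the umask depends on the OpenSSL build). The
  # subshell scopes the umask change; its exit status still trips set -e.
  (
    umask 077
    openssl req -x509 -nodes -newkey rsa:2048 -days "$DAYS" \
      -keyout "$KEY" -out "$CERT" \
      -subj "/CN=*.${domain_suffix}/O=FFAIWorkspace/OU=internal-app-platform (self-signed test)" \
      -addext "subjectAltName=DNS:*.${domain_suffix},DNS:${domain_suffix}"
  )

  # Cert is public; key must stay root-only.
  chmod 0644 "$CERT"
  chmod 0600 "$KEY"

  echo "[gen-cert] 生成完成："
  printf '  cert: %s\n' "$CERT"
  printf '  key:  %s\n' "$KEY"
  printf '  到期: %s\n' "$(cert_expiry "$CERT")"
  echo
  echo "下一步：sudo nginx -t && sudo systemctl reload nginx"
}

main "$@"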
