#!/usr/bin/env bash
# scripts/setup-renewal-cron.sh
# Installs/updates a daily cron entry for automated TLS renewal.

set -euo pipefail

REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
TLS_ENV_FILE="${REPO_DIR}/.tls-renewal.env"
LOG_DIR="${REPO_DIR}/logs"
LOG_FILE="${LOG_DIR}/tls-renew.log"
CRON_MARKER="# nextcloud-docker tls renewal"
CRON_SCHEDULE="${RENEW_CRON_SCHEDULE:-17 3 * * *}"
DEFAULT_TOKEN_SCRIPT="${HOME}/bin/cloudflare-api-usertoken.sh"

if [ -f "${TLS_ENV_FILE}" ]; then
  # shellcheck disable=SC1090
  set -a
  source "${TLS_ENV_FILE}"
  set +a
fi

if [ -z "${LETSENCRYPT_EMAIL:-}" ]; then
  echo "ERROR: LETSENCRYPT_EMAIL is not set."
  echo "Export it in your shell before running this script."
  exit 1
fi

CLOUDFLARE_TOKEN_SCRIPT="${CLOUDFLARE_TOKEN_SCRIPT:-${DEFAULT_TOKEN_SCRIPT}}"
CF_DNS_PROPAGATION_SECONDS="${CF_DNS_PROPAGATION_SECONDS:-60}"

mkdir -p "${LOG_DIR}"
chmod 700 "${LOG_DIR}"

cat > "${TLS_ENV_FILE}" <<ENVFILE
LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}
CLOUDFLARE_TOKEN_SCRIPT=${CLOUDFLARE_TOKEN_SCRIPT}
CF_DNS_PROPAGATION_SECONDS=${CF_DNS_PROPAGATION_SECONDS}
ENVFILE
chmod 600 "${TLS_ENV_FILE}"

CRON_COMMAND="cd ${REPO_DIR} && /usr/bin/env bash ${REPO_DIR}/scripts/renew-production-tls.sh >> ${LOG_FILE} 2>&1"
CRON_LINE="${CRON_SCHEDULE} ${CRON_COMMAND} ${CRON_MARKER}"

{
  crontab -l 2>/dev/null | grep -v "${CRON_MARKER}" || true
  echo "${CRON_LINE}"
} | crontab -

echo "==> Installed cron renewal job:"
echo "    ${CRON_LINE}"
echo "==> Stored renewal defaults in ${TLS_ENV_FILE}"
echo "==> Logs will be written to ${LOG_FILE}"