#!/usr/bin/env bash

set -euo pipefail

usage() {
  cat <<'EOF'
Usage:
  create-nginx-certs.sh --domain <domain> [--output <name>]

Options:
  -d, --domain   Domain name to use for the certificate Common Name and SAN
  -o, --output   Output file base name (defaults to the domain name)
  -h, --help     Show this help message

Examples:
  ./create-nginx-certs.sh --domain mydomain.local
  ./create-nginx-certs.sh --domain mydomain.local --output foo
EOF
}

DOMAIN=""
OUTPUT_BASE=""

while [[ $# -gt 0 ]]; do
  case "$1" in
    -d|--domain)
      if [[ $# -lt 2 ]]; then
        echo "Error: --domain requires a value" >&2
        usage >&2
        exit 1
      fi
      DOMAIN="$2"
      shift 2
      ;;
    -o|--output)
      if [[ $# -lt 2 ]]; then
        echo "Error: --output requires a value" >&2
        usage >&2
        exit 1
      fi
      OUTPUT_BASE="$2"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Error: unknown argument: $1" >&2
      usage >&2
      exit 1
      ;;
  esac
done

if [[ -z "$DOMAIN" ]]; then
  echo "Error: --domain is required" >&2
  usage >&2
  exit 1
fi

if [[ -z "$OUTPUT_BASE" ]]; then
  OUTPUT_BASE="$DOMAIN"
fi

CERT_FILE="${OUTPUT_BASE}.pem"
KEY_FILE="${OUTPUT_BASE}.key.pem"
TMP_CONFIG="$(mktemp)"

cleanup() {
  rm -f "$TMP_CONFIG"
}
trap cleanup EXIT

cat > "$TMP_CONFIG" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
CN = ${DOMAIN}

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${DOMAIN}
EOF

openssl req -x509 \
  -nodes \
  -days 3650 \
  -newkey rsa:2048 \
  -keyout "$KEY_FILE" \
  -out "$CERT_FILE" \
  -config "$TMP_CONFIG" \
  -extensions req_ext

echo "Created certificate: $CERT_FILE"
echo "Created private key:  $KEY_FILE"