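import os
import shlex
import subprocess
import sys

# Konfiguracja
DOMAIN = "ldns1.linuxiarz.pl"
WILDCARD_DOMAIN = f"*.{DOMAIN}"
INSTALL_DIR = "/root/.acme.sh/"
# os.path.join tolerates the trailing slash in INSTALL_DIR, so the path is
# "/root/.acme.sh/acme.sh" rather than "/root/.acme.sh//acme.sh".
ACME_BIN = os.path.join(INSTALL_DIR, "acme.sh")
DNS_SERVER = "linuxiarz.pl"
KEY_FILE = "/root/tsig.key"
KEY_NAME = "certbot-key"
KEY_ALGO = "hmac-sha512"
SYSTEMD_SERVICE = "AdGuardHome.service"
CERT_DIR = "/etc/ssl/wildcard-linuxiarz.pl"
CERT_KEY_PATH = f"{CERT_DIR}/key.key"
CERT_FULLCHAIN_PATH = f"{CERT_DIR}/cert.crt"

# acme.sh exits non-zero with this text when the certificate is not yet due
# for renewal; the script treats that as "nothing to do", not as an error.
SKIP_MARKER = "Skipping. Next renewal time is"


def set_env() -> None:
    """Export the DNS-update settings read by acme.sh's dns_nsupdate hook.

    Both the NSUPDATE_* and RFC2136_* spellings are exported with the same
    values so either variant of the hook picks them up. Only the *path* to
    the TSIG key file is placed in the environment, never the key itself.
    """
    settings = {
        "SERVER": DNS_SERVER,
        "KEY": KEY_FILE,
        "KEY_NAME": KEY_NAME,
        "KEY_ALGO": KEY_ALGO,
        "TIMEOUT": "120",
    }
    for prefix in ("NSUPDATE", "RFC2136"):
        for suffix, value in settings.items():
            os.environ[f"{prefix}_{suffix}"] = value


def warn_if_key_exposed() -> None:
    """Warn when the TSIG key file is readable by group or others.

    The key authorises dynamic DNS updates for the zone, so anything wider
    than owner-only access is worth flagging. This only prints a warning;
    it never aborts the run.
    """
    try:
        mode = os.stat(KEY_FILE).st_mode
    except OSError as exc:
        print(f"⚠️ Nie można odczytać pliku klucza {KEY_FILE}: {exc}")
        return
    if mode & 0o077:
        print(
            f"⚠️ Plik klucza {KEY_FILE} ma zbyt szerokie uprawnienia "
            f"({oct(mode & 0o777)}); zalecane chmod 600."
        )


def run_command(cmd) -> bool:
    """Run *cmd* without a shell and report whether it did real work.

    Args:
        cmd: an argument list, or a single command string which is split
            with shlex.split. No shell is involved in either case, so
            arguments are never re-interpreted.

    Returns:
        True when the command exited 0. False when it exited non-zero only
        because acme.sh reported the certificate is not yet due for renewal.

    Exits the process with status 1 on any other failure (non-zero exit or
    missing executable), after printing the captured output.
    """
    argv = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    shown = cmd if isinstance(cmd, str) else " ".join(shlex.quote(a) for a in argv)
    try:
        result = subprocess.run(argv, text=True, capture_output=True)
    except OSError as exc:
        print(f"❌ Błąd wykonania komendy [{shown}]:\n{exc}")
        sys.exit(1)
    output = result.stdout + result.stderr
    if result.returncode != 0:
        # "Skipping" is not an error: the certificate simply is not due yet.
        if SKIP_MARKER in output:
            print(output)
            print("ℹ️ Certyfikat jeszcze nie wymaga odnowienia.\nPominięto.")
            return False  # ← cert not renewed
        print(f"❌ Błąd wykonania komendy [{shown}]:\n{output}")
        sys.exit(1)
    print(output)
    return True


def issue_cert() -> None:
    """Issue a new certificate for DOMAIN via DNS-01 and install it."""
    print(f"Generowanie certyfikatu {DOMAIN}")
    cmd = [
        ACME_BIN, "--log", "--set-default-ca", "--server", "letsencrypt",
        "--issue", "--dns", "dns_nsupdate",
        "-d", DOMAIN,
        "--yes-I-know-dns-manual-mode-enough-go-ahead-please",
    ]
    run_command(cmd)
    install_cert()


def renew_cert(force: bool = False) -> None:
    """Renew the certificate for DOMAIN; install it only if something changed.

    Args:
        force: pass ``--force`` to acme.sh and always reinstall afterwards.
    """
    print(f"Odnawianie certyfikatu {DOMAIN}")
    cmd = [ACME_BIN, "--renew", "-d", DOMAIN, "--dns", "dns_nsupdate"]
    if force:
        cmd.append("--force")
    updated = run_command(cmd)
    if updated or force:
        install_cert()
    else:
        print("⏭️ Pominięto instalację, certyfikat nie został zmieniony.")


def install_cert() -> None:
    """Copy key and full chain into CERT_DIR and restart the service.

    The reload command is passed to acme.sh as a single argument, so the
    space inside "systemctl restart ..." needs no shell quoting here.
    """
    print("Instalacja certyfikatu...")
    os.makedirs(CERT_DIR, exist_ok=True)
    cmd = [
        ACME_BIN, "--install-cert",
        "-d", DOMAIN,
        "--key-file", CERT_KEY_PATH,
        "--fullchain-file", CERT_FULLCHAIN_PATH,
        "--reloadcmd", f"systemctl restart {SYSTEMD_SERVICE}",
    ]
    run_command(cmd)


def main() -> None:
    """CLI entry point: ``getcert.py [issue|renew] [force]``."""
    if len(sys.argv) < 2:
        print("Użycie: python getcert.py [issue|renew] [force]")
        sys.exit(1)
    set_env()
    warn_if_key_exposed()
    action = sys.argv[1]
    force = len(sys.argv) > 2 and sys.argv[2] == "force"
    if action == "issue":
        issue_cert()
    elif action == "renew":
        renew_cert(force)
    else:
        print("Nieznane polecenie. Użyj: issue lub renew")
        sys.exit(1)


if __name__ == "__main__":
    main()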