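#!/bin/bash
#
# Interactive setup of a Let's Encrypt certificate using certbot with the
# Cloudflare DNS-01 plugin.
#
# What it does: installs certbot and certbot-dns-cloudflare into a virtualenv
# at /opt/certbot, stores the Cloudflare API token in a root-only credentials
# file, and requests a certificate for the domain entered at the prompt.
#
# Must be run as root. Prompts for: FQDN, notification email, Cloudflare token.
#
# Security notes:
#   - The token is written to disk in plaintext. Use a Cloudflare API *token*
#     scoped to DNS edit on the one zone that needs it. The file uses the
#     dns_cloudflare_api_token setting, so a legacy Global API Key will not
#     work here.
#   - pip installs are unpinned; pin versions if you need reproducible,
#     reviewable installs.

set -euo pipefail

readonly CRED_DIR=/root/certbot-cloudflare
readonly CRED_FILE="${CRED_DIR}/cloudflare.ini"

# Ensure script is run as root
if [[ "$EUID" -ne 0 ]]; then
  echo "Please run as root" >&2
  exit 1
fi

echo "=== Let's Encrypt + Cloudflare setup ==="

# Ask for domain (-r: do not let backslashes in the input be interpreted)
read -r -p "Enter the FQDN (e.g. example.com or sub.example.com): " DOMAIN
if [[ -z "$DOMAIN" ]]; then
  echo "Domain cannot be empty" >&2
  exit 1
fi

# Ask for email
read -r -p "Enter email address for Let's Encrypt notifications: " EMAIL
if [[ -z "$EMAIL" ]]; then
  echo "Email cannot be empty" >&2
  exit 1
fi

# Ask for Cloudflare API token. -s keeps the secret from being echoed to the
# terminal (and so out of scrollback and screen recordings); print the newline
# that -s suppresses.
read -r -s -p "Enter your Cloudflare API Token/Key: " CF_API_KEY
echo
if [[ -z "$CF_API_KEY" ]]; then
  echo "API key cannot be empty" >&2
  exit 1
fi

echo "Installing dependencies..."
# apt-get rather than apt: apt's CLI is not intended for use in scripts.
apt-get update
apt-get install -y python3 python3-dev python3-venv libaugeas-dev gcc

echo "Setting up virtual environment..."
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot
/opt/certbot/bin/pip install certbot-dns-cloudflare

# Symlink certbot
ln -sf /opt/certbot/bin/certbot /usr/bin/certbot

echo "Creating Cloudflare credentials file..."
mkdir -p "$CRED_DIR"
chmod 700 "$CRED_DIR"

# Create (or replace) the file with mode 600 *before* the secret is written,
# so the token is never readable by other users, not even briefly. Writing
# first and running chmod afterwards would leave such a window, and would
# inherit loose permissions from a pre-existing file.
install -m 600 /dev/null "$CRED_FILE"
printf 'dns_cloudflare_api_token = %s\n' "$CF_API_KEY" > "$CRED_FILE"

# Secure the credentials file (kept as a belt-and-braces check)
chmod 600 "$CRED_FILE"

# The token is now on disk; drop it from the shell environment.
unset CF_API_KEY

echo "Requesting certificate for $DOMAIN ..."
certbot certonly \
  --non-interactive \
  --agree-tos \
  --no-eff-email \
  --email "$EMAIL" \
  --dns-cloudflare \
  --dns-cloudflare-credentials "$CRED_FILE" \
  -d "$DOMAIN"

echo "Done! Certificate setup completed for $DOMAIN"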