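#!/bin/sh
# Generate a self-signed TLS certificate (P-256 key) for mc-proxy L7 routes.
#
# Usage: generate-self-signed.sh <hostname> [output-dir]
#
#   hostname    DNS name placed in the CN and subjectAltName; a single leading
#               "*." wildcard label is accepted.
#   output-dir  directory to write into (default: /srv/mc-proxy/certs).
#
# Example:
#   generate-self-signed.sh metacrypt.svc.mcp.metacircular.net /srv/mc-proxy/certs
#
# Produces (dots in the hostname become hyphens, a leading "*." is dropped):
#   <output-dir>/<basename>.pem   certificate, mode 0644
#   <output-dir>/<basename>.key   unencrypted private key, mode 0600
#
# Existing files with those names are overwritten (re-running renews the
# certificate). -addext requires OpenSSL 1.1.1 or newer.
set -eu

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# Reject anything that is not a plain DNS name. The value is spliced into
# -subj and -addext, where '/', ',' or whitespace would be read as field
# separators, so only [A-Za-z0-9.-] plus a leading "*." label are allowed.
validate_hostname() {
  case "$1" in
    '') die "hostname must not be empty" ;;
    *[!A-Za-z0-9.*-]*) die "hostname contains an unsupported character: $1" ;;
  esac
  # A wildcard is only meaningful as the leading label.
  case "${1#\*.}" in
    *\**) die "a wildcard is only allowed as the leading '*.' label: $1" ;;
  esac
}

if [ $# -lt 1 ]; then
  printf 'Usage: %s <hostname> [output-dir]\n' "$0" >&2
  exit 1
fi

command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

host=$1
out_dir=${2:-/srv/mc-proxy/certs}
days=365

validate_hostname "$host"

# Filename-safe base name: drop a leading "*." and turn dots into hyphens.
base=$(printf '%s\n' "${host#\*.}" | sed 's/\./-/g')
cert="${out_dir}/${base}.pem"
key="${out_dir}/${base}.key"

# The directory is created under the caller's umask so the proxy (possibly a
# different user) can still traverse it and read the public certificate.
mkdir -p "$out_dir"

# Tighten the umask before the key is written so it is never world-readable,
# not even between openssl creating the file and the chmod below; this does
# not depend on the installed openssl choosing a restrictive mode itself.
umask 077

# -sha256 is the default digest in current OpenSSL builds; stated explicitly
# so the output does not depend on the build. -nodes = unencrypted key
# (OpenSSL 3 also spells it -noenc; -nodes is still accepted).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -sha256 -nodes -days "$days" \
  -keyout "$key" -out "$cert" \
  -subj "/CN=${host}" \
  -addext "subjectAltName=DNS:${host}"

chmod 600 "$key"
chmod 644 "$cert"

printf 'Generated self-signed certificate (%s days):\n' "$days"
printf '  cert: %s\n' "$cert"
printf '  key:  %s\n' "$key"
printf '\n'
printf '%s\n' "Verify: openssl x509 -in ${cert} -noout -text | grep -A1 'Subject Alternative'"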