#!/bin/bash
# SSL 证书修复和 Nginx 配置脚本
# 修复 SSL 证书路径问题并配置新的子域名

echo "========================================"
echo "修复 SSL 证书和 Nginx 配置"
echo "========================================"

# 1. 检查 SSL 证书状态
echo "[1/5] 检查 SSL 证书状态..."
ls -la /etc/letsencrypt/live/ 2>/dev/null || echo "证书目录不存在"

# 2. 重新获取证书
echo "[2/5] 重新获取 SSL 证书..."
certbot certonly --webroot -w /var/www/html -d tksea.top -d www.tksea.top -d api.tksea.top -d gitea.tksea.top -d sub.tksea.top --non-interactive --agree-tos --email admin@tksea.top || certbot --nginx -d tksea.top -d www.tksea.top -d api.tksea.top -d gitea.tksea.top -d sub.tksea.top --non-interactive --agree-tos --email admin@tksea.top

# 3. 验证证书
echo "[3/5] 验证证书..."
certbot certificates

# 4. 配置 Nginx
echo "[4/5] 配置 Nginx..."
cat > /etc/nginx/sites-available/tksea << 'EOF'
# HTTP 重定向到 HTTPS
server {
    listen 80;
    server_name tksea.top www.tksea.top api.tksea.top gitea.tksea.top sub.tksea.top;
    location /.well-known/acme-challenge/ { root /var/www/html; }
    location / { return 301 https://$host$request_uri; }
}

# HTTPS - 主域名 (Gitea)
server {
    listen 443 ssl http2;
    server_name tksea.top www.tksea.top;
    ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# HTTPS - api 子域名 (Sub2API)
server {
    listen 443 ssl http2;
    server_name api.tksea.top;
    ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    underscores_in_headers on;
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTPS - gitea 子域名 (Gitea)
server {
    listen 443 ssl http2;
    server_name gitea.tksea.top;
    ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# HTTPS - sub 子域名 (Sub2API)
server {
    listen 443 ssl http2;
    server_name sub.tksea.top;
    ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    underscores_in_headers on;
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

# 5. 测试并重载 Nginx
echo "[5/5] 测试并重载 Nginx..."
nginx -t && systemctl reload nginx

echo ""
echo "========================================"
echo "修复完成!"
echo "========================================"
echo ""
echo "现在可以访问:"
echo "  - https://tksea.top (Gitea)"
echo "  - https://gitea.tksea.top (Gitea)"
echo "  - https://api.tksea.top (Sub2API)"
echo "  - https://sub.tksea.top (Sub2API)"
echo ""
echo "检查服务状态:"
echo "  docker ps"
echo "  systemctl status nginx"
echo "========================================"