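#!/bin/bash
# Certbot post-renewal hook for HAProxy
# Managed by Ansible - DO NOT EDIT MANUALLY
#
# This script:
# 1. Combines fullchain.pem + privkey.pem into HAProxy format
# 2. Sets correct permissions
# 3. Reloads HAProxy via systemd
# 4. Updates certificate metrics for Prometheus
#
# Required environment:
#   RENEWED_LINEAGE - certbot lineage directory containing fullchain.pem and
#                     privkey.pem (set by certbot --deploy-hook or passed
#                     explicitly by deploy.yml)
#
# Exit status: 0 on success; non-zero if the lineage files are missing, the
# combined PEM cannot be written/installed, or the HAProxy reload fails.
# A failure of the metrics helper is logged but does not fail the hook.

set -euo pipefail

# The combined PEM contains the private key. Files created below inherit this
# umask, so the staging file is never world- or group-readable, even for the
# moment between creation and the explicit chmod further down.
umask 077

# RENEWED_LINEAGE is set by certbot --deploy-hook or passed explicitly by deploy.yml
CERT_DIR="${RENEWED_LINEAGE:?RENEWED_LINEAGE must be set}"
CERT_NAME=$(basename "${CERT_DIR}")
HAPROXY_CERT="{{ haproxy_cert_path }}"
# shellcheck disable=SC2034 — kept for template compatibility; not used below
HAPROXY_DIR="{{ haproxy_directory }}"
# Staging file lives next to the target so the final mv is a same-filesystem rename
HAPROXY_CERT_TMP="${HAPROXY_CERT}.tmp"

#######################################
# Timestamped log line to stdout.
# Arguments: message words
#######################################
log() {
  echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"
}

#######################################
# Remove the staging file on any exit path, so an aborted run never leaves a
# partially written copy of the private key behind. A no-op after the mv.
#######################################
cleanup() {
  rm -f -- "${HAPROXY_CERT_TMP}"
}
trap cleanup EXIT

log "Starting renewal hook for ${CERT_NAME}"

# Check if certificate files exist
if [[ ! -f "${CERT_DIR}/fullchain.pem" ]] || [[ ! -f "${CERT_DIR}/privkey.pem" ]]; then
  echo "ERROR: Certificate files not found in ${CERT_DIR}" >&2
  exit 1
fi

# Combine certificate and private key for HAProxy
# HAProxy requires both in a single PEM file. Write to a staging file so
# HAProxy never observes a partially written certificate.
cat "${CERT_DIR}/fullchain.pem" "${CERT_DIR}/privkey.pem" > "${HAPROXY_CERT_TMP}"

# Set ownership and mode on the staging file BEFORE swapping it into place, so
# the live file never exists with the wrong owner/mode (the original order of
# mv-then-chown left a short window where the installed key had default perms).
chown {{ certbot_user }}:{{ haproxy_group }} "${HAPROXY_CERT_TMP}"
chmod 640 "${HAPROXY_CERT_TMP}"

# Atomic rename to avoid HAProxy reading a partial file
mv -f -- "${HAPROXY_CERT_TMP}" "${HAPROXY_CERT}"

log "Certificate combined and written to ${HAPROXY_CERT}"

# Reload HAProxy if running. A failed reload deliberately aborts the hook
# (set -e) so certbot reports it instead of silently serving the old cert.
if systemctl is-active --quiet haproxy; then
  log "Reloading HAProxy..."
  systemctl reload haproxy
  log "HAProxy reloaded"
else
  log "HAProxy not running, skipping reload"
fi

# Update certificate metrics. The certificate is already deployed at this
# point, so a metrics failure is reported on stderr but does not fail the hook.
if ! "{{ certbot_directory }}/hooks/cert-metrics.sh"; then
  log "WARNING: cert-metrics.sh failed; certificate metrics may be stale" >&2
fi

log "Renewal hook completed successfully"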