#!/usr/bin/env sh
set -eu

# Request Let's Encrypt certificates for DOMAINS.
# Existing valid certificates are kept by certbot because of --keep-until-expiring.

ROOT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")/.." && pwd)"

cd "$ROOT_DIR"

if [ -z "${DOMAINS:-}" ]; then
    echo "错误：必须设置 DOMAINS。" >&2
    exit 1
fi

if [ -z "${CERT_EMAIL:-}" ]; then
    echo "错误：必须设置 CERT_EMAIL。" >&2
    exit 1
fi

. "$ROOT_DIR/scripts/lib-compose.sh"

echo "使用 certbot 申请正式证书..."
for domain in $DOMAINS; do
    echo "申请正式证书：$domain"
    compose run --rm --entrypoint certbot certbot \
        certonly --webroot -w /var/www -d "$domain" \
        --email "$CERT_EMAIL" --agree-tos --non-interactive --keep-until-expiring
done

echo "证书申请步骤完成。"