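#!/usr/bin/env bash
set -euo pipefail

# Renew TLS certificates with certbot, reload Nginx, and raise an alert when
# either step fails.
#
# Usage:
#   CERTBOT_CMD=/usr/bin/certbot NGINX_RELOAD_CMD="systemctl reload nginx" ./scripts/ops/renew_cert.sh
#
# Environment:
#   CERTBOT_CMD        certbot executable (default: certbot)
#   NGINX_RELOAD_CMD   command line that reloads Nginx; it is passed to
#                      `bash -lc` and therefore executed as shell code
#   OPS_ALERT_WEBHOOK  URL that receives the alert as a JSON POST; when empty
#                      the alert is written to stderr only
#   ALERT_TITLE        value of the "title" field in the alert payload
#
# Exit status: 0 when renewal and reload both succeed, 1 otherwise.

CERTBOT_CMD="${CERTBOT_CMD:-certbot}"
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-systemctl reload nginx}"
OPS_ALERT_WEBHOOK="${OPS_ALERT_WEBHOOK:-}"
ALERT_TITLE="${ALERT_TITLE:-[wx_service] HTTPS 证书续期失败}"

#######################################
# Escape a string so it can sit inside a JSON string literal.
# Handles backslash, double quote, newline, carriage return and tab; other
# control characters are passed through unchanged.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout
#######################################
json_escape() {
  local text=$1
  # Backslash first, otherwise the escapes added below would be doubled.
  text=${text//\\/\\\\}
  text=${text//\"/\\\"}
  text=${text//$'\n'/\\n}
  text=${text//$'\r'/\\r}
  text=${text//$'\t'/\\t}
  printf '%s' "$text"
}

#######################################
# Deliver an alert: POST it to OPS_ALERT_WEBHOOK, or print it to stderr when
# no webhook is configured or the POST fails. Never aborts the script.
# Globals:   OPS_ALERT_WEBHOOK (read), ALERT_TITLE (read)
# Arguments: $1 - alert message
# Outputs:   alert text on stderr when the webhook is unset or unreachable
#######################################
send_alert() {
  local message="$1"
  local payload

  if [[ -z "${OPS_ALERT_WEBHOOK}" ]]; then
    echo "ALERT: ${message}" >&2
    return
  fi

  # ALERT_TITLE comes from the environment; escape both fields so a quote or
  # backslash cannot break the JSON document or add fields to it.
  payload=$(printf '{"title":"%s","message":"%s"}' \
    "$(json_escape "${ALERT_TITLE}")" \
    "$(json_escape "${message}")")

  # NOTE(review): the webhook URL is passed on curl's command line and is
  # visible in the process list; if it embeds a token, consider a curl config
  # file readable only by the job's user.
  # --max-time keeps an unresponsive webhook from hanging the renewal job.
  if ! curl -fsS --max-time 10 -X POST "${OPS_ALERT_WEBHOOK}" \
    -H "Content-Type: application/json" \
    -d "${payload}" >/dev/null; then
    # Best effort only, but keep the alert in the job's stderr (cron mail,
    # journal) instead of losing it when delivery fails.
    printf 'ALERT (webhook delivery failed): %s\n' "${message}" >&2
  fi
}

if ! "${CERTBOT_CMD}" renew --quiet; then
  send_alert "certbot renew 执行失败,请立即检查生产证书状态。"
  exit 1
fi

# NGINX_RELOAD_CMD is executed as shell code by a login shell. This job
# normally runs privileged, so the variable must only be set from a trusted
# source (root-owned unit file or crontab), never from user-supplied input.
if ! bash -lc "${NGINX_RELOAD_CMD}"; then
  send_alert "证书续期后 Nginx reload 失败,请检查服务状态。"
  exit 1
fi

echo "certificate renew completed"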