#!/bin/bash

# Generate self-signed certificate for PostgreSQL proxy
# Usage: ./generate-cert.sh [hostname1] [hostname2] ...

HOSTNAMES=("dev.db.deinserver.co" "tst.db.deinserver.co" "prd.db.deinserver.co")

# Add additional hostnames from command line arguments
if [ $# -gt 0 ]; then
    HOSTNAMES=("$@")
fi

# Create certs directory if it doesn't exist
mkdir -p certs

# Build subject alternative names (SAN)
SAN=""
for hostname in "${HOSTNAMES[@]}"; do
    if [ -n "$SAN" ]; then
        SAN="${SAN},DNS:${hostname}"
    else
        SAN="DNS:${hostname}"
    fi
done

echo "Generating self-signed certificate for: ${HOSTNAMES[*]}"
echo "SAN: ${SAN}"

# Generate private key
openssl genrsa -out certs/server.key 2048

# Generate certificate signing request
openssl req -new -key certs/server.key -out certs/server.csr -subj "/CN=${HOSTNAMES[0]}" -addext "subjectAltName=${SAN}"

# Generate self-signed certificate (valid for 10 years)
openssl x509 -req -days 3650 -in certs/server.csr -signkey certs/server.key -out certs/server.crt -extensions v3_req -extfile <(
cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[v3_req]
subjectAltName = @alt_names

[alt_names]
EOF
for i in "${!HOSTNAMES[@]}"; do
    echo "DNS.$((i+1)) = ${HOSTNAMES[$i]}"
done
)

# Clean up CSR
rm certs/server.csr

echo "Certificate generated successfully!"
echo "Certificate: certs/server.crt"
echo "Private key: certs/server.key"
echo ""
echo "Add to your config.yaml:"
echo "tls:"
echo "  enabled: true"
echo "  cert_file: /path/to/certs/server.crt"
echo "  key_file: /path/to/certs/server.key"