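#!/bin/bash
# Script: /usr/local/bin/renew-mail-certs.sh
#
# Renew the mail server's Let's Encrypt certificates using the RFC 2136
# (BIND9 dynamic update) DNS-01 challenge, then restart Postfix and Dovecot
# so they pick up the new key/certificate. Meant to run unattended (cron or
# a systemd timer) as root.
#
# Exit status: 0 when certbot and every service restart succeeded;
#              1 when certbot failed OR any service restart failed.
#              (The original always exited 0 after a failed restart, so a
#              scheduler or monitor could never notice a broken mail daemon.)

set -euo pipefail

readonly LOG_FILE="/var/log/letsencrypt/renewal.log"
# Holds the TSIG key that authorises dynamic updates to the DNS zone.
readonly DNS_CREDENTIALS="/etc/letsencrypt/dns-rfc2136.ini"
readonly MAIL_SERVICES=(postfix dovecot)

# Ensure log directory exists
mkdir -p "$(dirname "$LOG_FILE")"

#######################################
# Append a timestamped line to LOG_FILE and echo the message to stdout.
# The timestamp is taken per call; the original captured it once at startup,
# so every line of a multi-minute run carried the same time.
# Arguments: $1 - message
#######################################
log() {
  local ts
  ts=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s - %s\n' "$ts" "$1" >> "$LOG_FILE"
  printf '%s\n' "$1"
}

#######################################
# Returns 0 if the given systemd unit is active, non-zero otherwise.
# Arguments: $1 - unit name
#######################################
check_service() {
  systemctl is-active --quiet "$1"
}

#######################################
# Restart a systemd unit and verify it is active afterwards.
# Arguments: $1 - unit name
# Returns:   0 on success; 1 if the restart command failed or the unit is
#            not active after the restart
#######################################
restart_service() {
  local service=$1
  log "Attempting to restart $service..."
  if ! check_service "$service"; then
    log "WARNING: $service was not running before restart attempt"
  fi
  if ! systemctl restart "$service"; then
    log "ERROR: Failed to restart $service"
    return 1
  fi
  if ! check_service "$service"; then
    log "ERROR: $service failed to start after restart"
    return 1
  fi
  log "$service restarted successfully"
  return 0
}

#######################################
# Sanity-check the RFC 2136 credentials file before handing it to certbot.
# Fails if the file is missing/unreadable; warns if it is readable by group
# or other, because anyone who can read the TSIG secret can rewrite records
# in the zone. certbot itself only emits a warning for this, which is easy
# to miss in an unattended run.
# Returns: 0 if the file is readable (even if permissions are loose), 1 if not
#######################################
check_credentials_file() {
  if [[ ! -r "$DNS_CREDENTIALS" ]]; then
    log "ERROR: credentials file $DNS_CREDENTIALS is missing or unreadable"
    return 1
  fi
  local mode
  mode=$(stat -c '%a' -- "$DNS_CREDENTIALS")
  # Owner-only modes (600, 400, 700) end in "00"; anything else grants
  # group/other access.
  if [[ "$mode" != *00 ]]; then
    log "WARNING: $DNS_CREDENTIALS has mode $mode; it should be 600 (owner-only)"
  fi
  return 0
}

#######################################
# Entry point: renew certificates, then restart the mail daemons.
#######################################
main() {
  if [[ $EUID -ne 0 ]]; then
    log "ERROR: must run as root (certbot and 'systemctl restart' require it)"
    exit 1
  fi

  log "Starting certificate renewal process"
  check_credentials_file || exit 1

  # Plain 'certbot renew' only re-issues certificates that are inside the
  # renewal window (by default 30 days before expiry). The original passed
  # --force-renewal, which re-issues EVERY certificate on EVERY run; from a
  # daily cron job that trips Let's Encrypt's duplicate-certificate rate
  # limit and can leave a genuinely expiring certificate unrenewable.
  # CERTBOT_LOG_LEVEL is carried over from the original; it does not appear
  # to be a documented certbot setting — TODO confirm or drop.
  if ! CERTBOT_LOG_LEVEL=debug certbot renew \
      --preferred-challenges dns \
      --authenticator dns-rfc2136 \
      --dns-rfc2136-credentials "$DNS_CREDENTIALS" \
      -v; then
    log "ERROR: Certificate renewal failed"
    exit 1
  fi

  # NOTE: like the original, this restarts both daemons whenever certbot
  # exits 0, even on runs where nothing was due for renewal. If that brief
  # interruption matters, certbot's --deploy-hook runs a command only when a
  # certificate was actually issued.
  log "Certificates were renewed successfully. Restarting services..."
  local rc=0 svc
  for svc in "${MAIL_SERVICES[@]}"; do
    if ! restart_service "$svc"; then
      # Keep going so the other daemon still gets the new certificate, but
      # remember the failure so the script exits non-zero.
      log "CRITICAL: ${svc^} restart failed"
      rc=1
    fi
  done
  log "Service restart completed"

  log "Certificate renewal process completed"
  exit "$rc"
}

main "$@"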