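#!/bin/bash
# Request a Let's Encrypt certificate for a domain and its wildcard through
# certbot's manual mode, then build the derived bundles the local services
# read and restart those services.
#
# Usage: <this script> <domain>
#
# Arguments: $1 - base domain; "*.<domain>" is requested alongside it.
# Outputs:   certkey.pem and ssl.pfx under /etc/letsencrypt/live/<domain>/,
#            and /var/lib/emby/ssl/yggdrasil.pfx.
# Returns:   non-zero if the domain is missing/invalid or if issuing or
#            bundling fails; otherwise the status of tlsa-generation.bash.

set -uo pipefail

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

domain="${1:-}"
if [[ -z "$domain" ]]; then
  printf 'Usage: %s <domain>\n' "${0##*/}" >&2
  exit 2
fi

# The domain is interpolated into root-owned paths and certbot arguments, so
# accept only hostname labels: this rejects "/", "..", whitespace and a leading
# "-". The check runs before escalation and again in the re-executed root
# instance, which parses its own arguments.
readonly hostname_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
if ! [[ "$domain" =~ $hostname_re ]]; then
  die "Refusing invalid domain name: ${domain}"
fi

# Re-run under sudo when not root. Quoting "$0" and "$@" keeps every argument
# a single word instead of letting the shell re-split or glob it.
if [[ "$(whoami)" != 'root' ]]; then
  exec sudo -- "$0" "$@"
fi

# NOTE(review): certbot may store a lineage under a suffixed directory name;
# this script assumes live/<domain> -- confirm on the host.
readonly live_dir="/etc/letsencrypt/live/${domain}"

# --reuse-key keeps the existing private key across issuance.
certbot certonly -d "${domain}" -d "*.${domain}" \
  --manual --force-interactive --reuse-key \
  || die "certbot failed; leaving existing bundles and services untouched"

# Both derived files contain the private key. Create them under a restrictive
# umask so a newly created file is readable by root only; the subshell keeps
# the umask change from affecting later commands.
(
  umask 077

  cat "${live_dir}/cert.pem" "${live_dir}/privkey.pem" \
    > "${live_dir}/certkey.pem" || exit 1

  # PKCS12 for Emby. The export password is the empty line read from stdin,
  # so file permissions are the only protection on the bundled private key.
  printf '\n' | openssl pkcs12 -password stdin -export \
    -out "${live_dir}/ssl.pfx" \
    -inkey "${live_dir}/privkey.pem" \
    -in "${live_dir}/cert.pem" \
    -certfile "${live_dir}/fullchain.pem" || exit 1
) || die "failed to build certkey.pem / ssl.pfx in ${live_dir}"

# Overwriting in place keeps the mode and owner of an existing file.
# NOTE(review): this copy holds the private key with an empty password; confirm
# it is readable only by the Emby service account.
cat "${live_dir}/ssl.pfx" > /var/lib/emby/ssl/yggdrasil.pfx \
  || die "failed to install /var/lib/emby/ssl/yggdrasil.pfx"

# Restart failures are reported but do not stop the remaining steps, so the
# operator still sees the reminders below.
systemctl restart webserver \
  || printf 'warning: failed to restart webserver\n' >&2
systemctl restart yggdrasil \
  || printf 'warning: failed to restart yggdrasil\n' >&2

echo
echo "Don't forget to send \`/raw reloadmodule m_ssl_openssl.so\` to a NetAdmin session on AniNIX/IRC"
echo Add these to the TLSA records for the domain

# NOTE(review): this path is resolved against the caller's working directory
# and runs as root; confirm the script is only run from a root-owned directory
# or pin an absolute path.
bash ./tlsa-generation.bash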