#!/usr/bin/env bash
# Generate a self-signed SSL certificate for local/staging HAProxy.
# For production, use Let's Encrypt or your CA.
# Usage: ./scripts/generate-ssl-cert.sh [domain]

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
SSL_DIR="$REPO_ROOT/config/ssl"
DOMAIN="${1:-veza.local}"

mkdir -p "$SSL_DIR"
cd "$SSL_DIR"

echo "Generating self-signed certificate for $DOMAIN..."
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout key.pem -out cert.pem \
  -subj "/CN=$DOMAIN"

cat cert.pem key.pem > veza.pem
echo "Created config/ssl/veza.pem"
echo "Add key.pem and cert.pem to .gitignore if not already excluded."