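#!/bin/bash
#
# TLS deployment health check.
#
# Verifies that the server certificate and private key exist, that the
# certificate is currently valid, that the private key is not readable by
# group/other, and that the systemd renewal timer is installed and active.
# Every check prints one "<name>: OK|FAIL" line; failures add an indented
# "Error:" detail line. The script keeps going after a failure so that all
# results are shown, then exits 0 only if every check passed.
#
# Usage: run with no arguments, normally as root or the service account.
# Environment (optional overrides; defaults match the deployment layout):
#   CERTS_DIR   directory holding cert.pem and key.pem  (default /var/lib/tls)
#   TIMER_NAME  systemd timer unit to verify            (default cert-renewer.timer)

# -u only: -e would be wrong here because failing checks are expected and are
# collected into EXIT_CODE rather than aborting the run.
set -u

# Colours only when stdout is a terminal, so cron/CI logs stay free of escapes.
if [[ -t 1 ]]; then
  GREEN=$'\033[0;32m'
  RED=$'\033[0;31m'
  NC=$'\033[0m' # No Color
else
  GREEN='' RED='' NC=''
fi
readonly GREEN RED NC

EXIT_CODE=0
CERTS_DIR="${CERTS_DIR:-/var/lib/tls}"
SERVER_CERT="$CERTS_DIR/cert.pem"
SERVER_KEY="$CERTS_DIR/key.pem"
TIMER_NAME="${TIMER_NAME:-cert-renewer.timer}"
TIMER_FILE="/etc/systemd/system/$TIMER_NAME"
readonly CERTS_DIR SERVER_CERT SERVER_KEY TIMER_NAME TIMER_FILE

#######################################
# Print one check result and record failures in EXIT_CODE.
# Globals:   EXIT_CODE (set to 1 on failure); GREEN, RED, NC (read)
# Arguments: $1 - check name
#            $2 - status: 0 = OK, anything else = FAIL
#            $3 - optional detail printed under a FAIL line
# Outputs:   result line(s) on stdout
#######################################
print_status() {
  local item=$1
  local status=$2
  local error_msg=${3:-}

  if [[ "$status" -eq 0 ]]; then
    printf '%s: %sOK%s\n' "$item" "$GREEN" "$NC"
    return 0
  fi
  printf '%s: %sFAIL%s\n' "$item" "$RED" "$NC"
  if [[ -n "$error_msg" ]]; then
    printf '  %sError:%s %s\n' "$RED" "$NC" "$error_msg"
  fi
  EXIT_CODE=1
}

#######################################
# 1. Both certificate and key files must exist.
#######################################
check_cert_files() {
  if [[ -f "$SERVER_CERT" && -f "$SERVER_KEY" ]]; then
    print_status "Certificate Files" 0
  else
    print_status "Certificate Files" 1 "Missing $SERVER_CERT or $SERVER_KEY"
  fi
}

#######################################
# 2. The certificate must be valid now.
# Skipped when the cert file is absent (already reported by check_cert_files).
# A missing openssl is reported as FAIL: an unverifiable certificate must not
# read as healthy, which is what silently skipping the check would imply.
#######################################
check_cert_validity() {
  [[ -f "$SERVER_CERT" ]] || return 0

  if ! command -v openssl >/dev/null 2>&1; then
    print_status "Certificate Validity" 1 "openssl not found; cannot verify $SERVER_CERT"
    return 0
  fi

  # -checkend 60: fail if the cert expires within the next 60 seconds,
  # i.e. "is it valid right now", not a renewal-horizon check.
  if openssl x509 -checkend 60 -noout -in "$SERVER_CERT" >/dev/null 2>&1; then
    print_status "Certificate Validity" 0
  else
    print_status "Certificate Validity" 1 "Certificate at $SERVER_CERT is expired or expiring within 60s"
  fi
}

#######################################
# 3. The private key must not be accessible to group/other.
# Skipped when the key file is absent (already reported by check_cert_files).
# Uses GNU stat; the script already requires Linux via systemctl.
#######################################
check_key_permissions() {
  [[ -f "$SERVER_KEY" ]] || return 0

  local mode
  if ! mode=$(stat -c '%a' -- "$SERVER_KEY" 2>/dev/null); then
    print_status "Key Permissions" 1 "Cannot stat $SERVER_KEY"
    return 0
  fi

  # 8#$mode parses the octal mode string; 0077 masks the group/other bits.
  if (( 8#$mode & 0077 )); then
    print_status "Key Permissions" 1 "$SERVER_KEY has mode $mode; expected no group/other access (e.g. 0600)"
  else
    print_status "Key Permissions" 0
  fi
}

#######################################
# 4. The renewal timer must be active.
# Installed-vs-missing is decided from LoadState, because the exit status of
# `systemctl list-unit-files PATTERN` does not reliably signal "no match"
# across systemd versions, which made the "found source at" branch unreachable.
#######################################
check_renewal_timer() {
  if ! command -v systemctl >/dev/null 2>&1; then
    print_status "Renewal Timer" 1 "systemctl not found; cannot check '$TIMER_NAME'"
    return 0
  fi

  if systemctl is-active "$TIMER_NAME" >/dev/null 2>&1; then
    print_status "Renewal Timer" 0
    return 0
  fi

  local load_state
  load_state=$(systemctl show -p LoadState "$TIMER_NAME" 2>/dev/null)
  load_state=${load_state#LoadState=}

  if [[ "$load_state" == "loaded" ]]; then
    print_status "Renewal Timer" 1 "Systemd timer '$TIMER_NAME' is installed but not active"
  elif [[ -f "$TIMER_FILE" ]]; then
    print_status "Renewal Timer" 1 "Systemd timer '$TIMER_NAME' is not installed (found source at $TIMER_FILE)"
  else
    print_status "Renewal Timer" 1 "Systemd timer '$TIMER_NAME' is missing entirely (expected at $TIMER_FILE)"
  fi
}

#######################################
# Run every check, then exit with the aggregated status.
# Returns: exits 0 if all checks passed, 1 otherwise
#######################################
main() {
  check_cert_files
  check_cert_validity
  check_key_permissions
  check_renewal_timer
  exit "$EXIT_CODE"
}

main "$@"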