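#!/bin/sh
# Generates a self-signed TLS certificate on first container start so the
# frontend can be served over HTTPS out of the box.
#
# The certificate covers only localhost / 127.0.0.1 and is not issued by a
# CA, so clients will not trust it unless it is added to their trust store.
# To serve a different certificate, place cert.pem and key.pem in CERT_DIR
# before the container starts; generation is skipped when both are present.
set -e

CERT_DIR=/etc/nginx/certs
CERT_FILE="$CERT_DIR/cert.pem"
KEY_FILE="$CERT_DIR/key.pem"

mkdir -p "$CERT_DIR"

# -s rather than -f: a zero-length file left by an interrupted run must not
# be mistaken for a usable certificate or key.
if [ -s "$CERT_FILE" ] && [ -s "$KEY_FILE" ]; then
  echo "[ssl] existing certificate found, skipping generation"
  exit 0
fi

echo "[ssl] generating self-signed certificate for localhost"

# -nodes stores the private key unencrypted, so file permissions are the
# only protection it has. Tighten the umask after mkdir (so the directory
# keeps its default mode) and before openssl creates the key file.
umask 077

openssl req -x509 -nodes -newkey rsa:2048 \
  -days 3650 \
  -keyout "$KEY_FILE" \
  -out "$CERT_FILE" \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

# Set modes explicitly: a key file that already existed keeps its old mode
# when openssl overwrites it, and the certificate is public data that should
# stay world-readable despite the restrictive umask.
chmod 600 "$KEY_FILE"
chmod 644 "$CERT_FILE"

echo "[ssl] certificate written to $CERT_DIR"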