#!/bin/bash
# ============================================
# SSL Certificate Check
# Prueft Ablaufdatum fuer alle Domains
# ============================================
# Aufruf:  bash ssl-check.sh
# Cron:    0 9 * * 1  bash /opt/scripts/ssl-check.sh
# Quelle:  sgit.space/downloads
# ============================================

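set -euo pipefail

# --- Domains to check (adjust!) ---
DOMAINS=(
    "example.com"
    "app.example.com"
    "mail.example.com"
)

# Warning thresholds in days. Keep CRITICAL <= SOON <= NOTICE: the status
# checks in the main loop test them in that order, most urgent first.
WARN_CRITICAL=7
WARN_SOON=21
WARN_NOTICE=30

# Telegram (optional)
TELEGRAM_ENABLED=false
# TELEGRAM_BOT_TOKEN="your-token"
# TELEGRAM_CHAT_ID="your-chat-id"
# The bot token is a secret: prefer supplying it via the environment (e.g. a
# root-only file sourced by the cron job) over hard-coding it in this script.
# The empty defaults also keep 'set -u' from aborting the run with "unbound
# variable" -- which would mask the exit code -- when Telegram is enabled but
# one of these was never set.
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-}"

# --- Colours (ANSI escapes; interpreted when the status is printed) ---
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'

# Counters and the per-domain findings collected by the main loop
WARNINGS=0
CRITICAL=0
RESULTS=""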

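# Report header (printf instead of 'echo -e': echo's escape handling is not portable)
printf '\n===== SSL Certificate Check =====\n'
printf 'Datum: %s\n\n' "$(date '+%Y-%m-%d %H:%M')"
printf "%-35s %-12s %-20s %s\n" "Domain" "Tage" "Ablauf" "Status"
printf "%-35s %-12s %-20s %s\n" "---" "---" "---" "---"

for DOMAIN in "${DOMAINS[@]}"; do
    # An entry is "host" or "host:port" (default 443); SNI always uses the bare host.
    HOST=${DOMAIN%%:*}
    PORT=${DOMAIN##*:}
    if [ "$PORT" = "$DOMAIN" ]; then
        PORT=443
    fi

    # Fetch the notAfter date of the certificate the endpoint presents.
    # Only the expiry of that leaf certificate is read; the chain is not
    # verified here, so a wrong or self-signed certificate still shows "OK".
    # The pipeline is allowed to fail: under 'set -e' + 'pipefail' an
    # unreachable host (timeout, refused connection) would otherwise abort the
    # whole run instead of being reported as "FEHLER" below.
    EXPIRY_DATE=$(echo | timeout 5 openssl s_client -servername "$HOST" -connect "${HOST}:${PORT}" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2) || EXPIRY_DATE=""

    if [ -z "$EXPIRY_DATE" ]; then
        printf "%-35s %-12s %-20s %s\n" "$DOMAIN" "-" "-" "FEHLER: Kein Cert"
        WARNINGS=$((WARNINGS + 1))
        RESULTS="${RESULTS}\n$DOMAIN: Kein Zertifikat erreichbar"
        continue
    fi

    # Days until expiry. EXPIRY_DATE comes from the remote certificate, so it
    # is untrusted input; GNU 'date -d' parses openssl's "Jun  1 12:00:00 2025
    # GMT" form. An unparsable date is reported as an error rather than
    # silently treated as epoch 0, which would show up as a bogus "ABGELAUFEN".
    if ! EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s 2>/dev/null); then
        printf "%-35s %-12s %-20s %s\n" "$DOMAIN" "-" "-" "FEHLER: Datum unlesbar"
        WARNINGS=$((WARNINGS + 1))
        RESULTS="${RESULTS}\n$DOMAIN: Ablaufdatum nicht lesbar"
        continue
    fi
    NOW_EPOCH=$(date +%s)
    DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
    EXPIRY_SHORT=$(date -d "@${EXPIRY_EPOCH}" '+%Y-%m-%d')

    # Classify, most urgent threshold first
    if [ "$DAYS_LEFT" -le 0 ]; then
        STATUS="${RED}ABGELAUFEN${NC}"
        CRITICAL=$((CRITICAL + 1))
        RESULTS="${RESULTS}\nKRITISCH: $DOMAIN abgelaufen!"
    elif [ "$DAYS_LEFT" -le "$WARN_CRITICAL" ]; then
        STATUS="${RED}KRITISCH${NC}"
        CRITICAL=$((CRITICAL + 1))
        RESULTS="${RESULTS}\nKRITISCH: $DOMAIN in ${DAYS_LEFT} Tagen"
    elif [ "$DAYS_LEFT" -le "$WARN_SOON" ]; then
        STATUS="${YELLOW}BALD${NC}"
        WARNINGS=$((WARNINGS + 1))
        RESULTS="${RESULTS}\nWARNUNG: $DOMAIN in ${DAYS_LEFT} Tagen"
    elif [ "$DAYS_LEFT" -le "$WARN_NOTICE" ]; then
        STATUS="${CYAN}HINWEIS${NC}"
    else
        STATUS="${GREEN}OK${NC}"
    fi

    printf "%-35s %-12s %-20s " "$DOMAIN" "${DAYS_LEFT} Tage" "$EXPIRY_SHORT"
    # '%b' expands the colour escapes stored in STATUS, like 'echo -e' did
    printf '%b\n' "$STATUS"
done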

# Zusammenfassung
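echo ""
echo "===== Ergebnis ====="
printf 'Domains: %s | Kritisch: %s | Warnungen: %s\n' "${#DOMAINS[@]}" "$CRITICAL" "$WARNINGS"

# Notify only when there is something to act on
if [ "$CRITICAL" -gt 0 ] || [ "$WARNINGS" -gt 0 ]; then
    if [ "$TELEGRAM_ENABLED" = true ]; then
        if [ -z "${TELEGRAM_BOT_TOKEN:-}" ] || [ -z "${TELEGRAM_CHAT_ID:-}" ]; then
            echo "WARNUNG: Telegram aktiviert, aber TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID nicht gesetzt" >&2
        else
            MSG="<b>SSL Certificate Check</b>
Kritisch: $CRITICAL | Warnungen: $WARNINGS
$(printf '%b' "$RESULTS")"
            # --data-urlencode: the message spans several lines and may contain
            # '&' or '%', which a plain -d would pass through unencoded.
            # The URL carries the bot token; it is handed to curl via a config
            # file on stdin (-K -) so the secret does not show up in the
            # process list. -f turns HTTP errors (e.g. bad token) into a
            # non-zero exit, which is logged instead of silently dropped.
            if ! curl -s -f -X POST \
                -d chat_id="${TELEGRAM_CHAT_ID}" --data-urlencode "text=${MSG}" -d parse_mode="HTML" \
                -K - > /dev/null 2>&1 <<EOF
url = "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage"
EOF
            then
                echo "WARNUNG: Telegram-Benachrichtigung fehlgeschlagen" >&2
            fi
        fi
    fi
fi

# Exit code for cron/monitoring: 2 = critical, 1 = warnings, 0 = all fine
[ "$CRITICAL" -gt 0 ] && exit 2
[ "$WARNINGS" -gt 0 ] && exit 1
exit 0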
