#!/bin/bash
# Check SSL certificate expiry
set -euo pipefail

SEND_NTFY="/usr/local/bin/send-ntfy.sh"

# Check PVE web interface cert
if [ -f "/etc/pve/pve-root-ca.pem" ]; then
    EXPIRY=$(openssl x509 -enddate -noout -in /etc/pve/pve-root-ca.pem 2>/dev/null | cut -d= -f2)
    EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s 2>/dev/null || echo "0")
    NOW=$(date +%s)
    DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW) / 86400 ))
    
    if [ "$DAYS_LEFT" -lt 15 ]; then
        $SEND_NTFY critical "SSL Certificate Expiring" "🔴 CRITICAL: PVE SSL certificate expires in $DAYS_LEFT days!" "skull,lock,warning"
    elif [ "$DAYS_LEFT" -lt 30 ]; then
        $SEND_NTFY warning "SSL Certificate Expiring Soon" "🟡 WARNING: PVE SSL certificate expires in $DAYS_LEFT days" "warning,lock"
    fi
    
    logger -t ssl-monitor "PVE cert expires in $DAYS_LEFT days"
fi