#!/bin/bash
# ============================================================
# 05_ssl.sh
# Gets free SSL certificate from Let's Encrypt
# Run as root AFTER 03_nginx.sh
# IMPORTANT: DNS A record me.goteku.com → 103.41.206.254 must
# already be set before running this!
# ============================================================
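# Strict mode: abort on any failing command, on use of an unset variable,
# and when any stage of a pipeline fails.
set -euo pipefail

readonly DOMAIN="me.goteku.com"
readonly EMAIL="dsentosa@gmail.com"   # change to your real email for cert expiry notices

# The header requires root: certbot edits the Nginx configuration and the
# reload below needs privileges. Fail early with a clear message instead of
# stopping half-way through.
if [[ "${EUID}" -ne 0 ]]; then
  echo "ERROR: this script must be run as root." >&2
  exit 1
fi

# Make sure every tool used below is installed before touching anything.
for tool in certbot nginx systemctl; do
  if ! command -v "${tool}" >/dev/null 2>&1; then
    echo "ERROR: required command '${tool}' not found in PATH." >&2
    exit 1
  fi
done

echo "=== Requesting SSL certificate for ${DOMAIN} ==="
# Expansions are quoted so an edited DOMAIN/EMAIL value can never be
# word-split or glob-expanded into extra certbot arguments.
# NOTE(review): whether plain HTTP gets redirected to HTTPS depends on the
# installed certbot's default; pass --redirect explicitly if HTTP access
# must not remain available. Confirm against the installed version.
certbot --nginx -d "${DOMAIN}" --non-interactive --agree-tos -m "${EMAIL}"

echo "=== Reloading Nginx with SSL ==="
# Validate the configuration certbot just modified before reloading, so a
# broken config is reported here rather than by a failed reload.
nginx -t
systemctl reload nginx

echo ""
echo "✅ SSL enabled! Site is now live at https://${DOMAIN}"
echo "   Certificate auto-renews via certbot timer."
# The renewal timer is installed by the certbot package, not by this script,
# so point the operator at a way to confirm that renewal actually works.
echo "   Verify renewal with: certbot renew --dry-run"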
