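#!/usr/bin/env bash
set -euo pipefail

# Alert thresholds, in whole days of remaining certificate validity.
# A certificate with fewer than WARN_DAYS left is reported as WARN, and one
# with fewer than CRIT_DAYS left (including an already expired one) as CRIT.
# CRIT_DAYS must stay below WARN_DAYS, because the CRIT comparison runs first.
# Both are read-only so later code cannot silently change the alerting policy.
readonly WARN_DAYS=14
readonly CRIT_DAYS=7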

### --- detect mode ---------------------------------------------------------
# With --detect as first argument the script only answers "does this check
# apply to this host?" through its exit status and prints nothing.
#   exit 0: nginx is on PATH, systemd knows nginx.service, and
#           `systemctl is-enabled` succeeds for it
#   exit 1: anything else
# NOTE(review): an nginx that is started some other way (not through an
# enabled nginx.service unit) is reported as not applicable, so its
# certificates would not be monitored by this check.
case "${1:-}" in
  --detect)
    if ! command -v nginx >/dev/null 2>&1; then
      exit 1
    fi

    if systemctl list-unit-files nginx.service >/dev/null 2>&1 \
      && systemctl is-enabled nginx.service >/dev/null 2>&1; then
      exit 0
    fi

    exit 1
    ;;
esac

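### --- runtime -------------------------------------------------------------
# Prints the Checkmk local-check section: one status line per certificate file
# named by an `ssl_certificate` directive in the effective nginx configuration.
# State is 2 (CRIT) below CRIT_DAYS remaining days, 1 (WARN) below WARN_DAYS,
# otherwise 0 (OK). An expired certificate has a negative day count and is
# therefore CRIT.
#
# Coverage limits worth knowing when relying on this check:
#   - openssl reads only the first certificate of each file, so intermediate
#     certificates further down a chain file are not checked;
#   - a directive value that is not an existing regular file from the current
#     working directory (relative path, variable, truncated path with spaces)
#     is skipped without a status line.
now=$(date +%s)

echo "<<<local>>>"

# Capture the configuration dump before parsing it, so that a failing
# `nginx -T` (broken configuration, insufficient privileges) is reported on
# stderr instead of looking like a host that simply has no certificates.
if ! nginx_dump=$(nginx -T 2>/dev/null); then
  printf 'nginx -T failed; no certificates were checked\n' >&2
  exit 1
fi

while IFS= read -r cert; do
  [[ -f "$cert" ]] || continue

  # Every openssl/date call below is guarded: under `set -e` with `pipefail`
  # an unguarded failure on one file ends the loop, and all certificates that
  # come after it would go unchecked without any visible error.
  end=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null) || continue
  end=${end#*=} # "notAfter=<date>" -> "<date>"
  [[ -n "$end" ]] || continue

  if ! end_ts=$(date -d "$end" +%s 2>/dev/null); then
    printf 'cannot parse expiry date of %s: %s\n' "$cert" "$end" >&2
    continue
  fi
  days=$(( (end_ts - now) / 86400 ))

  # The CN is display-only; a certificate without one (SAN-only) yields an
  # empty string and is still reported under its file path.
  subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" 2>/dev/null) || subject=""
  cn=$(sed -n 's/.*CN=\([^,]*\).*/\1/p' <<<"$subject")
  # The CN comes from the certificate itself; a double quote in it would end
  # the quoted service name early and corrupt the status line.
  cn=${cn//\"/}

  if (( days < CRIT_DAYS )); then
    state=2; txt="CRIT"
  elif (( days < WARN_DAYS )); then
    state=1; txt="WARN"
  else
    state=0; txt="OK"
  fi

  printf '%s\n' "$state \"Cert $cn ($cert)\" days_left=${days};${WARN_DAYS};${CRIT_DAYS};0 $txt - CN=$cn, expires in $days days"
done < <(
  # nginx accepts quoted directive values; strip one surrounding quote pair so
  # that `ssl_certificate "/path/cert.pem";` is not skipped by the -f test.
  awk -v quote="[\"']" '
    $1 == "ssl_certificate" {
      path = $2
      gsub(";", "", path)
      sub("^" quote, "", path)
      sub(quote "$", "", path)
      print path
    }' <<<"$nginx_dump" | sort -u
)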
