#!/bin/bash
# MAT-107: Generate self-signed SSL cert for memory-db and configure postgres
set -euo pipefail

SSL_DIR="/opt/matrix-ai-agent/memory-db-ssl"
mkdir -p "$SSL_DIR"

# Generate self-signed cert (valid 10 years)
openssl req -new -x509 -days 3650 -nodes \
    -subj "/CN=memory-db" \
    -keyout "$SSL_DIR/server.key" \
    -out "$SSL_DIR/server.crt" \
    2>/dev/null

# Postgres requires specific permissions
chmod 600 "$SSL_DIR/server.key"
chmod 644 "$SSL_DIR/server.crt"
# Postgres runs as uid 999 in the pgvector container
chown 999:999 "$SSL_DIR/server.key" "$SSL_DIR/server.crt"

echo "SSL certs generated in $SSL_DIR"