#!/usr/bin/env python3
"""
Fix: Cloudflare Flexible SSL + certbot --redirect = infinite loop.
Solution: Keep the SSL cert but remove the HTTP->HTTPS redirect.
Instead, let both HTTP and HTTPS serve content.
Certbot modified the config to redirect 80->443, creating a loop with Cloudflare Flexible.
"""

conf = """server {
    listen 80;
    listen [::]:80;

    root /var/www/tasmim.me;
    index index.html;
    server_name tasmim.me;

    location /.well-known/acme-challenge/ {
        root /var/www/tasmim.me;
        try_files $uri =404;
    }

    location / {
        try_files $uri $uri/ /index.html;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    root /var/www/tasmim.me;
    index index.html;
    server_name tasmim.me;

    ssl_certificate /etc/letsencrypt/live/tasmim.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tasmim.me/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
"""

with open("/etc/nginx/sites-available/default", "w") as f:
    f.write(conf)

print("Config written - dual HTTP+HTTPS, no redirect")

import subprocess
result = subprocess.run(["nginx", "-t"], capture_output=True, text=True)
print(result.stderr.strip())
if result.returncode == 0:
    subprocess.run(["systemctl", "reload", "nginx"])
    print("NGINX OK")
else:
    print("CONFIG ERROR")