// keyhost — Tesla partner public-key static file server.
//
// Serves the partner public key at https://<host>:443/.well-known/appspecific/com.tesla.3p.public-key.pem
// so Tesla can fetch it during partner-domain registration and later validation.
//
// Hostname-specific: this binary serves telemetry.6shetty9.com only. The same
// key is ALSO served by GitHub Pages at 6shetty9.github.io for the existing
// partner registration; this droplet-side instance exists specifically to
// support a separate partner registration for telemetry.6shetty9.com (which
// GitHub Pages cannot host the key for, since GitHub Pages only serves
// 6shetty9.github.io, not the telemetry subdomain).
//
// Cert renewal gotcha: ListenAndServeTLS loads the cert and key files once at
// startup and never re-reads them. When Let's Encrypt renews the
// telemetry.6shetty9.com cert (every ~90 days), this service must be restarted
// or it keeps presenting the old cert until that cert expires and Tesla's
// validation fetch starts failing. A certbot hook such as
// `certbot renew --deploy-hook 'systemctl restart keyhost'` (a deploy-hook
// fires only when a cert was actually issued) would automate this; not wired
// up as of initial deploy (Jun 6 2026).

package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"path/filepath"
	"time"
)

// Deployment constants. All paths are absolute so the binary behaves the same
// regardless of the working directory systemd (or a shell) starts it from.
const (
	// TCP address to bind; port 443 requires root or CAP_NET_BIND_SERVICE.
	listen = ":443"

	// Directory whose contents are exposed over HTTPS. Lives under /root,
	// which together with the :443 bind implies the process runs as root.
	docRoot = "/root/keyhost"

	// Let's Encrypt live symlinks for telemetry.6shetty9.com. fullchain.pem
	// carries leaf + intermediate; privkey.pem is root-readable only.
	certFile = "/etc/letsencrypt/live/telemetry.6shetty9.com/fullchain.pem"
	keyFile  = "/etc/letsencrypt/live/telemetry.6shetty9.com/privkey.pem"
)

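// main serves exactly one file — the Tesla partner public key — over HTTPS
// and blocks until the listener fails.
//
// Hardening relative to a bare http.FileServer on docRoot:
//   - only the documented key URL is routed; any other path is a 404, so a
//     stray file dropped into docRoot is never exposed and the directory
//     listing that http.FileServer generates by default is gone;
//   - only GET and HEAD are accepted;
//   - TLS 1.2 is the floor (Go's default floor for servers is 1.0 on older
//     releases) and the server has bounded read/write/idle timeouts so a slow
//     or idle client cannot pin a connection open indefinitely.
//
// The cert and key files are still read once at startup (see the file header
// for the renewal/restart gotcha). NOTE(review): docRoot is under /root and
// the listener binds :443, so this presumably runs as root; a dedicated user
// with CAP_NET_BIND_SERVICE and read access to the cert/key would be the
// least-privilege shape — confirm against the unit file.
func main() {
	// URL path Tesla fetches during partner-domain registration/validation.
	// Kept as a function-local constant so this block stands alone.
	const keyPath = "/.well-known/appspecific/com.tesla.3p.public-key.pem"

	// filepath.Join cleans the result, so the leading slash in keyPath does
	// not escape docRoot.
	keyFilePath := filepath.Join(docRoot, keyPath)

	mux := http.NewServeMux()
	// Exact-match pattern (no trailing slash): only this one path is routed.
	mux.HandleFunc(keyPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			w.Header().Set("Allow", "GET, HEAD")
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// ServeFile handles Last-Modified/If-Modified-Since and returns 404
		// (not 500) if the key file is missing on disk.
		http.ServeFile(w, r, keyFilePath)
	})

	srv := &http.Server{
		Addr:    listen,
		Handler: mux,
		TLSConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
		},
		// Bounded timeouts: a single PEM file never needs more than this, and
		// without them an unauthenticated client can hold sockets open for free.
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}

	log.Printf("Serving keyhost on %s (root=%s, cert=%s)", listen, docRoot, certFile)
	// ListenAndServeTLS always returns a non-nil error; with no graceful
	// shutdown path that error is always fatal here.
	if err := srv.ListenAndServeTLS(certFile, keyFile); err != nil {
		log.Fatal(err)
	}
}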
