#!/bin/bash

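# The helpers used below (getconfirm, jtconf, installfile, putwarning, ...)
# are presumably defined by the toolkit functions file.  TOOLKIT must be
# supplied by the caller: with it unset the name would collapse to the
# bare '-functions.sh', which the shell would go looking for (PATH, cwd)
# instead of failing -- so insist on it being set before sourcing.
: "${TOOLKIT:?TOOLKIT is not set, cannot locate the toolkit functions}"
. "${TOOLKIT}-functions.sh"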

# Destinations and naming used across the module
#
ssldir=/etc/ssl				# final certificate tree
perms='root:root 444'			# default owner/mode (not referenced below in this file)
info='  SSL certname %-20s: %s\n'	# printf format of the per-certificate report line
installfile=install-certs		# rule file built in the current directory

# LetsEncrypt / certbot locations
#
le_tag=LetsEncrypt
le_live_dir=/etc/letsencrypt/live
le_renew_dir=/etc/letsencrypt/renewal

# Header of the install file: target directories plus the default
# ownership of every rule appended later on; the rules are applied by
# jtinstall further down.  Two trailing blank lines are intentional.
cat >"$installfile" <<EOF
# /etc/ssl/install-certs - certbot certificate installation - $(uname -n)
#
# ::do_not_edit::
# ::maintainer::
#
# updated on $(date)
#
# installs (copy) main certbot certificates, generated by letsencrypt
# to final destinations

#    uses kusa-db cert.* definitions
#
:dir $ssldir/certs	root:root 755
:dir $ssldir/private	root:ssl-cert 710

:default_owner	root:root
:default_mode	444


EOF


# Module state, updated by the checks that follow
#
errors=false			# becomes true when a public cert file is missing
lets_encrypt_present=false	# becomes true when the certbot branch is taken
certbot_maindomain=''		# value of certbot.maindomain (certbot only)
certbot_livedir=''		# letsencrypt live directory in use (certbot only)

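# first of all, check if we need certbot data for letsencrypt
#
# Resolves the LetsEncrypt live directory of the certbot main domain and
# purges the renewal configs of superseded lineages.
# Writes: certbot_maindomain, certbot_livedir, certbot_latest
# Exits 1 when cert.is_certbot is set but certbot.maindomain is not
# configured (srv-ssl-certbot module missing).
getconfirm cert.is_certbot && {

	certbot_maindomain=$(jtconf certbot.maindomain) || {
		echo "ERROR: you requested 'certbot' certificate" >&2
		echo "  but not have installed/configure srv-ssl-certbot module" >&2
		exit 1
	}
	# 2021-10-24 lc
	# - fix: uses always the last version, if more than one is present
	#
	# re-issued lineages are named '<maindomain>-NNNN' (4-char suffix, as
	# in the original pattern); the shell expands the glob sorted, so the
	# last match is kept.  A glob is used instead of 'ls -d ... | tail -1':
	# parsing ls output breaks on unusual names and hides failures.
	certbot_livedir=
	for le_candidate in "$le_live_dir/${certbot_maindomain}"-????
	do
		[ -e "$le_candidate" ] || continue	# no match: literal pattern left
		certbot_livedir=$le_candidate
	done

	if [ -n "$certbot_livedir" ]
	then
		certbot_latest=${certbot_livedir##*/}
		echo
		echo "  $le_tag: latest config is $certbot_latest"
		echo "  $le_tag: livedir='$certbot_livedir'"
		echo

		# purge renewal directory (certbot miss to do this)
		#
		# only the renewal configs of this main domain are candidates,
		# and the one belonging to the latest lineage is kept; a missing
		# renewal directory simply yields no match (previously the
		# 'cd' failure would have made 'ls' look in the current dir)
		for le_conf in "$le_renew_dir/${certbot_maindomain}.conf" \
			"$le_renew_dir/${certbot_maindomain}"-*.conf
		do
			[ -e "$le_conf" ] || continue
			le_conf_name=${le_conf##*/}
			[ "$le_conf_name" = "$certbot_latest.conf" ] || {
				echo "  $le_tag: purge $le_renew_dir/$le_conf_name"
				rm -- "$le_renew_dir/$le_conf_name"
			}
		done
		echo
	else
		certbot_livedir="$le_live_dir/$certbot_maindomain"
		printf '\n  %s: livedir is %s\n\n' "$le_tag" "$certbot_livedir"
	fi
}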

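# SSL certificate
#
# Name of the certificate files, from the kusa-db.  A unit without a
# cert.filename (or with an empty one) has nothing to manage here and the
# module stops right away: the original '|| continue' was a no-op outside
# a loop, so an empty $certname used to flow into the path building,
# 'rm -f' and mkcert.sh calls below.
# NOTE(review): exit 0 keeps the author's "skip" semantics; confirm whether
# a missing cert.filename should rather be a module error (exit 1).
if ! certname=$(jtconf cert.filename 2>/dev/null) || [ -z "$certname" ]
then
	echo "  SSL certname: cert.filename not defined, nothing to do"
	exit 0
fi

# certificate source; when both flags are set, certbot wins over public
#
cert_type="self-signed"
getconfirm cert.is_public	&& cert_type="public"
getconfirm cert.is_certbot	&& cert_type="certbot"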


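# Per-type handling of the certificate named $certname:
#
#   public      - third-party certificate: only checked to be in place,
#                 a missing file sets errors=true (the module fails later)
#   certbot     - LetsEncrypt: appends the copy rules (source<TAB>dest
#                 owner mode) to $installfile, sets lets_encrypt_present
#   self-signed - (re)generated by ./mkcert.sh when cert or key is missing
#                 or when the template changed (SOMETHING_CHANGED trick)
#
case "$cert_type" in
  public)
	# using a public signed certificate
	#
	printf "$info" "$certname" "pubblic released certificate"

	files=("$ssldir/certs/$certname.pem" "$ssldir/private/$certname.key")
	getconfirm cert.has_chain && files+=("$ssldir/certs/$certname.crt")

	# the SSL certificates are valid ones provided from thirdy part and
	# must be used AS-IS -- just check that they are in the correct places
	#
	for file in "${files[@]}"
	do
		[ -f "$file" ] || {
			echo "[$MODNAME] ERROR: SSL PUBBLIC certfile '$file' not found"
			errors=true
		}
	done
	;;

  certbot)
	# using certbot (letsencrypt)
	#
	printf "$info" "$certname"  "certbot ($le_tag) certificate"
	lets_encrypt_present=true

	echo "# install file for $le_tag certificate" >>"$installfile"
	echo "#" >>"$installfile"

	# NOTE(review): the private key is installed world-readable (444);
	# only the 710 root:ssl-cert mode of $ssldir/private, declared in the
	# install file header, keeps other users away from it.  A 440 mode
	# would be defence in depth, but the services reading the key may not
	# all do so as root -- verify before tightening.
	##if [ "$unit" = "mail" ]
	##then
		### dovecot needs fullchain as certificate
		echo "$certbot_livedir/fullchain.pem	$ssldir/certs/$certname.pem root:root 444" >>"$installfile"
		echo "$certbot_livedir/chain.pem	$ssldir/certs/$certname.crt root:root 444" >>"$installfile"
		echo "$certbot_livedir/privkey.pem	$ssldir/private/$certname.key root:root 444" >>"$installfile"
	##else
		##echo "$certbot_livedir/cert.pem		$ssldir/certs/$certname.pem root:root 444" >>$installfile
		##echo "$certbot_livedir/chain.pem	$ssldir/certs/$certname.crt root:root 444" >>$installfile
		##echo "$certbot_livedir/privkey.pem	$ssldir/private/$certname.key root:root 444" >>$installfile
		##echo "$certbot_livedir/fullchain.pem	$ssldir/certs/$certname-full.key root:root 444" >>$installfile
	##fi
	echo >>"$installfile"

	[ -f "$ssldir/certs/$certname.pem" ] || {
		putwarning "SSL (CERTBOT)" \
			"can't find '$ssldir/certs/$certname.pem' file," \
			"maybe that srv-ssl-certbot module was not yet configured;" \
			"you need to launch 'new-certbot.sh' in /etc/ssl directory, then" \
			"run kusa on srv-ssl module again after this"
	}
	;;

  self-signed)
	printf "$info" "$certname" "autosigned certificate"

	# the SSL certificate is self-signed, and must be created using
	# kusa db definitions
	#
	# trick: save and resets SOMETHING_CHANGED flag, to see if we need
	# to rebuild certificates, too
	#
	save_changed=$SOMETHING_CHANGED
	SOMETHING_CHANGED=false

	installfile cert-template.cnf "$ssldir/$certname.cnf" root:root 644 || exit $?

	[ -f "$ssldir/certs/$certname.pem" ] || SOMETHING_CHANGED=true
	[ -f "$ssldir/private/$certname.key" ] || SOMETHING_CHANGED=true

	if $SOMETHING_CHANGED
	then
		# the old pair is removed before regeneration, so a failing
		# mkcert.sh must abort the module: the subshell's status used to
		# be dropped, leaving no certificate while reloads were still
		# pending.  'cd' is checked so that 'rm -f' never runs elsewhere.
		(
			cd "$ssldir" || exit 1
			rm -f -- "certs/$certname.pem" "private/$certname.key"
			./mkcert.sh "$certname"
		) || exit $?
	else
		SOMETHING_CHANGED=$save_changed
	fi
	;;

esac	# $cert_type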

# a missing public certificate file is fatal, once every check was reported
if $errors
then
	exit 1
fi

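# Apply (or retract) the LetsEncrypt install file.
#
# 'installfile' is used here as the toolkit function (source, destination,
# owner:group, mode) while $installfile is the rule file built above.
if $lets_encrypt_present
then
	installfile "$installfile" "$ssldir/" root:root 644
	# jtinstall is only meaningful inside $ssldir: with a bare ';' a
	# failed 'cd' would have made it process the current directory
	(cd "$ssldir" && jtinstall --input "$installfile") || {
		printf '\n%s\n\n' "(errors ignored, assumes that srv-ssl-certbot module isn't yet ran)"
	}
	installfile README-letsencrypt.txt "$ssldir/" root:root 440
else
	uninstallfiles --remove "$ssldir/$installfile" "$ssldir/README-letsencrypt.txt"
fi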


# Certificates changed: ask the services that use them to reload.  Only
# services with an init script are touched and a failed reload is not an
# error for the module.
if $SOMETHING_CHANGED
then
	for service in apache2 dovecot postfix
	do
		if [ -f "/etc/init.d/$service" ]
		then
			sh "/etc/init.d/$service" reload || :
		fi
	done
fi

exit 0
