#!/bin/bash
#
# Import certs into nodes.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <http://www.gnu.org/licenses/>.

# Load
source $APP_BASE/lib/hydra/functions || exit 1
hydra_config_load

# Parameters
NODES="$*"
PRIVATE="/etc/ssl/private"
SERVICES="apache2 postfix dovecot nginx lighttpd mumble"

# Build node list
if [ -z "$NODES" ]; then
  NODES="`hydra $HYDRA nodes`"
fi

# Check if there are certs at all
if [ ! -d "$HYDRA_FOLDER/keyring/keys/ssl" ]; then
  echo "Please create some certs first :)"
  exit 1
fi

# Deploy
for node in $NODES; do
  hostname="`hydra_get_fqdn_from_nodename $node`"

  echo "-----------------------------------------------------"
  echo "Importing certs and keys into $hostname:/etc/ssl...  "
  echo "-----------------------------------------------------"

  echo "Creating folder structure at $hostname:/etc/ssl..."
  $HYDRA_CONNECT $hostname <<EOF
  sudo mkdir -p            /etc/ssl/private
  sudo mkdir -p            /etc/ssl/certs
  sudo chown root:ssl-cert /etc/ssl/private
  sudo chown root:ssl-cert /etc/ssl/certs
  sudo chmod 750           /etc/ssl/private
  sudo chmod 755           /etc/ssl/certs
EOF

  keyringer $HYDRA ls -1 ssl/ | grep crt | while read cert; do
    cert="`basename $cert .asc`"
    priv="`basename $cert .crt`.pem"
    prefix="`basename $cert .crt`"
    domain="`facter domain`"

    $HYDRA_CONNECT $hostname <<EOF
      sudo touch               /etc/ssl/certs/$cert
      sudo chown root:ssl-cert /etc/ssl/certs/$cert
      sudo chmod 644           /etc/ssl/certs/$cert
      sudo touch               /etc/ssl/private/$priv
      sudo chown root:ssl-cert /etc/ssl/private/$priv
      sudo chmod 640           /etc/ssl/private/$priv
EOF

    echo "Importing $cert from keyringer to $hostname:/etc/ssl/certs..."
    keyringer $HYDRA decrypt ssl/$cert | \
      $HYDRA_CONNECT $hostname "cat - | sudo tee /etc/ssl/certs/$cert > /dev/null"
 
    echo "Importing $priv from keyringer to $hostname:/etc/ssl/private..."
    keyringer $HYDRA decrypt ssl/$priv | \
      $HYDRA_CONNECT $hostname "cat - | sudo tee /etc/ssl/private/$priv > /dev/null"

    # Post-processing
    $HYDRA_CONNECT $hostname <<EOF
      # Symlinks for the main cert and key
      if [ "$prefix" = "$domain" ] && [ ! -e "/etc/ssl/certs/cert.crt" ]; then
        cd /etc/ssl/certs   && sudo ln -sf $cert cert.crt
        cd /etc/ssl/private && sudo ln -sf $priv cert.pem
      fi

      # Concatenated cert
      sudo touch                      $PRIVATE/$prefix-concat.pem
      sudo chown root.ssl-cert        $PRIVATE/$prefix-concat.pem
      sudo chmod 640                  $PRIVATE/$prefix-concat.pem
      sudo cp    /etc/ssl/certs/$cert $PRIVATE/$prefix-concat.pem
      sudo cat   $PRIVATE/$priv | sudo tee -a  $PRIVATE/$prefix-concat.pem > /dev/null

      # Restart services
      for service in $SERVICES; do
        if systemctl list-units | grep active | grep -q \$service'.service'; then
          sudo service \$service restart
        fi
      done
EOF

  done
done