#!/bin/bash
# Certificate helper for WendzelNNTPd: creates a self-signed CA plus server
# certificate with openssl, or obtains one through certbot (see usage).
# NOTE(review): @confdir@ and @package_datadir@ look like build-time
# placeholders that are substituted on install — confirm against the build.
set -e

printf '%s\n\n' "This is the WendzelNNTPd script for generating SSL certificates."

# Directory the generated certificate files end up in (overridable via --targetdir).
targetdir=@confdir@/ssl
# Directory holding the bundled openssl.cnf used for the requests below.
datadir=@package_datadir@

#######################################
# Prints the command-line help text.
# Globals:   none
# Arguments: none
# Outputs:   the usage text on stdout (leading and trailing blank line)
# Returns:   0
#######################################
usage() {
    cat <<'EOF'

Creates certificates for WendzelNNTPd (selfsigned or via LetsEncrypt)

usage: create_certificate --environment local | letsencrypt --email string --domain string

  --environment string    context for generating certificates ('local' and 'letsencrypt' are allowed values)
  --email string          only needed if 'letsencrypt' is used
                          (example: test@test.de)
  --domain string         only needed if 'letsencrypt' is used; specify domain under which your server is reachable
                          (example: test.de)
  --targetdir string      specify the directory where the created certificates are placed into
                          (default: @confdir@/ssl)

EOF
}

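#######################################
# Parses the command-line options into the script's settings.
# Only the documented option names are accepted: the previous
# `declare "$v"="$2"` let any `--name value` pair set an arbitrary shell
# variable (e.g. --datadir, which selects the openssl.cnf that is used).
# Globals:   environment, email, domain, targetdir (written)
# Arguments: the script's positional parameters
# Outputs:   usage text on stdout for --help, diagnostics on stderr
# Returns:   0; exits 0 after --help, exits 2 on an unknown option or a
#            missing option value
#######################################
parse_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --help)
                usage
                exit 0
                ;;
            --environment|--email|--domain|--targetdir)
                # A trailing option without a value used to run `shift` past
                # the end of the argument list and abort under set -e.
                if [ $# -lt 2 ] || [ -z "$2" ]; then
                    echo "Option $1 requires a value." >&2
                    exit 2
                fi
                case "$1" in
                    --environment) environment=$2 ;;
                    --email)       email=$2 ;;
                    --domain)      domain=$2 ;;
                    --targetdir)   targetdir=$2 ;;
                esac
                shift 2
                ;;
            *)
                echo "Unknown option: $1" >&2
                echo "Use --help to list the supported options." >&2
                exit 2
                ;;
        esac
    done
}
parse_args "$@"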

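# Everything below writes into ${targetdir} (and, for letsencrypt, certbot
# writes under /etc/letsencrypt), so insist on root before touching anything.
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script with root privileges!" >&2
    exit 1
fi

# targetdir may come from the command line; quote it and use '--' so a value
# starting with '-' is not read as an option by mkdir.
mkdir -p -- "${targetdir}"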

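#######################################
# Creates a self-signed CA and a CA-signed server certificate with openssl.
# Globals:   targetdir, datadir (read)
# Arguments: none
# Outputs:   progress messages on stdout; the key/cert files in targetdir
# Returns:   0; the script aborts on the first failing openssl call (set -e)
#######################################
generate_local_certificates() {
    echo "Environment is set to 'local'. Certificates for 'local' use are generated now..."
    echo

    # CA: 10-year self-signed certificate, unencrypted key (-nodes).
    openssl req \
        -x509 \
        -new \
        -newkey rsa:2048 \
        -days 3650 \
        -nodes \
        -extensions v3_ca \
        -config "${datadir}/openssl.cnf" \
        -keyout "${targetdir}/ca-key.pem" \
        -out "${targetdir}/ca.crt"

    # Server key and CSR, then a 1-year certificate signed by the CA above.
    openssl genrsa -out "${targetdir}/server.key" 2048
    openssl req \
        -new -key "${targetdir}/server.key" \
        -out "${targetdir}/server.csr" \
        -config "${datadir}/openssl.cnf"

    openssl x509 \
        -req \
        -days 365 \
        -in "${targetdir}/server.csr" \
        -CA "${targetdir}/ca.crt" \
        -CAkey "${targetdir}/ca-key.pem" \
        -CAcreateserial \
        -extensions v3_req \
        -extfile "${datadir}/openssl.cnf" \
        -out "${targetdir}/server.crt"

    # Private keys must not be readable by other users. Recent openssl
    # releases already create them with mode 0600, but do not rely on it.
    chmod -- 600 "${targetdir}/ca-key.pem" "${targetdir}/server.key"

    echo "Finished ..."
    echo "You can find the certificate at: ${targetdir}/server.crt, key: ${targetdir}/server.key, CA certificate: ${targetdir}/ca.crt"
    echo
}

#######################################
# Obtains a certificate through certbot and links it into targetdir.
# Globals:   targetdir, email, domain (read)
# Arguments: none
# Outputs:   progress messages on stdout, diagnostics on stderr
# Returns:   0; exits 1 when certbot is missing or --email/--domain were
#            not given; aborts on a failing certbot run (set -e)
#######################################
generate_letsencrypt_certificates() {
    echo "Environment is set to 'letsencrypt'. Certificates are generated now via LetsEncrypt certbot..."
    echo "Check if certbot is installed..."
    if ! certbot --version; then
        echo "certbot is not installed or not in PATH." >&2
        exit 1
    fi

    if [ -z "$email" ]; then
        echo "You have to add an email with --email parameter" >&2
        exit 1
    fi

    if [ -z "$domain" ]; then
        echo "You have to add the domain where running this script with --domain parameter" >&2
        exit 1
    fi

    echo "Generating certificates..."
    # --opt=value keeps a value that begins with '-' from being parsed by
    # certbot as a further option.
    certbot certonly --standalone -n --agree-tos \
        --email="$email" --domains="$domain" --cert-name wendzelnntpd

    # certbot keeps the real files below its live directory; targetdir only
    # receives symlinks to them.
    local live_dir=/etc/letsencrypt/live/wendzelnntpd
    ln -sf -- "${live_dir}/fullchain.pem" "${targetdir}/server.crt"
    ln -sf -- "${live_dir}/privkey.pem" "${targetdir}/server.key"
    ln -sf -- "${live_dir}/chain.pem" "${targetdir}/ca.crt"

    echo "Finished ..."
    echo "You can find certificate at: ${targetdir}/server.crt, key: ${targetdir}/server.key, CA certificate: ${targetdir}/ca.crt"
    echo
}

# Dispatch on --environment; an unset value means 'local'.
if [[ -z "$environment" || "$environment" == "local" ]]; then
    generate_local_certificates
elif [[ "$environment" == "letsencrypt" ]]; then
    generate_letsencrypt_certificates
else
    # An unsupported environment is an error, not a silent exit 0.
    echo "Unknown environment '${environment}' for certificate generation provided..." >&2
    echo "Stopping script." >&2
    exit 1
fi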
