#!/bin/sh

set -e

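# First argument is the hook action (dispatched by the case at the bottom of
# the file); the remaining arguments belong to that action and are passed to
# the handlers untouched. A bare `shift` would abort the script under set -e
# when the hook is invoked with no arguments at all, so guard it.
ACTION=${1-}
if [ "$#" -gt 0 ]; then shift; fi

# Realm whose host lists under /etc/local-REDPILL/ apply to this machine.
# A missing or unreadable realm file leaves REALM empty; cat's diagnostic is
# deliberately left on stderr so the operator can see why no host matched.
REALM=$(cat /etc/local-ORG/realm) || true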

# resolve hostnames of service installed and registered with Redpill
servicehosts() {
	SERVICE=$1; shift
	for binary in "$@"; do
		> /dev/null which -- "$binary" || exit
	done
	cat "/etc/local-REDPILL/$REALM/${SERVICE}host" \
	  "/etc/local-REDPILL/$REALM/${SERVICE}althosts" \
	  2> /dev/null \
	  | perl -0777 -pe 's/\s*\#.*//gm;s/^\s+//;s/\s+$//;s/\s+/|/g'
}
# Per-service host lists ('|'-joined, see servicehosts). Each lookup is
# best-effort: when the service binary is absent or the list files are
# missing, the variable is simply left empty and no certificate is
# deployed for that service.
MAILHOSTS=$(servicehosts mail postconf) || :
CHATHOSTS=$(servicehosts chat ejabberdctl) || :
MUMBLEHOSTS=$(servicehosts mumble murmurd) || :

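# Membership test for the host lists built by servicehosts.
#   $1  hostname to look up
#   $2  '|'-separated list of hostnames
# Returns 0 when $1 is exactly one of the entries of $2, 1 otherwise
# (including when either argument is empty).
# A plain `case "$DOMAIN" in "$LIST")` cannot do this: a variable expanded in
# a case pattern is matched as text, so the '|' separators are never
# alternation and a list with two or more hosts never matches anything.
_listed_in() {
	if [ -z "$1" ] || [ -z "$2" ]; then
		return 1
	fi
	case "|$2|" in
	  *"|$1|"*) return 0 ;;
	esac
	return 1
}

# Install a freshly issued certificate for the service that serves $1.
#   $1  DOMAIN         hostname the certificate was issued for
#   $2  KEYFILE        private key
#   $3  CERTFILE       leaf certificate
#   $4  FULLCHAINFILE  leaf certificate plus chain
# Only the first matching service (mail, then chat, then mumble) is updated;
# a hostname that is in none of the lists is left alone (status 0).
# Key material is written via sg so the new files get the service's group,
# and umask 027 keeps them unreadable by others. The file paths are spliced
# into the sg command string, so this assumes they contain no single quotes
# (presumably true for hook-generated paths; verify against the caller).
# NOTE: set -x is never turned off, so everything after a match is traced to
# stderr; the trace shows file paths only, never key contents.
cert_fix() {
	DOMAIN="$1"; KEYFILE="$2"; CERTFILE="$3"; FULLCHAINFILE="$4"
	if _listed_in "$DOMAIN" "$MAILHOSTS"; then
		set -x
		# chain with the script's default umask; key into the private dir
		cat "$FULLCHAINFILE" > "/etc/dovecot/$DOMAIN.pem"
		sg dovecot -c "umask 027; cat '$KEYFILE' > '/etc/dovecot/private/$DOMAIN.pem'"
		service dovecot force-reload
	elif _listed_in "$DOMAIN" "$CHATHOSTS"; then
		set -x
		# key and full chain are concatenated into one PEM for ejabberd
		sg ejabberd -c "umask 027; cat '$KEYFILE' '$FULLCHAINFILE' > '/etc/ejabberd/$DOMAIN.pem'"
		service ejabberd force-reload
	elif _listed_in "$DOMAIN" "$MUMBLEHOSTS"; then
		set -x
		# key and leaf certificate go to separate files for mumble-server
		sg mumble-server -c "umask 027; cat '$KEYFILE' > '/etc/mumble-server-$DOMAIN.key'"
		sg mumble-server -c "umask 027; cat '$CERTFILE' > '/etc/mumble-server-$DOMAIN.pem'"
		service mumble-server force-reload
	fi
}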

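# TODO: set the file's mtime to the OCSP response's expiry and skip the
# refresh while that expiry is 48h+ away.

# Fetch a fresh OCSP response for the deployed certificate and store it as
# ocsp.der next to the certificate, for stapling.
# Takes the deploy_cert hook arguments; only two are used:
#   $3  CERTFILE   leaf certificate
#   $5  CHAINFILE  issuer chain
# Returns non-zero (doing nothing) when ocsptool is not installed, and when
# the OCSP query fails. The response is written to a sibling file first and
# renamed into place, so a reader never sees a truncated ocsp.der and a
# failed query leaves the previous response untouched.
cert_staple() {
	CERTFILE="$3"; CHAINFILE="$5"
	command -v ocsptool > /dev/null || return 1
	CERTDIR=$(dirname "$CERTFILE")
	NEWFILE="$CERTDIR/ocsp.der.new"
	set -x
	if ocsptool --ask --load-issuer "$CHAINFILE" --load-cert "$CERTFILE" --outfile "$NEWFILE"; then
		mv -f -- "$NEWFILE" "$CERTDIR/ocsp.der"
	else
		rm -f -- "$NEWFILE"
		return 1
	fi
}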

# Hook dispatch: $ACTION is the first script argument, the rest ("$@") are
# handed to the handler as-is. Unknown actions are ignored (status 0).
case "$ACTION" in
  deploy_cert)
	cert_fix "$@"
	# OCSP stapling is currently disabled (see cert_staple and its TODO):
	#cert_staple "$@"
	;;
  deploy_challenge|clean_challenge)
	# nothing to do for challenge handling
	;;
  unchanged_cert)
	# intentionally a no-op; the calls below are what could be re-enabled
	#cert_fix "$@"
	#cert_staple "$@"
	;;
esac