#!/bin/sh

set -e

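# Hook action (deploy_cert, unchanged_cert, ...) is the first argument;
# everything after it is passed through to the per-action handlers.
# With no arguments ACTION stays empty and reaches the "unsupported
# action" branch of the dispatch below instead of dying in `shift`.
ACTION=${1-}
[ $# -eq 0 ] || shift

# Realm this host belongs to; selects the /etc/local-REDPILL/<realm>/
# host lists read by servicehosts(). A missing file aborts via set -e.
REALM=$(cat /etc/local-ORG/realm)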

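# Print the hostnames of a service registered with Redpill as a
# "host1|host2" list, or nothing when the service is not installed here.
#   $1   - service name; reads /etc/local-REDPILL/$REALM/<name>host and
#          <name>althosts (comments and blank lines are dropped)
#   $2.. - binaries that must be on PATH for the service to count as
#          installed
# Returns 0 even when a binary is missing: the caller runs this inside
# $(...) under set -e, so a non-zero status (as the former `exit` gave)
# aborted the whole hook on any host lacking one of the services.
servicehosts() {
	SERVICE=$1; shift
	for binary in "$@"; do
		command -v "$binary" > /dev/null 2>&1 || return 0
	done
	cat "/etc/local-REDPILL/$REALM/${SERVICE}host" \
	  "/etc/local-REDPILL/$REALM/${SERVICE}althosts" \
	  2> /dev/null \
	  | perl -0777 -pe 's/\s*\#.*//gm;s/^\s+//;s/\s+$//;s/\s+/|/g'
}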
# "|"-joined hostname lists consulted by cert_fix(); servicehosts()
# gates each on the service's binary being present on this host
# (postconf for mail, ejabberdctl for chat).
MAILHOSTS=$(servicehosts mail postconf)
CHATHOSTS=$(servicehosts chat ejabberdctl)

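# Install a newly issued certificate for the local service that serves
# $DOMAIN. Takes deploy_cert-style arguments; only $1, $2 and $4 are used:
#   $1 - DOMAIN, primary name on the certificate
#   $2 - KEYFILE, private key; must not become world-readable
#   $4 - FULLCHAINFILE, leaf certificate followed by its chain
# Matching: MAILHOSTS/CHATHOSTS are "|"-joined lists from servicehosts().
# A quoted `case "$DOMAIN" in "$MAILHOSTS")` treats the whole list as one
# literal name (the "|" never acts as alternation), so the list is
# wrapped in "|" and searched for "|$DOMAIN|" instead. As before, a
# domain present in both lists is handled as a mail host only.
# Files are written by _write_group_file() rather than through an
# `sg -c "..."` command string, so a quote in DOMAIN or KEYFILE cannot
# break out of the command, and the PEM is replaced atomically.
cert_fix() {
	DOMAIN="$1"; KEYFILE="$2"; FULLCHAINFILE="$4"
	[ -n "$DOMAIN" ] || return 0
	if _in_hostlist "$MAILHOSTS" "$DOMAIN"; then
		set -x
		cat -- "$FULLCHAINFILE" > "/etc/dovecot/$DOMAIN.pem"
		_write_group_file dovecot "/etc/dovecot/private/$DOMAIN.pem" "$KEYFILE"
		#service dovecot force-reload
	elif _in_hostlist "$CHATHOSTS" "$DOMAIN"; then
		set -x
		_write_group_file ejabberd "/etc/ejabberd/$DOMAIN.pem" "$KEYFILE" "$FULLCHAINFILE"
		#service ejabberd force-reload
	fi
}

# True when $2 is one of the "|"-separated names in $1.
_in_hostlist() {
	case "|$1|" in
	  *"|$2|"*) return 0 ;;
	esac
	return 1
}

# Write the concatenation of $3.. to $2 with group $1 and mode 0640
# (the same mode the former `umask 027; cat > ...` produced).
# The data goes to a temp file in the target directory, whose group and
# mode are then set before it is renamed over $2, so a service reading
# the PEM never sees a partial file and the key is never world-readable.
_write_group_file() {
	_grp=$1; _dst=$2; shift 2
	_tmp=$(mktemp "$_dst.XXXXXX") || return 1
	if cat -- "$@" > "$_tmp" && chgrp -- "$_grp" "$_tmp" \
	    && chmod 0640 -- "$_tmp" && mv -f -- "$_tmp" "$_dst"; then
		return 0
	fi
	rm -f -- "$_tmp"
	return 1
}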

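# Fetch an OCSP response for the new certificate and store it as
# ocsp.der next to the certificate, for stapling by the service.
# Skipped with status 0 when ocsptool (GnuTLS) is not installed: the
# former `|| return` propagated which's failure, which under set -e
# would abort the hook once the cert_staple call is enabled.
#   $3 - CERTFILE, the leaf certificate
#   $5 - CHAINFILE, the issuer certificate(s)
# TODO: Set file changedate to OCSP expiry, and skip if 48h+ away
cert_staple() {
	CERTFILE="$3"; CHAINFILE="$5"
	command -v ocsptool > /dev/null 2>&1 || return 0
	CERTDIR=$(dirname -- "$CERTFILE")
	set -x
	ocsptool --ask --load-issuer "$CHAINFILE" --load-cert "$CERTFILE" --outfile "$CERTDIR/ocsp.der"
}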

# Dispatch on the hook action. Arguments after the action are passed
# through unchanged; for deploy_cert they are
#   DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE ...
# (cert_fix uses $1 $2 $4, cert_staple uses $3 $5).
case "$ACTION" in
  # challenge deployment and cleanup are no-ops in this hook
  deploy_challenge) ;;
  clean_challenge) ;;
  deploy_cert)
	cert_fix "$@"
	# OCSP stapling is currently disabled
	#cert_staple "$@"
	;;
  unchanged_cert)
	# a renewal run that kept the existing certificate does nothing
	#cert_fix "$@"
	#cert_staple "$@"
	;;
  *)
	# any other action the caller invokes fails the hook run
	>&2 echo "ERROR: unsupported action \"$ACTION\""
	exit 1
	;;
esac