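#!/bin/bash
# Deploy let's encrypt certs
#
# Usage: <this script> TIMESTAMP
#
# Installs the fullchain-TIMESTAMP.pem / privkey-TIMESTAMP.pem pair that
# dehydrated wrote to SRCDIR for Apache, Asterisk, Exim and imapd, repoints
# the well-known symlinks (fullchain.pem, privkey.pem, imapd.pem and the
# OpenSSL subject-hash link) at the new files, records the new timestamp and
# imapd hash under /var/local/lib/certs and finally runs remove-old-certs.sh.
# Needs root (chown/chmod of the private keys).
#
# Only a missing/unchanged timestamp or a missing source file is fatal; a
# missing or failed destination just skips that one service so the others
# are still updated.

# An unset variable would silently turn a path into "/" or "-.pem".
set -u

# Files and dirs
TIMESTAMP="${1:-}"
CERT="fullchain-${TIMESTAMP}.pem"
KEY="privkey-${TIMESTAMP}.pem"
SRCDIR="/var/lib/dehydrated/certs/sput.nl"
STATEDIR="/var/local/lib/certs"

# Set later
CURIMAPDHASH=""
CURTIMESTAMP=""
DSTDIR=""
NEWIMAPDHASH=""

#######################################
# Abort the whole deployment.
# Arguments: $* - reason
# Outputs:   reason and "New cert not installed" on stderr
# Returns:   exits 1
#######################################
die() {
  printf '%s\n' "$*" "New cert not installed" >&2
  exit 1
}

#######################################
# Copy the new cert and key into a directory and repoint the fullchain.pem /
# privkey.pem symlinks at them.  The symlinks are only updated after both
# copies succeeded, so a failed copy cannot leave a service pointing at a
# missing file.  The script's working directory is not changed.
# Globals:   SRCDIR, CERT, KEY (read); DSTDIR (read when $1 is omitted)
# Arguments: $1 - destination directory (default: DSTDIR)
#            $2 - mode for the copied key (optional; when empty the key gets
#                 whatever cp produces: source mode masked by umask)
# Returns:   0 on success, 1 if any copy, chmod or symlink failed
#######################################
copy_files() {
  local dst="${1:-${DSTDIR}}" keymode="${2:-}"
  cp -- "${SRCDIR}/${CERT}" "${dst}/" || return 1
  if [[ -n "${keymode}" ]]; then
    # Create the key file with its final mode before any key material is
    # written; cp onto an existing file keeps that file's mode, so the key
    # is never briefly wider than intended.
    { : > "${dst}/${KEY}" && chmod "${keymode}" -- "${dst}/${KEY}"; } || return 1
  fi
  cp -- "${SRCDIR}/${KEY}" "${dst}/" || return 1
  # Relative link targets, exactly what the old "cd && ln -sf" produced.
  ln -sf -- "${CERT}" "${dst}/fullchain.pem" || return 1
  ln -sf -- "${KEY}" "${dst}/privkey.pem" || return 1
}

# Basic checks
[[ -n "${TIMESTAMP}" ]] || die "No timestamp specified"
# TIMESTAMP is spliced into file names; a '/' would let it escape SRCDIR/DSTDIR.
case "${TIMESTAMP}" in
  */*) die "Invalid timestamp ${TIMESTAMP}" ;;
esac
[[ -d "${SRCDIR}/" ]] || die "Directory ${SRCDIR}/ does not exist"
[[ -f "${SRCDIR}/${CERT}" ]] || die "Certificate ${CERT} does not exist"
[[ -f "${SRCDIR}/${KEY}" ]] || die "Private key ${KEY} does not exist"

# Current timestamp
if [[ -f "${STATEDIR}/current-timestamp" ]]; then
  CURTIMESTAMP=$(< "${STATEDIR}/current-timestamp")
  [[ "${CURTIMESTAMP}" == "${TIMESTAMP}" ]] && die "Timestamp did not change"
else
  echo "Current timestamp file not found"
fi

# Current imapd cert hash
if [[ -f "${STATEDIR}/current-hash" ]]; then
  CURIMAPDHASH=$(< "${STATEDIR}/current-hash")
else
  echo "Current imapd cert hash file not found"
fi

# Apache
DSTDIR="/etc/apache2/ssl"
if ! [[ -d "${DSTDIR}/" ]]; then
  echo "Directory ${DSTDIR}/ does not exist"
  echo "New Apache cert not installed"
elif copy_files "${DSTDIR}"; then
  sleep 1
  # SysV;
  /etc/init.d/apache2 reload
  # Systemd;
  # systemctl reload apache2
else
  echo "New Apache cert not installed"
fi

# Asterisk
DSTDIR="/etc/asterisk"
if ! [[ -d "${DSTDIR}/" ]]; then
  echo "Directory ${DSTDIR}/ does not exist"
  echo "New Asterisk cert not installed"
elif copy_files "${DSTDIR}" 640 \
    && chmod 640 -- "${DSTDIR}/${CERT}" "${DSTDIR}/${KEY}" \
    && chown root:asterisk -- "${DSTDIR}/${CERT}" "${DSTDIR}/${KEY}"; then
  sleep 1
  # SysV;
  /etc/init.d/asterisk reload
  # Systemd;
  # systemctl reload asterisk
else
  # Copy or ownership failed: do not reload onto a half-installed cert.
  echo "New Asterisk cert not installed"
fi

# Exim
DSTDIR="/etc/exim4"
if ! [[ -d "${DSTDIR}/" ]]; then
  echo "Directory ${DSTDIR}/ does not exist"
  echo "New Exim cert not installed"
elif copy_files "${DSTDIR}" 640 \
    && chmod 640 -- "${DSTDIR}/${CERT}" "${DSTDIR}/${KEY}" \
    && chown root:Debian-exim -- "${DSTDIR}/${CERT}" "${DSTDIR}/${KEY}"; then
  sleep 1
  # SysV;
  /etc/init.d/exim4 reload
  # Systemd;
  # systemctl reload exim4
else
  echo "New Exim cert not installed"
fi

# Imapd
# imapd wants key and cert in a single file.  It is created empty and
# chmod'ed before any key material is written (cp onto an existing file keeps
# the destination's mode), then linked as imapd.pem and as <subject-hash>.0
# the way c_rehash names certificates.
DSTDIR="/etc/ssl/certs"
if ! [[ -d "${DSTDIR}/" ]]; then
  echo "Directory ${DSTDIR}/ does not exist"
  echo "New Imapd cert not installed"
else
  IMAPDCERT="imapd-${TIMESTAMP}.pem"
  if : > "${DSTDIR}/${IMAPDCERT}" \
      && chmod 640 -- "${DSTDIR}/${IMAPDCERT}" \
      && cp -- "${SRCDIR}/${KEY}" "${DSTDIR}/${IMAPDCERT}" \
      && cat -- "${SRCDIR}/${CERT}" >> "${DSTDIR}/${IMAPDCERT}" \
      && ln -sf -- "${IMAPDCERT}" "${DSTDIR}/imapd.pem"; then
    # The key precedes the cert in the file; openssl skips the non-matching
    # PEM block and hashes the first certificate.
    NEWIMAPDHASH=$(openssl x509 -noout -hash < "${DSTDIR}/imapd.pem")
    if [[ -z "${NEWIMAPDHASH}" ]]; then
      # Without a hash the old code would have created a link literally
      # named ".0"; skip the hash link instead and leave NEWIMAPDHASH empty
      # so new-hash is not written either.
      echo "Could not compute imapd cert hash"
    else
      NEWIMAPDHASH="${NEWIMAPDHASH}.0"
      if [[ -L "${DSTDIR}/${CURIMAPDHASH}" && "${NEWIMAPDHASH}" == "${CURIMAPDHASH}" ]]; then
        echo "Imapd cert hash not changed"
      else
        ln -sf -- imapd.pem "${DSTDIR}/${NEWIMAPDHASH}" \
          || echo "Could not create hash link ${NEWIMAPDHASH}"
      fi
    fi
  else
    echo "New Imapd cert not installed"
  fi
fi

# Store timestamp and hash
# These are written as new-*; current-* is presumably promoted from them by
# remove-old-certs.sh -- confirm before renaming either file.
echo "${TIMESTAMP}" > "${STATEDIR}/new-timestamp" \
  || echo "Could not write ${STATEDIR}/new-timestamp"
if [[ -n "${NEWIMAPDHASH}" ]]; then
  echo "${NEWIMAPDHASH}" > "${STATEDIR}/new-hash" \
    || echo "Could not write ${STATEDIR}/new-hash"
fi
sleep 1
# NOTE(review): the old script reached this point with its cwd left in the
# last directory copy_files cd'ed into; this version never changes cwd --
# confirm remove-old-certs.sh does not depend on that.
/usr/local/sbin/remove-old-certs.sh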