#!/bin/bash

# variables
LABEL="DATA"
TLD="example.com"
HOST="isl"
ORGNAME="ISL Online example"

# start
set -e

[ -e /01firstboot ] && exit 0
[ -e /02firstboot ] || exit 0

# Certificate
if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
    # angepaßtes Zertifikat vorhanden (kein example)
    if [ ! -L /etc/ssl/cert-renew.sh ]; then
        rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
        mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
    else
        rm -f "/etc/ssl/cert-renew.sh"
    fi
    ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
else
    echo 'Create example certificate...'
    mkdir -p "/$LABEL/CERTS/KEYS/"
    mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
    echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
    openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
    cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
    touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
fi

rm -rf /etc/ssl/nginx
mkdir -p /etc/ssl
ln -sf "/$LABEL/etc/ssl/nginx" "/etc/ssl/nginx"

/etc/ssl/cert-renew.sh

systemctl restart confproxy

rm /02firstboot