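#!/bin/bash
#
# generate-and-upload-self-signed-keys
#
# Generates a self-signed TLS key/certificate pair for every server_name
# directive found in the nginx configuration below #ETCDIR#/nginx/ and pushes
# the certificates (never the private keys) to a remote host, where each
# upload is kept under a timestamped name and recorded in a sha512sums index.
#
# The script has two stages, selected by the invoking user:
#   root:            installs key/cert pairs that an earlier unprivileged run
#                    left behind as *.new, restarts nginx if anything changed,
#                    then re-executes itself as ${nginx_user}.
#   ${nginx_user}:   generates fresh *.new pairs and uploads the certificates.
# Because root moves *.new into place *before* handing over, a pair generated
# in this run is only activated by the next root run.
#
# Optional configuration, sourced from
# #ETCDIR#/generate-and-upload-self-signed-keys.conf:
#   remote_host    ssh/rsync target (required for the upload stage)
#   remote_dir     directory on remote_host that receives the certificates
#   ignore_hosts   array of server_name entries to skip; each entry is used
#                  as an (unescaped) sed pattern, so "." matches any character
#   cert_days      validity of generated certificates in days (default 365)
#   nginx_user     unprivileged user that generates and owns the key material
#                  (default http)
#
# Requires GNU find/sed/date/stat locally and bash on the remote side (the
# remote snippet relies on ${var//pattern/repl}).
#
# NOTE(review): private keys are created unencrypted (-nodes) by ${nginx_user}
# and keep that ownership after root moves them into place, so anything
# running as ${nginx_user} (e.g. a compromised nginx worker) can read them and
# can also prepare a pair that the next root run installs.  Whether that is
# acceptable depends on the deployment; chowning installed keys to root and
# tightening ${key_dir} would be the alternative — confirm before changing.

if [ -r '#ETCDIR#/generate-and-upload-self-signed-keys.conf' ]; then
  . '#ETCDIR#/generate-and-upload-self-signed-keys.conf'
fi

key_dir='#ETCDIR#/nginx/keys'
cert_days="${cert_days:-365}"
nginx_user="${nginx_user:-http}"

# Remember our own absolute path *before* changing directory: the root stage
# re-executes "$0" via su, which breaks for a relative invocation after cd /.
self=$(readlink -f -- "$0" 2>/dev/null) || self=$0

cd / || exit 1

# Collect every server_name directive below #ETCDIR#/nginx/, skipping anything
# named keys or sites-available.  Directives spanning several lines are joined
# (the sed range prints up to the terminating ';', tr glues the lines), names
# listed in ${ignore_hosts[@]} are removed, and the result is one line per
# directive: "<first name> [<further names>...]", sorted and de-duplicated.
# The ignore rule keeps the delimiter that follows the removed name (\1), so
# neighbouring names are not glued together and a trailing ';' survives.
hosts=$(
  find '#ETCDIR#/nginx/' \
    -name keys -prune , \
    -name sites-available -prune , \
    \( -type f -o -type l \) \
    -exec sed -n '
      s/^\s*//
      /^server_name\s.*;/ p
      /^server_name[^;]*$/,/;/ p
    ' {} \; 2>/dev/null \
  | tr '\n' ' ' \
  | sed '
      s/\s\+/ /g
      s/;\s*/;\n/g
    '"$(
      printf 's/\\s%s\\(;\\|\\s\\)/\\1/\n' "${ignore_hosts[@]}"
    )"'
    ' \
  | sed -n '
      s/^server_name //
      T
      s/;$//
      T
      p
    ' \
  | sort -u
)

if [ -z "${hosts}" ]; then
  # Without a single server_name there is nothing to install, generate or
  # upload; bailing out here also avoids producing a nameless ".key.pem.new".
  printf '%s: no server_name directives found below %s\n' \
    "${0##*/}" '#ETCDIR#/nginx/' >&2
  exit 0
fi

# First name of each directive doubles as the key/cert file name.
host_key_files=$(
  printf '%s\n' "${hosts}" \
  | cut -d' ' -f1
)

if [ "$(whoami)" = 'root' ]; then
  updated_something=false
  # Activate pairs a previous unprivileged run prepared.  Both halves must be
  # present so nginx never gets a key without its matching certificate.
  # Reading line by line (instead of an unquoted for-loop) keeps wildcard
  # server names such as "*.example.com" from being glob-expanded.
  while IFS= read -r host_key_file; do
    [ -n "${host_key_file}" ] || continue
    new_key="${key_dir}/${host_key_file}.key.pem.new"
    new_cert="${key_dir}/${host_key_file}.cert.pem.new"
    if [ -f "${new_key}" ] && [ -f "${new_cert}" ]; then
      mv -- "${new_key}" "${new_key%.new}"
      mv -- "${new_cert}" "${new_cert%.new}"
      updated_something=true
    fi
  done <<< "${host_key_files}"
  if [ "${updated_something}" = true ]; then
    systemctl try-restart nginx
  fi
  # Hand over to the unprivileged stage; %q keeps the path intact as a
  # command string even if it contains spaces or shell metacharacters.
  su "${nginx_user}" -s /bin/bash -c "$(printf '%q' "${self}")"
  exit $?
fi

if [ "$(whoami)" != "${nginx_user}" ]; then
  printf '%s: must be run as root or %s\n' "${0##*/}" "${nginx_user}" >&2
  exit 1
fi

# Unprivileged stage: one fresh self-signed pair per directive.  The first
# name becomes CN and file name; any further names go into a [SAN] section
# appended to the openssl config.  That section only takes effect if
# #ETCDIR#/ssl/openssl.cnf references it (req_extensions/x509_extensions) —
# not visible from here.
while read -r -a names; do
  [ "${#names[@]}" -gt 0 ] || continue
  host=${names[0]}
  new_key="${key_dir}/${host}.key.pem.new"
  new_cert="${key_dir}/${host}.cert.pem.new"
  if ! openssl req -x509 -newkey rsa:4096 \
      -keyout "${new_key}" \
      -out "${new_cert}" \
      -days "${cert_days}" -nodes \
      -subj '/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net/CN='"${host}" -sha256 \
      -config <(
        cat '#ETCDIR#/ssl/openssl.cnf'
        if [ "${#names[@]}" -gt 1 ]; then
          printf '\n[SAN]\nsubjectAltName'
          printf ',DNS:%s' "${names[@]}" \
          | sed 's/^,/=/'
        fi
      ); then
    # Never leave a half-written pair behind: the root stage would install it.
    rm -f -- "${new_key}" "${new_cert}"
    printf '%s: generating key/certificate for %s failed\n' "${0##*/}" "${host}" >&2
  fi
done <<< "${hosts}"

# Upload stage.  Only certificates (*.cert.pem, *.cert.pem.new) leave this
# host; the private keys stay in ${key_dir}.  Fail loudly instead of handing
# rsync/ssh an empty host.
: "${remote_host:?remote_host must be set in #ETCDIR#/generate-and-upload-self-signed-keys.conf}"
: "${remote_dir:?remote_dir must be set in #ETCDIR#/generate-and-upload-self-signed-keys.conf}"

cert_names=()
while IFS= read -r host_key_file; do
  [ -n "${host_key_file}" ] || continue
  cert_names+=("${host_key_file}.cert.pem" "${host_key_file}.cert.pem.new")
done <<< "${host_key_files}"

# Certificates not generated yet (first run) are skipped by rsync itself.
cert_paths=("${cert_names[@]/#/${key_dir}/}")
rsync --ignore-missing-args "${cert_paths[@]}" "${remote_host}:${remote_dir}/"

# Ship one "<mtime> <sha512> <file>" line per uploaded file.  The remote side
# renames the file to "<mtime>.<file>", deletes any older renamed copy and
# replaces the file's entry in the sha512sums index.  ${remote_dir} is %q
# quoted because it is interpolated into the remote command line, and the
# remote cd is checked so rm/mv never act in the wrong directory.
(
  cd "${key_dir}" || exit 1
  for cert in "${cert_names[@]}"; do
    [ -f "${cert}" ] || continue
    mtime=$(date -u -d "@$(stat -c %Y -- "${cert}")" '+%Y-%m-%dT%H:%M:%S')
    sum=$(sha512sum -- "${cert}" | cut -d' ' -f1)
    printf '%s %s %s\n' "${mtime}" "${sum}" "${cert}"
  done
) \
| ssh "${remote_host}" '
  cd '"$(printf '%q' "${remote_dir}")"' || exit 1
  [ -e sha512sums ] || : > sha512sums
  while read -r time sum file; do
    rm -f ????-??-??T??\:??\:??".${file}"
    mv -- "${file}" "${time}.${file}"
    sed -i '"'"'/ [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d'"'"' sha512sums
    printf '"'"'%s %s\n'"'"' "${sum}" "${time}.${file}" >> sha512sums
  done
'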