#!/bin/bash
# ========================================================================== #
#                                                                            #
#    KVMD - The main PiKVM daemon.                                           #
#                                                                            #
#    Copyright (C) 2018-2024  Maxim Devaev <mdevaev@gmail.com>               #
#                                                                            #
#    This program is free software: you can redistribute it and/or modify    #
#    it under the terms of the GNU General Public License as published by    #
#    the Free Software Foundation, either version 3 of the License, or       #
#    (at your option) any later version.                                     #
#                                                                            #
#    This program is distributed in the hope that it will be useful,         #
#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
#    GNU General Public License for more details.                            #
#                                                                            #
#    You should have received a copy of the GNU General Public License       #
#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
#                                                                            #
# ========================================================================== #


set -e
export LC_ALL=C

if [ "$(whoami)" != root ]; then
	echo "Only root can do that"
	exit 1
fi

user=kvmd-certbot
web=/run/kvmd-certbot/webroot
cur=/var/lib/kvmd/pst/data/certbot/runroot
new=/var/lib/kvmd/pst/data/certbot/runroot.new
tmp=/tmp/kvmd-certbot/runroot

cur_opts=("--config-dir=$cur/config" "--work-dir=$cur/work" "--logs-dir=$cur/logs")


function cleanup() {
	rm -rf "$tmp"
}

function create_tmp() {
	mkdir "$tmp" # Acts as a lock
	chown "$user:" "$tmp"
	trap cleanup EXIT
}

function ensure_runroot() {
	kvmd-pstrun -- bash -c "
		set -ex
		mkdir -p '$cur'
		chown -R '$user:' '$cur/..'
	"
}

function restart_if_running() {
	if systemctl is-active --quiet "$2"; then
		echo "=> systemctl $1 $2"
		systemctl "$1" "$2" || true
	fi
}

function restart_if_running_nginx() {
	restart_if_running reload kvmd-nginx
}

function restart_if_running_cloud() {
	restart_if_running reload kvmd-nginx
}

function restart_if_running_vnc() {
	restart_if_running restart kvmd-vnc
}

case "$1" in
	-h|--help|help)
		create_tmp
		sudo --preserve-env -u "$user" certbot "$@" "${cur_opts[@]}"
	;;

	--)
		shift
		create_tmp
		ensure_runroot
		sudo --preserve-env -u "$user" kvmd-pstrun -- certbot "$@" "${cur_opts[@]}"
	;;

	certonly|certonly_webroot)
		webroot_opts=()
		if [ "$1" == certonly_webroot ]; then
			webroot_opts=(--webroot "--webroot-path=$web")
		fi
		shift
		create_tmp
		ensure_runroot
		sudo --preserve-env -u "$user" kvmd-pstrun -- certbot certonly "$@" "${cur_opts[@]}" \
			"${webroot_opts[@]}" \
			--deploy-hook="/usr/bin/bash -c '
				set -ex
				chmod 755 '$cur/config/'{archive,live}
				chmod 640 \"\$RENEWED_LINEAGE/privkey.pem\"
			'"
	;;

	renew)
		shift
		create_tmp
		cp -a "$cur"/. "$tmp"
		chown -R "$user:" "$tmp"
		sed -s -i -e "s| = $cur/| = $tmp/|g" "$tmp/config/renewal/"*
		sudo --preserve-env -u "$user" certbot renew "$@" \
			--config-dir="$tmp/config" \
			--work-dir="$tmp/work" \
			--logs-dir="$tmp/logs" \
			--deploy-hook="/usr/bin/touch '$tmp/updated'" || true
		if [ -f "$tmp/updated" ]; then
			sudo --preserve-env -u "$user" kvmd-pstrun -- bash -c "
				set -ex
				rm -rf '$new'
				cp -a '$tmp'/. '$new'
				rm '$new/updated'
				chmod 755 '$new/config/'{archive,live}
				chmod 640 '$new'/config/archive/*/privkey*.pem
				sed -s -i -e 's| = $tmp/| = $cur/|g' '$new/config/renewal/'*
				rm -rf '$new/logs/'*.log.* '$new/config/'{csr,keys}
				sync
				kvmd-helper-swapfiles '$new' '$cur'
				rm -rf '$new'
			"
			restart_if_running_nginx
			restart_if_running_vnc
		fi
	;;

	install_nginx|install_vnc|install_cloud)
		target="${1/install_/}"
		if [ -z "$2" ]; then
			echo "Usage: kvmd-certbot $1 <domain>"
			exit 1
		fi
		set -x
		rm -f "/etc/kvmd/$target/ssl/server."{crt,key}
		ln -s "$cur/config/live/$2/fullchain.pem" "/etc/kvmd/$target/ssl/server.crt"
		ln -s "$cur/config/live/$2/privkey.pem" "/etc/kvmd/$target/ssl/server.key"
		"restart_if_running_$target"
	;;

	*)
		echo "This command is not implemented by kvmd-certbot."
		echo "To pass it into certbot under PST context use '--'."
		echo "For example: kvmd-certbot -- $*"
		exit 1
	;;
esac
