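#!/usr/bin/env bash
#
# Provision the TLS certificate and nginx site config for an internal app
# on ${ui_host}.
#
# Steps, in order:
#   1. Pull the certificate currently installed on ${ui_host} and check that
#      it chains to the internal CA, is issued for ${app_fqdn} and is not
#      about to expire. A certificate that is present but fails the chain or
#      hostname check aborts the run — it is never silently overwritten.
#   2. If there is no usable certificate, copy the step provisioner secret
#      into a root-owned private temp dir on ${ui_host}, request a new
#      cert/key pair with `step ca certificate`, then remove the secret
#      (the EXIT trap also removes it on any abort).
#   3. Sync the nginx site config, enable it, test the config and reload.
#
# Requires: ssh + non-interactive sudo on ${ui_host}, rsync, openssl, and the
# provisioner secret at ~/.step/secrets/provisioner locally.
# Exit status is non-zero if any step failed; the nginx steps are still
# attempted after a non-fatal earlier failure so the host is left consistent.

# -u: unset variables are errors; pipefail: report failures inside pipelines.
# -e is intentionally not used: every step checks its own status below.
set -uo pipefail

ui_host=oolon.kosherinata.internal
# shellcheck disable=SC2034  # not used by this script; kept for the operator
ws_host=frootmig.kosherinata.internal
app_fqdn=blekin.kosherinata.internal
fedora_trusted_root_path=/etc/pki/ca-trust/source/anchors/root-internal.pem
fedora_intermediate_path=/etc/pki/ca-trust/source/anchors/intermediate-internal.pem
# Renew when fewer than this many seconds of validity remain (7 days).
app_cert_renew_within_seconds=$((7 * 24 * 60 * 60))

app_cert_is_valid=false
app_cert_remote_path=/etc/nginx/tls/cert/${app_fqdn}.pem
app_key_remote_path=/etc/nginx/tls/key/${app_fqdn}.pem
provisioner_secret_local_path="${HOME}/.step/secrets/provisioner"
nginx_conf_local_path="${HOME}/git/grenade/blekin/asset/nginx/${app_fqdn}.conf"
nginx_conf_remote_path=/etc/nginx/sites-available/${app_fqdn}.conf
nginx_conf_enabled_path=/etc/nginx/sites-enabled/${app_fqdn}.conf

# Overall exit status; set to 1 by non-fatal failures.
status=0
# Remote temp dir holding the provisioner secret; empty until created.
remote_secret_dir=

#######################################
# Remove the remote provisioner secret dir, if one was created.
# Globals:  remote_secret_dir (read, cleared on success), ui_host (read)
# Returns:  0 if nothing to do or removal succeeded, 1 otherwise
#######################################
remove_remote_secret() {
  [[ -n "${remote_secret_dir}" ]] || return 0
  # shellcheck disable=SC2029  # path intentionally expanded client-side
  if ssh "${ui_host}" sudo rm -rf -- "${remote_secret_dir:?}"; then
    remote_secret_dir=
  else
    printf 'failed to remove provisioner secret dir %s on %s\n' \
      "${remote_secret_dir}" "${ui_host}" >&2
    return 1
  fi
}

#######################################
# EXIT trap: drop the local cert copy and the remote secret on every exit
# path, so the provisioner secret never outlives the run.
#######################################
cleanup() {
  rm -f -- "${app_cert_local_path}"
  remove_remote_secret
}

# Private local scratch file instead of a predictable /tmp/<fqdn>.pem name.
app_cert_local_path=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
trap cleanup EXIT

# 1. Fetch the cert currently installed on the host, if any.
# rsync stderr is discarded on purpose: any fetch failure (most commonly the
# file not existing yet) is treated as "no cert installed".
if rsync \
  --archive \
  --compress \
  --rsync-path 'sudo rsync' \
  "${ui_host}:${app_cert_remote_path}" \
  "${app_cert_local_path}" 2> /dev/null; then
  # Trust only the internal root (-no-CAfile/-no-CApath exclude the system
  # store) and require the cert to actually be issued for this fqdn.
  if openssl verify \
    -no-CAfile -no-CApath \
    -trusted "${fedora_trusted_root_path}" \
    -untrusted "${fedora_intermediate_path}" \
    -verify_hostname "${app_fqdn}" \
    "${app_cert_local_path}"; then
    echo "verified ${app_fqdn} cert from ${ui_host}"
    # -checkend succeeds only if the cert stays valid for the whole window;
    # a chain-valid cert that is about to expire is renewed rather than kept.
    if openssl x509 -noout -in "${app_cert_local_path}" \
      -checkend "${app_cert_renew_within_seconds}"; then
      app_cert_is_valid=true
    else
      echo "observed ${app_fqdn} cert on ${ui_host} expiring within ${app_cert_renew_within_seconds}s; renewing"
    fi
  else
    # Present but not issued by our CA / for another name: refuse to
    # overwrite it blindly and let an operator look.
    echo "failed to verify ${app_fqdn} cert from ${ui_host}" >&2
    exit 1
  fi
else
  echo "observed missing ${app_fqdn} cert on ${ui_host}"
fi

# 2. Issue a new certificate when none is usable.
if [[ "${app_cert_is_valid}" == "true" ]]; then
  echo "observed valid cert for ${app_fqdn} on ${ui_host}"
else
  # Root-owned private dir (mktemp -d creates it 0700) rather than a fixed,
  # predictable path directly in world-writable /tmp.
  if ! remote_secret_dir=$(ssh "${ui_host}" sudo mktemp -d) \
    || [[ -z "${remote_secret_dir}" ]]; then
    echo "failed to create provisioner secret dir on ${ui_host}" >&2
    exit 1
  fi
  remote_secret_path=${remote_secret_dir}/provisioner

  if rsync \
    --archive \
    --compress \
    --rsync-path 'sudo rsync' \
    --chmod 600 \
    --chown root:root \
    "${provisioner_secret_local_path}" \
    "${ui_host}:${remote_secret_path}"; then
    echo "provisioner secret synced to ${ui_host}"
  else
    echo "failed to sync provisioner secret to ${ui_host}" >&2
    exit 1
  fi

  # step writes into these directories; make sure they exist on first run.
  # shellcheck disable=SC2029  # paths intentionally expanded client-side
  if ! ssh "${ui_host}" sudo mkdir -p \
    "${app_cert_remote_path%/*}" "${app_key_remote_path%/*}"; then
    echo "failed to create tls directories on ${ui_host}" >&2
    exit 1
  fi

  # shellcheck disable=SC2029  # arguments intentionally expanded client-side
  if ssh "${ui_host}" sudo step ca certificate \
    --force \
    --provisioner lair \
    --provisioner-password-file "${remote_secret_path}" \
    --ca-url https://ca.internal \
    --root "${fedora_trusted_root_path}" \
    --san "${app_fqdn}" \
    "${app_fqdn}" \
    "${app_cert_remote_path}" \
    "${app_key_remote_path}"; then
    echo "acquired ${app_fqdn} cert on ${ui_host}"
  else
    # Not fatal: a near-expiry cert may still be serving, and the nginx
    # config steps below are still worth applying. Reflected in exit status.
    echo "failed to acquire ${app_fqdn} cert on ${ui_host}" >&2
    status=1
  fi

  # Remove the secret right away, not only at exit.
  remove_remote_secret || status=1
fi

# 3. Site config: sync, enable, test and reload.
if rsync \
  --archive \
  --compress \
  --rsync-path 'sudo rsync' \
  --chown root:root \
  "${nginx_conf_local_path}" \
  "${ui_host}:${nginx_conf_remote_path}"; then
  echo "${app_fqdn}.conf synced to ${ui_host}"
else
  echo "failed to sync ${app_fqdn}.conf to ${ui_host}" >&2
  status=1
fi

# shellcheck disable=SC2029  # paths intentionally expanded client-side
if ssh "${ui_host}" sudo ln -sf "${nginx_conf_remote_path}" "${nginx_conf_enabled_path}"; then
  echo "${app_fqdn} enabled on ${ui_host}"
else
  echo "failed to enable ${app_fqdn} on ${ui_host}" >&2
  status=1
fi

# nginx -t guards the reload so a broken config never takes the site down.
if ssh "${ui_host}" 'sudo nginx -t && sudo systemctl reload nginx.service'; then
  echo "nginx reloaded on ${ui_host}"
else
  echo "failed to reload nginx on ${ui_host}" >&2
  status=1
fi

# sudo useradd --system --create-home --home-dir /var/lib/blekin --user-group blekin

exit "${status}"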