#!/usr/bin/bash
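# Create a self-signed TLS certificate and private key for restic-server
# when neither file exists yet and the configured file names are the
# defaults. Exits 0 when there is nothing to do, and 1 when only one half
# of the pair is present.
#
# /etc/sysconfig/restic-server is sourced if present, so it may override
# SSLCERT, SSLKEY and FQDN. SSLNAME and SSLGROUP are assigned after the
# source and cannot be overridden from it.

# Refuse to run on bash older than 4 (or on a shell without BASH_VERSION).
[ "${BASH_VERSION%%.*}" -ge 4 ] || exit 1

LANG=en_US.UTF-8
export LANG

set -e

FQDN=$(hostname --long)
# The sysconfig file is executed as shell code with this script's
# privileges, so it must only be writable by a trusted administrator.
if [[ -f /etc/sysconfig/restic-server ]]; then
  . /etc/sysconfig/restic-server
fi

SSLNAME=restic-server
SSLCERT=${SSLCERT:-/etc/pki/tls/certs/${SSLNAME}.crt}
SSLKEY=${SSLKEY:-/etc/pki/tls/private/${SSLNAME}.key}

# Both files exist: nothing to generate.
if [[ -f "${SSLCERT}" && -f "${SSLKEY}" ]]; then
  exit 0
fi

# Exactly one of the two exists: refuse to continue rather than overwrite
# or pair it with freshly generated material. Diagnostics go to stderr.
if [[ -f "${SSLCERT}" ]]; then
  printf 'Missing certificate key %s!\n' "${SSLKEY}" >&2
  exit 1
fi

if [[ -f "${SSLKEY}" ]]; then
  printf 'Missing certificate %s, but key is present!\n' "${SSLCERT}" >&2
  exit 1
fi

# Compare base names on both sides. The key test previously compared the
# full path with "${SSLNAME}.key", which can never match a path, so that
# half of the condition was always true.
# NOTE(review): with "&&" a configuration that customises only one of the
# two names is still treated as default and gets files generated at the
# configured paths -- confirm whether "||" is what is wanted here.
if [[ "${SSLCERT##*/}" != "${SSLNAME}.crt" &&
      "${SSLKEY##*/}" != "${SSLNAME}.key" ]]; then
  # Non-default configuration, do nothing.
  exit 0
fi

# Group that gets read access to the key: taken from the unit's Group=
# setting, checking the override.conf drop-in first and the packaged unit
# second; falls back to resticsrv. Only these two files are consulted.
SSLGROUP=resticsrv
for unit_file in \
  /etc/systemd/system/restic-server.service.d/override.conf \
  /usr/lib/systemd/system/restic-server.service; do
  [[ -f "${unit_file}" ]] || continue
  # Keep only the last Group= line so that a file with several assignments
  # yields a single value instead of a multi-line string.
  check=$(awk -F= '/^Group=/ { grp = $2 } END { if (grp != "") print grp }' \
    "${unit_file}")
  if [[ -n "${check}" ]]; then
    SSLGROUP=${check}
    break
  fi
done

# An empty host name would otherwise be passed to sscg as an empty argument.
if [[ -z "${FQDN}" ]]; then
  printf 'Cannot determine the host name for the certificate.\n' >&2
  exit 1
fi

# --ca-file and --cert-file deliberately point at the same path.
# NOTE(review): until the chmod below runs, the key carries whatever mode
# sscg creates it with -- confirm that this is not group/world readable.
sscg -q \
  --cert-file "${SSLCERT}" \
  --cert-key-file "${SSLKEY}" \
  --ca-file "${SSLCERT}" \
  --lifetime 365 \
  --hostname "${FQDN}" \
  --email "root@${FQDN}"

# set -e aborts the script if sscg or either of these steps fails.
# Key ends up owner read/write, service group read-only, no access for others.
chmod 0640 -- "${SSLKEY}"
chown -- "root:${SSLGROUP}" "${SSLKEY}"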
