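#!/bin/sh
# acme user's setup script
#
# On first run generates a signify key pair (signs the published checksums)
# and an age key pair (decrypts the published private keys), installs acme.sh
# under $HOME, then for every domain in $DOMAINS issues a wildcard certificate
# via DNS-01 through a delegation domain and publishes to /var/www/acme:
#   <domain>.cer, <domain>.fullchain   certificate and chain, plaintext
#   <domain>.key.enc                   private key, age-encrypted to recipients.txt
#   <domain>.sha256sum(.sig)           checksums of the above, signed with sign.sec
#   sign.pub                           signify public key to verify the .sig files
#
# Required environment: ACME_EMAIL, ACME_DELEGATION_DOMAIN, DOMAINS (whitespace
# separated). Optional: AGE_RECIPIENTS (extra age recipients, one per line),
# ACMESH_FLAGS (extra acme.sh arguments, word-split on purpose).
#
# NOTE: -x traces every expanded command line to stderr, including the contents
# of $ACMESH_FLAGS. Keep credentials (e.g. the DNS API keys that dns_aws reads
# from the environment) out of that variable so they never end up in logs.
set -ex

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Validate configuration before any key material is generated, so a
# misconfigured run leaves nothing behind.
[ -n "$ACME_EMAIL" ] || die "ACME_EMAIL must be set"
[ -n "$ACME_DELEGATION_DOMAIN" ] || die "ACME_DELEGATION_DOMAIN must be set"
[ -n "$DOMAINS" ] || die "DOMAINS must be set"

cd "$HOME"

# Signify key pair, generated once. -n: no passphrase, so signing can run
# unattended; sign.sec therefore stays in $HOME and only sign.pub is published.
if ! [ -e "sign.sec" ] ; then
  # Best-effort removal of a stale public key before regenerating the pair.
  rm -f sign.pub || :
  signify -G -n -p sign.pub -s sign.sec
fi
cat sign.pub

# Age key pair, generated once; its public half is always a recipient so this
# host can decrypt its own published keys.
if ! [ -e "age.key" ] ; then
  age-keygen -o age.key
fi

# Rebuild recipients.txt on every run. Appending to the previous file would
# add a duplicate of the local public key each time the script runs without
# AGE_RECIPIENTS set.
if [ -n "$AGE_RECIPIENTS" ] ; then
  printf '%s\n' "$AGE_RECIPIENTS" > recipients.txt
else
  : > recipients.txt
fi
awk '/public key/{print $4}' age.key >> recipients.txt

# Install the packaged acme.sh into this user's home. --no-cron: this script
# is the only scheduler.
cp /usr/bin/acme.sh ./
sh ./acme.sh --install \
  --home "$HOME/acme_home" \
  --config-home "$HOME/acme_conf" \
  --cert-home "$HOME/certs" \
  --accountemail "$ACME_EMAIL" \
  --accountkey "$HOME/acme_account.key" \
  --accountconf "$HOME/acme_account.conf" \
  --no-cron
#shellcheck disable=SC1091
. "$HOME/acme_home/acme.sh.env"
# NOTE(review): --upgrade downloads the latest acme.sh over the network and
# replaces the packaged copy installed just above; remove it to stay on the
# distribution-pinned version.
acme.sh --upgrade

# $DOMAINS is intentionally unquoted: one certificate per whitespace-separated
# entry.
for domain in $DOMAINS ; do
  # Issue only when no certificate exists yet. Renewal is not handled here;
  # re-running --issue on a certificate that is not yet due would presumably
  # return non-zero and abort the script under set -e.
  if ! [ -f "certs/$domain/$domain.cer" ] ; then
    # ACMESH_FLAGS is a word-split list of extra options.
    #shellcheck disable=SC2086
    acme.sh $ACMESH_FLAGS \
      --issue \
      --dns dns_aws \
      --challenge-alias "$ACME_DELEGATION_DOMAIN" \
      -d "$domain" -d "*.${domain}"
  fi

  cd "certs/$domain"
  # Checksums are recorded with bare file names: the first two relative to
  # this directory, the later ones relative to /var/www/acme. The plaintext
  # .key is never copied out; only its hash is, so a recipient can check the
  # key it decrypted.
  sha256sum "${domain}.cer" "${domain}.key" \
    > "/var/www/acme/${domain}.sha256sum"
  # The private key leaves $HOME only encrypted to every key in recipients.txt.
  age -e -a -R "$HOME"/recipients.txt "${domain}.key" \
    > "/var/www/acme/${domain}.key.enc"
  cp "${domain}.cer" /var/www/acme/
  cp "fullchain.cer" /var/www/acme/"${domain}".fullchain

  cd /var/www/acme
  sha256sum "${domain}.fullchain" >> "${domain}.sha256sum"
  sha256sum "${domain}.key.enc" >> "${domain}.sha256sum"
  # Best-effort removal of the previous signature before re-signing.
  rm -f "${domain}.sha256sum.sig" || :
  signify -S -m "${domain}.sha256sum" -s "$HOME/sign.sec" \
    -x "${domain}.sha256sum.sig"
  cd "$HOME"
done

# Publish the verification key next to the signatures.
cp sign.pub /var/www/acme/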