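#!/command/with-contenv bash
# shellcheck shell=bash
#
# Container start-up script: prepares the /config tree, requests (or renews)
# a certificate with certbot using the configured PLUGIN, records the exact
# command in /config/renew-list.sh and installs the cron job that re-runs it.
#
# Environment read (none written back to the container):
#   CERT_COUNT, PLUGIN (cloudflare|standalone|webroot), STAGING (true|false),
#   EMAIL, DOMAINS, INTERVAL (cron schedule), GENERATE_DHPARAM (true|...),
#   CLOUDFLARE_TOKEN, PROPOGATION_TIME (the misspelt name is part of the
#   container's interface and is kept), CUSTOM_CA, CUSTOM_CA_SERVER.
#
# NOTE: `set -e` is intentionally NOT enabled. A failed certbot attempt must
# still fall through to the cron installation so the scheduled job can retry,
# which is how the original script behaved.

readonly CONFIG_DIR=/config
readonly SECRETS_DIR="$CONFIG_DIR/.secrets"
readonly LE_DIR="$CONFIG_DIR/letsencrypt"
readonly LOG_DIR="$CONFIG_DIR/logs"
readonly RENEW_LIST="$CONFIG_DIR/renew-list.sh"
readonly CRONTAB_FILE="$CONFIG_DIR/.crontab.txt"
readonly CLOUDFLARE_INI="$SECRETS_DIR/cloudflare.ini"
readonly CUSTOM_CA_DIR="$CONFIG_DIR/custom_ca"
readonly DHPARAM_FILE="$LE_DIR/keys/ssl-dhparams.pem"

# Plugin-independent certbot invocation; filled by single_domain, consumed by
# run_certbot. Kept as an array so no argument is ever re-split by the shell.
BASE_COMMAND=()
# Extra `--server <url>` arguments when a custom CA is configured, else empty.
CUSTOM_CA_SERVER_OPT=()
# Path of the custom CA bundle handed to certbot via REQUESTS_CA_BUNDLE, or
# empty when no custom CA is configured.
CUSTOM_CA_PATH=

#######################################
# Create the directories and files the rest of the script relies on.
# mkdir -p / touch are idempotent, so this is safe on every restart.
# Globals:  SECRETS_DIR, LE_DIR, LOG_DIR, CRONTAB_FILE, RENEW_LIST (read)
# Outputs:  rewrites RENEW_LIST with only its shebang header
#######################################
prepare_config_tree() {
  mkdir -p -- "$SECRETS_DIR" "$LE_DIR/keys" "$LOG_DIR"
  touch -- "$LOG_DIR/renew.log" "$CRONTAB_FILE"
  # Start the renewal list fresh; each certbot run below appends its command.
  # (The original wrote the header to renew-list.sh but the blank line to
  # ".renew-list.sh", leaving a stray dot-file behind - both go to RENEW_LIST.)
  printf '%s\n\n' '#!/command/with-contenv bash' > "$RENEW_LIST"
}

#######################################
# Validate the custom-CA configuration, if any, and populate CUSTOM_CA_PATH
# and CUSTOM_CA_SERVER_OPT. Staging is forced off because the custom server
# is the only endpoint available.
# Globals:  CUSTOM_CA, CUSTOM_CA_SERVER (read); STAGING, CUSTOM_CA_PATH,
#           CUSTOM_CA_SERVER_OPT (written)
# Returns:  0 when no custom CA is configured or it is valid; exits 1 on a
#           misconfiguration.
#######################################
configure_custom_ca() {
  [[ -n "${CUSTOM_CA:-}" ]] || return 0
  echo "Using a custom CA for issuing certificates"
  if [[ ! -d "$CUSTOM_CA_DIR" ]]; then
    mkdir -p -- "$CUSTOM_CA_DIR"
    echo "Please place your custom CA file into /config/custom_ca and restart the container"
    exit 1
  fi
  if [[ -z "$(ls -A "$CUSTOM_CA_DIR")" ]]; then
    echo "The CUSTOM_CA option is populated, but the /config/custom_ca dir is empty. Please place your root certificate in this directory and restart the container"
    exit 1
  fi
  if [[ -z "${CUSTOM_CA_SERVER:-}" ]]; then
    echo "CUSTOM_CA_SERVER has not been defined. It is required for using a custom CA to issue a certificate"
    exit 1
  fi
  CUSTOM_CA_PATH="$CUSTOM_CA_DIR/$CUSTOM_CA"
  # The directory being non-empty does not prove the *named* bundle exists;
  # a missing bundle would otherwise surface as an opaque TLS failure from
  # every certbot request and renewal.
  if [[ ! -f "$CUSTOM_CA_PATH" ]]; then
    echo "CUSTOM_CA is set to '$CUSTOM_CA' but /config/custom_ca/$CUSTOM_CA does not exist"
    exit 1
  fi
  CUSTOM_CA_SERVER_OPT=(--server "$CUSTOM_CA_SERVER")
  # Only override when staging is actually requested. The original tested
  # `[ $STAGING ]`, which is true for the literal value "false" as well and so
  # printed this warning even when nothing was being overridden.
  if [[ "${STAGING:-}" == true ]]; then
    echo "Staging is not supported when using a custom CA, so overriding. To remove this alert, set staging to false."
    STAGING=false
  fi
}

#######################################
# Run certbot once with the plugin-specific arguments and append the same
# command to the renewal list.
# Arguments: $@ - plugin arguments appended to BASE_COMMAND (e.g. --standalone)
# Globals:   BASE_COMMAND, CUSTOM_CA_PATH, STAGING, RENEW_LIST (read)
# Outputs:   appends one line to RENEW_LIST
# Returns:   exits 1 when STAGING is neither "true" nor "false"; certbot's own
#            exit status is deliberately not propagated (see header note)
#######################################
run_certbot() {
  local -a cmd=("${BASE_COMMAND[@]}" "$@")
  case "${STAGING:-}" in
    true)
      echo "Using staging endpoint - THIS SHOULD BE USED FOR TESTING ONLY"
      cmd+=(--staging)
      ;;
    false)
      echo "Using production endpoint"
      ;;
    *)
      echo "Unrecognised option for STAGING variable - check your configuration"
      exit 1
      ;;
  esac
  # The renewal list is an executable script run by cron, so every argument
  # is written shell-quoted (%q). Values that arrive via the environment
  # (EMAIL, DOMAINS, CUSTOM_CA_SERVER, ...) can then never be interpreted as
  # shell syntax when that script runs later; the original interpolated them
  # into the line verbatim.
  local quoted
  printf -v quoted '%q ' "${cmd[@]}"
  if [[ -n "$CUSTOM_CA_PATH" ]]; then
    # Pin certbot's trust store to the custom CA for this run and for the
    # scheduled renewals alike. The original omitted the prefix on the
    # executed cloudflare command but wrote it into the renewal line, so the
    # first issuance and the renewals trusted different CA sets.
    # REQUESTS_CA_BUNDLE is scoped to the single command, not exported.
    REQUESTS_CA_BUNDLE="$CUSTOM_CA_PATH" "${cmd[@]}"
    printf 'REQUESTS_CA_BUNDLE=%q %s\n' "$CUSTOM_CA_PATH" "$quoted" >> "$RENEW_LIST"
  else
    "${cmd[@]}"
    printf '%s\n' "$quoted" >> "$RENEW_LIST"
  fi
  echo "Creation/renewal attempt complete"
}

#######################################
# Issue/renew the certificate for DOMAINS with the selected PLUGIN, generate
# DH parameters when requested and install the renewal cron job.
# Globals:  PLUGIN, EMAIL, DOMAINS, CLOUDFLARE_TOKEN, PROPOGATION_TIME,
#           GENERATE_DHPARAM, INTERVAL (read); BASE_COMMAND (written)
# Returns:  exits 1 on a configuration error
#######################################
single_domain() {
  configure_custom_ca

  BASE_COMMAND=(certbot certonly --non-interactive
    --config-dir "$LE_DIR" --work-dir "$CONFIG_DIR/.tmp" --logs-dir "$LOG_DIR"
    --key-path "$LE_DIR/keys" --expand --agree-tos
    "${CUSTOM_CA_SERVER_OPT[@]}" --email "$EMAIL" -d "$DOMAINS")

  case "${PLUGIN:-}" in
    cloudflare)
      echo "Using Cloudflare plugin"
      # Create the credentials file and restrict it to the owner *before*
      # the API token is written into it. The original created it with the
      # default umask, wrote the token, and only then ran chmod 600, leaving
      # a window in which the secret was readable by other users. The 600
      # mode also stops certbot's "unsafe permissions" warning.
      touch -- "$CLOUDFLARE_INI"
      chmod 600 -- "$CLOUDFLARE_INI"
      if [[ -n "${CLOUDFLARE_TOKEN:-}" ]]; then
        echo "Cloudflare token is present"
        printf 'dns_cloudflare_api_token = %s\n' "$CLOUDFLARE_TOKEN" > "$CLOUDFLARE_INI"
      fi
      if [[ ! -s "$CLOUDFLARE_INI" ]]; then
        echo "cloudflare.ini is empty - please add your Cloudflare credentials or API key before continuing. This can be done as an ENV var, or by editing the file directly"
        exit 1
      fi
      echo "Creating certificates, or attempting to renew if they already exist"
      run_certbot --dns-cloudflare \
        --dns-cloudflare-propagation-seconds "${PROPOGATION_TIME:-}" \
        --dns-cloudflare-credentials "$CLOUDFLARE_INI"
      ;;
    standalone)
      echo "Using HTTP verification via built-in web-server - please ensure port 80 is exposed."
      run_certbot --standalone
      ;;
    webroot)
      echo "Using HTTP verification via webroot - please ensure you have mounted a webroot at /config/webroot from a web-server reachable via the domain you are issuing a certificate for."
      run_certbot --webroot --webroot-path "$CONFIG_DIR/webroot"
      ;;
    *)
      # Consistent with the STAGING handling above: an unusable PLUGIN is a
      # configuration error, so do not go on to install a renewal job that
      # would never issue anything.
      echo "Unrecognised option for PLUGIN variable - check your configuration"
      exit 1
      ;;
  esac

  if [[ "${GENERATE_DHPARAM:-}" == true && ! -s "$DHPARAM_FILE" ]]; then
    echo "Generating Diffie-Hellman keys, saved to /config/letsencrypt/keys"
    openssl dhparam -out "$DHPARAM_FILE" 4096
  fi

  # An empty schedule would produce an unparsable crontab line; fail with a
  # clear message instead of letting `crontab` reject it.
  if [[ -z "${INTERVAL:-}" ]]; then
    echo "INTERVAL has not been defined - it is required to schedule automatic renewal"
    exit 1
  fi
  printf '%s /certbot-renew.sh >> %s\n' "$INTERVAL" "$LOG_DIR/renew.log" > "$CRONTAB_FILE"
  echo "Starting automatic renewal job. Schedule is $INTERVAL"
  crontab "$CRONTAB_FILE"
}

main() {
  prepare_config_tree
  if [[ "${CERT_COUNT:-}" == 1 ]]; then
    single_domain
  fi
}

main "$@"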