#!/bin/bash
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2021 grommunio GmbH

SSL_BUNDLE_T="/etc/grommunio-common/ssl/server-bundle.pem"
SSL_KEY_T="/etc/grommunio-common/ssl/server.key"

selfcert()
{
	echo "Using CN=${FQDN}, SAN=DNS:${FQDN},DNS:autodiscover.${DOMAIN}" >>"${LOGFILE}" 2>&1

	SELFCERT_MSG="\
(Scroll this dialog with the 'j' and 'k' keys)

The certificate validity period starts at $(date).
If any of the clocks of this host, or the client, is inaccurate, the certificate may be flagged for that.

When creating the profile, Outlook will present a dialog similar to:

   ┌──
     X  The security certificate was issued by a
        company you have not chosen to trust.
    ok  The security certificate date is valid
    ok  The security certificate has a valid name

    Do you want to proceed? [Yes/No/View Certificate]
                                                    ──┘

On that dialog, you must choose \"View Certificate\" and explicitly install the self-signed certificate to use it succesfully."

	dialog --no-mouse --colors --cr-wrap --clear \
		--backtitle "grommunio Setup" \
		--title "TLS certificate (self-signed)" \
		--yes-label "Continue" \
		--no-label "Cancel" \
		--yesno "${SELFCERT_MSG}" 0 0
	dialog_exit $?

	openssl req -x509 -new -nodes -out "${SSL_BUNDLE_T}" -keyout "${SSL_KEY_T}" \
		-subj "/CN=${FQDN}" -addext "subjectAltName = DNS:${FQDN}, DNS:autodiscover.${DOMAIN}" >>"${LOGFILE}" 2>&1

	cp -f "${SSL_BUNDLE_T}" "/etc/pki/trust/anchors/"
	update-ca-certificates
}

fullca()
{
	export SSL_COUNTRY SSL_STATE SSL_LOCALITY SSL_ORG SSL_OU SSL_EMAIL SSL_PASS SSL_DAYS
	export FQDN DOMAIN SSL_BUNDLE_T SSL_KEY_T
	if ! "$DATADIR/common/fullca.sh" >>"${LOGFILE}" 2>&1; then
		echo "Certificate generation was not successful. Check "${LOGFILE}"."
		return 1
	fi
	return 0
	cp -f "${SSL_BUNDLE_T}" "/etc/pki/trust/anchors/"
	update-ca-certificates
}

owncert()
{
	if [ -z "${SSL_BUNDLE}" ] || [ -z "${SSL_KEY}" ] ; then
		echo "TLS certificate and/or key not provided."
		return 1
	fi
	cp -f "${SSL_BUNDLE}" "${SSL_BUNDLE_T}"
	cp -f "${SSL_KEY}" "${SSL_KEY_T}"
	cp -f "${SSL_BUNDLE_T}" "/etc/pki/trust/anchors/"
	update-ca-certificates
	return 0
}

letsencrypt()
{
	progress 0
	zypper install -y python3-certbot python3-certbot-nginx nginx >>"${LOGFILE}" 2>&1
	progress 60
	{
		firewall-cmd --add-port=80/tcp --zone=public --permanent
		firewall-cmd --add-service=https --zone=public --permanent
		firewall-cmd --reload
	} >>"${LOGFILE}" 2>&1

	[ -e "/etc/nginx/conf.d/grommunio.conf" ] && mv "/etc/nginx/conf.d/grommunio.conf" "/etc/nginx/conf.d/grommunio.conf.grommunio-setup"

	systemctl stop nginx >>"${LOGFILE}" 2>&1
	progress 75
	certbot certonly -n --standalone --agree-tos \
		--preferred-challenges http \
		--cert-name="${FQDN}" \
		-d "${SSL_DOMAINS}" \
		-m "${SSL_EMAIL}" >>"${LOGFILE}" 2>&1

	if [ "$?" != "0" ]; then
		dialog --no-mouse --colors --cr-wrap --clear --backtitle "grommunio Setup" \
		       --title "TLS certificate (Let's Encrypt)" \
		       --yes-label "OK" --no-label "Exit" --defaultno \
		       --yesno "It seems the Let's Encrypt certificate could not be generated correctly. Verify the generation of the certificate under /var/log/letsencrypt and re-run.\nThe command used to generate the certificates:\n\ncertbot certonly -n --standalone --agree-tos --preferred-challenges http --cert-name=\"${FQDN}\" -d \"${SSL_DOMAINS}\" -m \"${SSL_EMAIL}\"\n\nAlternatively, re-run grommunio-setup to run through the process again." 0 0
		dialog_exit $?
	fi

	progress 95

	[ -e "/etc/nginx/conf.d/grommunio.conf.grommunio-setup" ] && mv "/etc/nginx/conf.d/grommunio.conf.grommunio-setup" "/etc/nginx/conf.d/grommunio.conf"

	cat "/etc/letsencrypt/live/${FQDN}/cert.pem" "/etc/letsencrypt/live/${FQDN}/fullchain.pem" > "${SSL_BUNDLE_T}"
	cp -f "/etc/letsencrypt/live/${FQDN}/privkey.pem" "${SSL_KEY_T}"

	{
		systemctl enable grommunio-certbot-renew.timer
		systemctl start grommunio-certbot-renew.timer
	} >>"${LOGFILE}" 2>&1
}
