set -e 

force=$1

function safe_copy () {
    if [ ! -f /etc/yunohost/installed ]; then
        sudo cp $1 $2
    else
        if [ $force ]; then
            sudo yunohost service safecopy \
              -s ssl $1 $2 --force
        else
            sudo yunohost service safecopy \
              -s ssl $1 $2
        fi
    fi
}

cd /usr/share/yunohost/templates/ssl
ssl_dir=/usr/share/yunohost/yunohost-config/ssl/yunoCA

sudo mkdir -p /etc/yunohost/certs/yunohost.org
sudo mkdir -p $ssl_dir/{ca,certs,crl,newcerts}

safe_copy openssl.cnf $ssl_dir/openssl.cnf

[ -f $ssl_dir/serial ] \
  || (echo "00" | sudo tee $ssl_dir/serial)

[ -f $ssl_dir/index.txt ] \
  || sudo touch $ssl_dir/index.txt

if [ ! -f /etc/yunohost/certs/yunohost.org/ca.pem ]; then
    sudo openssl req -x509 -new -config $ssl_dir/openssl.cnf \
      -days 3650 -out $ssl_dir/ca/cacert.pem \
      -keyout $ssl_dir/ca/cakey.pem -nodes -batch
    sudo cp $ssl_dir/ca/cacert.pem \
      /etc/yunohost/certs/yunohost.org/ca.pem
    sudo ln -sf /etc/yunohost/certs/yunohost.org/ca.pem \
      /etc/ssl/certs/ca-yunohost_crt.pem
    sudo update-ca-certificates
fi

if [ ! -f /etc/yunohost/certs/yunohost.org/crt.pem ]; then
    sudo openssl req -new -config $ssl_dir/openssl.cnf \
      -days 730 -out $ssl_dir/certs/yunohost_csr.pem \
      -keyout $ssl_dir/certs/yunohost_key.pem -nodes -batch 
    sudo openssl ca -config $ssl_dir/openssl.cnf \
      -days 730 -in $ssl_dir/certs/yunohost_csr.pem \
      -out $ssl_dir/certs/yunohost_crt.pem -batch

    last_cert=$(ls $ssl_dir/newcerts/*.pem | sort -V | tail -n 1)
    sudo chmod 640 $ssl_dir/certs/yunohost_key.pem
    sudo chmod 640 $last_cert

    sudo cp $ssl_dir/certs/yunohost_key.pem \
      /etc/yunohost/certs/yunohost.org/key.pem
    sudo cp $last_cert \
      /etc/yunohost/certs/yunohost.org/crt.pem
    sudo ln -sf /etc/yunohost/certs/yunohost.org/crt.pem \
      /etc/ssl/certs/yunohost_crt.pem
    sudo ln -sf /etc/yunohost/certs/yunohost.org/key.pem \
      /etc/ssl/private/yunohost_key.pem
fi