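#!/usr/bin/env bash
# Generate Pi-Kit TLS CA + server cert if missing (idempotent).
#
# Files:
#   $CERT_DIR   - CA key/cert and server key/cert; dir is 750, keys 640,
#                 certs 644, everything group-owned by $CERT_GROUP.
#   $WEB_ASSETS - public copy of the CA cert (pikit-ca.crt) and its SHA-256
#                 (pikit-ca.sha256) so clients can fetch and verify the root.
#
# Exit status: 0 on success (including "already present, nothing to do"),
# 1 when openssl is missing; any other failing command aborts via set -e.
#
# Paths and cert parameters can be overridden through the environment
# (PIKIT_CERT_DIR, PIKIT_WEB_ASSETS, PIKIT_KEY_BITS, PIKIT_CA_DAYS,
# PIKIT_SRV_DAYS); the defaults are the original hard-coded values.
set -euo pipefail

CERT_DIR="${PIKIT_CERT_DIR:-/etc/pikit/certs}"
WEB_ASSETS="${PIKIT_WEB_ASSETS:-/var/www/pikit-web/assets}"
CA_CRT="$CERT_DIR/pikit-ca.crt"
CA_KEY="$CERT_DIR/pikit-ca.key"
CA_SRL="$CERT_DIR/pikit-ca.srl"
SRV_KEY="$CERT_DIR/pikit.local.key"
SRV_CRT="$CERT_DIR/pikit.local.crt"
SRV_CSR="$CERT_DIR/pikit.local.csr"
CERT_GROUP="pikit-cert"
KEY_BITS="${PIKIT_KEY_BITS:-2048}"
CA_DAYS="${PIKIT_CA_DAYS:-3650}"
SRV_DAYS="${PIKIT_SRV_DAYS:-825}"
readonly CERT_DIR WEB_ASSETS CA_CRT CA_KEY CA_SRL SRV_KEY SRV_CRT SRV_CSR
readonly CERT_GROUP KEY_BITS CA_DAYS SRV_DAYS

# Temp file for the server-cert extensions; set later, removed by the EXIT trap.
SAN_CFG=""

#######################################
# Print a tagged message to stdout.
# Arguments: message words
#######################################
log() {
  printf '[pikit-certgen] %s\n' "$*"
}

#######################################
# Remove the temporary extension file, whichever way the script exits.
# Globals: SAN_CFG (read)
#######################################
cleanup() {
  if [ -n "$SAN_CFG" ]; then
    rm -f -- "$SAN_CFG"
  fi
}
trap cleanup EXIT

#######################################
# Write the SHA-256 of the published CA cert next to it, so clients can
# cross-check the download. Prefers sha256sum, falls back to openssl dgst;
# silently does nothing if neither tool is present or the cert is missing.
# Globals: WEB_ASSETS (read)
# Outputs: $WEB_ASSETS/pikit-ca.sha256 (mode 644)
#######################################
write_ca_hash() {
  local crt="$WEB_ASSETS/pikit-ca.crt"
  local sum="$WEB_ASSETS/pikit-ca.sha256"
  if [ ! -s "$crt" ]; then
    return 0
  fi
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$crt" | awk '{print $1}' > "$sum"
  elif command -v openssl >/dev/null 2>&1; then
    # "openssl dgst" prints "SHA256(file)= <hex>", so the digest is field 2.
    openssl dgst -sha256 "$crt" | awk '{print $2}' > "$sum"
  fi
  if [ -s "$sum" ]; then
    # The hash is public data; the umask may have created it 600.
    chmod 644 "$sum"
  fi
}

#######################################
# Create the cert group if needed and add the service accounts that must
# read the server key/cert. Missing users are skipped; failures are
# non-fatal so a partially configured system still gets its certs.
# Globals: CERT_GROUP (read)
#######################################
ensure_group() {
  local u
  if ! getent group "$CERT_GROUP" >/dev/null 2>&1; then
    groupadd "$CERT_GROUP" || true
  fi
  for u in www-data dietpi-dashboard-frontend; do
    if id -u "$u" >/dev/null 2>&1; then
      usermod -a -G "$CERT_GROUP" "$u" || true
    fi
  done
}

#######################################
# Apply the intended ownership and modes to the cert directory and files:
# dir 750, private keys 640, certificates 644, all group $CERT_GROUP.
# Files that do not exist are skipped; the function always returns 0 so a
# missing file cannot trip set -e in the caller.
# Globals: CERT_DIR CA_CRT CA_KEY SRV_CRT SRV_KEY CERT_GROUP (read)
#######################################
fix_perms() {
  local f
  ensure_group
  if [ -d "$CERT_DIR" ]; then
    chgrp "$CERT_GROUP" "$CERT_DIR" || true
    chmod 750 "$CERT_DIR" || true
  fi
  for f in "$CA_CRT" "$CA_KEY" "$SRV_CRT" "$SRV_KEY"; do
    if [ -e "$f" ]; then
      chgrp "$CERT_GROUP" "$f" || true
    fi
  done
  # NOTE(review): the CA key is group-readable (640), i.e. readable by every
  # member of $CERT_GROUP including www-data. Only this script needs it for
  # signing; if no other process in that group signs certificates, 600
  # (root only) would be the least-privilege choice — confirm before changing.
  for f in "$CA_KEY" "$SRV_KEY"; do
    if [ -e "$f" ]; then
      chmod 640 "$f"
    fi
  done
  for f in "$CA_CRT" "$SRV_CRT"; do
    if [ -e "$f" ]; then
      chmod 644 "$f"
    fi
  done
  return 0
}

# Fast path: everything exists, just make sure the public copy, its hash and
# the permissions are in place.
if [ -s "$CA_CRT" ] && [ -s "$CA_KEY" ] && [ -s "$SRV_KEY" ] && [ -s "$SRV_CRT" ]; then
  mkdir -p "$WEB_ASSETS"
  if [ ! -s "$WEB_ASSETS/pikit-ca.crt" ]; then
    cp "$CA_CRT" "$WEB_ASSETS/pikit-ca.crt"
    chmod 644 "$WEB_ASSETS/pikit-ca.crt"
    log "Copied CA to web assets."
  fi
  write_ca_hash
  fix_perms
  log "TLS certs already present; skipping generation."
  exit 0
fi

if ! command -v openssl >/dev/null 2>&1; then
  log "openssl not installed; cannot generate certs."
  exit 1
fi

log "Generating TLS certs..."
mkdir -p "$CERT_DIR" "$WEB_ASSETS"
ensure_group
chgrp "$CERT_GROUP" "$CERT_DIR" || true
chmod 750 "$CERT_DIR"
# Any leftover from a previous (possibly partial) run is regenerated from scratch.
rm -f "$CA_KEY" "$CA_CRT" "$CA_SRL" "$SRV_KEY" "$SRV_CRT" "$SRV_CSR" || true

# openssl creates its output files with the process umask, so without this
# the private keys would briefly be world-readable until fix_perms runs.
# Every file that has to stay public is chmod 644 explicitly below.
umask 077

openssl genrsa -out "$CA_KEY" "$KEY_BITS"
openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days "$CA_DAYS" \
  -out "$CA_CRT" -subj "/CN=Pi-Kit CA"

openssl genrsa -out "$SRV_KEY" "$KEY_BITS"
openssl req -new -key "$SRV_KEY" -out "$SRV_CSR" -subj "/CN=pikit.local"

# Server-cert extensions: leaf (not CA), TLS key usage, and the SANs clients
# actually connect to. Quoted heredoc: nothing inside is expanded.
SAN_CFG=$(mktemp)
cat > "$SAN_CFG" <<'CFG'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = pikit.local
DNS.2 = pikit
CFG

openssl x509 -req -in "$SRV_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
  -CAcreateserial -out "$SRV_CRT" -days "$SRV_DAYS" -sha256 -extfile "$SAN_CFG"
rm -f -- "$SRV_CSR"

fix_perms

# Publish the CA certificate (public data) for clients to install/verify.
cp "$CA_CRT" "$WEB_ASSETS/pikit-ca.crt"
chmod 644 "$WEB_ASSETS/pikit-ca.crt"
write_ca_hash
log "TLS certs generated."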