#!/usr/bin/env bash

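# Obtain a certificate for DOMAIN plus *.DOMAIN via the ACME dns-01 challenge
# using a freshly cloned dehydrated, then copy cert + chain into a BundleWrap
# repository and store the private key in its vault.
#
# Usage: $0 <domain>     (pass "example.com"; the "*." is added here)
#
# Environment:
#   BW_REPO_PATH        BundleWrap repository, defaults to $PWD. Exported
#                       because the script cd's into a temp dir.
#   DEHYDRATED_VERSION  git tag/ref of dehydrated to run; defaults to the
#                       newest tag. The code is fetched over the network and
#                       executed without signature verification — pin it.
#
# The operator is prompted to publish the _acme-challenge TXT records by hand;
# there is no automatic propagation check.

set -euo pipefail

die() {
    printf '%s\n' "$*" >&2
    exit 1
}

if [[ -z "${1-}" ]] || [[ "$1" == '--help' ]]
then
    echo "Usage: $0 <wildcard-domain>"
    echo "  e.g. example.com -- the certificate covers example.com and *.example.com"
    exit 1
fi

domain=$1
certalias="_.$1"

# The domain ends up in dehydrated's argv, in file names, and inside a Python
# string literal passed to `bw debug -c` below. Accept only a plain hostname:
# dot-separated labels of [A-Za-z0-9-], no leading '-' (option smuggling),
# no quotes or slashes, and no '*' (a "*.example.com" argument is a usage
# error since the wildcard is added here).
hostname_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
if [[ ! "$domain" =~ $hostname_re ]]
then
    die "Invalid domain '$domain': give the base domain, e.g. example.com (the *. is added automatically)"
fi

tmpdir=$(mktemp -d) || die "mktemp failed"
# mktemp -d creates the directory 0700, so the ACME account key and the
# certificate's private key written below are readable by this user only.
# Cleanup is a plain unlink, not a secure wipe.
cleanup() {
    cd /
    rm -rf -- "${tmpdir:?}"
}
trap cleanup EXIT

# bw has to find the repository even though we leave $PWD.
export BW_REPO_PATH="${BW_REPO_PATH:-$PWD}"

# Resolve the BundleWrap repo before talking to the CA: a broken bw setup
# should fail here, not after a (rate-limited) certificate was issued.
bw_repo=$(bw debug -c 'print(repo.path)') || die "could not determine BundleWrap repo path via bw"
[[ -d "$bw_repo/data/ssl" ]] || die "missing directory: $bw_repo/data/ssl"

cd -- "$tmpdir"
git clone https://github.com/dehydrated-io/dehydrated.git
cd dehydrated
# Newest tag unless pinned by the caller. NOTE(review): the ref is not
# signature-verified; if the project signs its tags, add `git verify-tag`.
dehydrated_ref="${DEHYDRATED_VERSION:-$(git describe --tags --abbrev=0)}"
git checkout "$dehydrated_ref"
printf 'Using dehydrated %s (%s)\n' "$dehydrated_ref" "$(git rev-parse HEAD)"

# dehydrated sources this file as shell, hence the quoting of the paths.
cat >config <<EOF
BASEDIR="$tmpdir"
KEYSIZE=4096
HOOK="$tmpdir/dehydrated/hook"
RENEW_DAYS=90
CHALLENGETYPE=dns-01
EOF

# Hook run by dehydrated; only deploy_challenge is handled. It prints the
# TXT record the operator must publish and blocks until ENTER is hit. The
# hook is invoked per challenge, so for <domain> and *.<domain> two records
# with the same owner name _acme-challenge.<domain> must coexist (see the
# banner below). It does NOT verify that the record resolves — the operator
# must check propagation before confirming.
cat >hook <<"EOF"
#!/usr/bin/env bash

if [[ "$1" == 'deploy_challenge' ]]
then
    domain=$2
    token_value=$4
    # Highlighting is cosmetic; don't fail on a terminal without it.
    bold=$(tput bold 2>/dev/null || true)
    normal=$(tput sgr0 2>/dev/null || true)

    echo
    echo You must now provide this DNS record:
    echo "${bold}_acme-challenge.$domain. IN TXT $token_value$normal"
    echo
    echo "Hit ENTER once it's available."
    read -r
fi
EOF
chmod +x hook

cat <<EOF

You will soon be asked to create several DNS records.
$(tput bold)Please create all of them. The second one does NOT replace
the first one.$(tput sgr0)

EOF

# Every run registers a brand-new ACME account in the throw-away BASEDIR; the
# account key is discarded with the temp dir. NOTE(review): CAs rate-limit
# account creation and issuance — do not loop this script.
./dehydrated --register --accept-terms -f config
./dehydrated -c -d "$domain" --alias "$certalias" -d "*.$domain" -f config

cd -- "$tmpdir/certs/$certalias"

echo
echo Copying final files:
echo
# Existing files for this alias in the repo are overwritten (renewal case).
cp -v cert.pem "$bw_repo/data/ssl/$certalias.crt.pem"
cp -v chain.pem "$bw_repo/data/ssl/$certalias.crt_intermediate.pem"

echo "Encrypting private key via bw ..."
# $certalias passed the hostname check above and $tmpdir comes from mktemp
# (assumes a sane TMPDIR), so neither can break out of the Python literals.
bw debug -c "repo.vault.encrypt_file('$tmpdir/certs/$certalias/privkey.pem', 'ssl/$certalias.key.pem.vault')"

echo
echo "Certificate and key created."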