#!/bin/sh


help () {
    echo "
    usage: $(basename $0) [--unsafe-passwords] <topdomain>

    Init standalone installation for Puavo development.

    --unsafe-passwords Set unsafe passwords for development.

    This script does following:
        - Create certificates using the given topdomain and copies them to
          /etc/ssl/certs for slapd.
        - Set fqdn to point localhost
        - Configure LDAP client
        - Configure rng-tools-debian
    "
}


set -eu

use_unsafe_passwords=false
if [ "${1:-}" = "--unsafe-passwords" ]; then
    use_unsafe_passwords=true
    shift
fi

[ "${1:-}" = "--help" -o "${1:-}" = "-h" ] && help && exit
[ "${1:-}" = "" ] && help && exit 1

topdomain="$1"

unsafe_password="password"
hostname=$(hostname)
puavo_certificates_dir=/etc/puavo-ca/certificates
system_certdir=/etc/ssl/certs

mkdir -p /etc/puavo/kerberos

echo "Writing topdomain with kerberos to /etc/puavo"
echo "$topdomain" > /etc/puavo/topdomain
echo "$topdomain" | tr '[:lower:]' '[:upper:]' > /etc/puavo/kerberos/toprealm


if $use_unsafe_passwords; then
    mkdir -p /etc/puavo/ldap
    echo "uid=admin,o=puavo" > /etc/puavo/ldap/dn
    echo "$unsafe_password" >  /etc/puavo/ldap/password
    echo $( hostname -f ) > /etc/puavo/ldap/master

    mkdir -p /etc/puavo/ds/puavo
    echo "uid=puavo,o=puavo" > /etc/puavo/ds/puavo/dn
    echo "$unsafe_password" > /etc/puavo/ds/puavo/password

    mkdir -p /etc/puavo/ds/slave
    echo "uid=slave,o=puavo" > /etc/puavo/ds/slave/dn
    echo "$unsafe_password" > /etc/puavo/ds/slave/password

    mkdir -p /etc/puavo/ds/kadmin
    echo "uid=kadmin,o=puavo" > /etc/puavo/ds/kadmin/dn
    echo "$unsafe_password" > /etc/puavo/ds/kadmin/password

    mkdir -p /etc/puavo/ds/monitor
    echo "uid=monitor,o=puavo" > /etc/puavo/ds/monitor/dn
    echo "$unsafe_password" > /etc/puavo/ds/monitor/password

    mkdir -p /etc/puavo/ds/kdc
    echo "uid=kdc,o=puavo" > /etc/puavo/ds/kdc/dn
    echo "$unsafe_password" > /etc/puavo/ds/kdc/password

    mkdir -p /etc/puavo/ds/pw-mgmt
    echo "uid=pw-mgmt,o=puavo" > /etc/puavo/ds/pw-mgmt/dn
    echo "$unsafe_password" > /etc/puavo/ds/pw-mgmt/password

    mkdir -p /etc/puavo/ds/statistics
    echo "uid=statistics,o=puavo" > /etc/puavo/ds/statistics/dn
    echo "$unsafe_password" > /etc/puavo/ds/statistics/password

    mkdir -p /etc/puavo/ds/cert-mgmt
    echo "uid=cert-mgmt,o=puavo" > /etc/puavo/ds/cert-mgmt/dn
    echo "$unsafe_password" > /etc/puavo/ds/cert-mgmt/password

    mkdir -p /etc/puavo/ds/email-mgmt
    echo "uid=email-mgmt,o=puavo" > /etc/puavo/ds/email-mgmt/dn
    echo "$unsafe_password" > /etc/puavo/ds/email-mgmt/password

    mkdir -p /etc/puavo/ds/examomatic
    echo "uid=examomatic,o=puavo" > /etc/puavo/ds/examomatic/dn
    echo "$unsafe_password" > /etc/puavo/ds/examomatic/password

    mkdir -p /etc/puavo/ds/mfa-mgmt
    echo "uid=mfa-mgmt,o=puavo" > /etc/puavo/ds/mfa-mgmt/dn
    echo "$unsafe_password" > /etc/puavo/ds/mfa-mgmt/password
fi

for certchain_dir in ${puavo_certificates_dir}/*; do
  if [ -d "$certchain_dir" ]; then
    echo 'A certificate chain already exists, aborting...' >&2
    exit 1
  fi
done

echo 'Making a new certificate chain'
puavo-make-new-ca-chain 20191001
echo 'Making another certificate chain'
puavo-make-new-ca-chain
for certchain_dir in ${puavo_certificates_dir}/*; do
  cat <<'EOF' > "${certchain_dir}/organisations/LIST"
example
hogwarts
EOF

  echo "$hostname" > "${certchain_dir}/servers/SERVERLIST"

  cd "$certchain_dir"

  if $use_unsafe_passwords; then
    make ROOT_PASS=$unsafe_password SERVER_PASS=$unsafe_password
  else
    make
  fi

  echo "Certificates generated at ${certchain_dir}. Copying them for slapd..."
  install -v -m 640 -g openldap \
         "${certchain_dir}/servers/${hostname}.${topdomain}.key" \
         "${system_certdir}/slapd-server.key"
  install -v -m 644 -g openldap \
          "${certchain_dir}/servers/${hostname}.${topdomain}.crt" \
	  "${system_certdir}/slapd-server.crt"
  install -v -m 644 -g openldap \
          "${certchain_dir}/servers/ca.servers.${topdomain}-bundle.pem" \
	  "${system_certdir}/slapd-ca.crt"
  install -v -m 644 -g openldap \
          "${certchain_dir}/rootca/ca.${topdomain}.crt" \
	  "${system_certdir}/ca.${topdomain}.crt"

  cat <<EOF > /etc/puavo-ca-rails/puavo.yml
certdirpath: ${puavo_certificates_dir}
default_certchain_version: ${certchain_dir##*/}
ldap_server:
EOF
done

echo "Setting up rng-tools-debian for puavo-ds"
# Often entropy for randomness is lacking on virtual machines which might cause
# puavo-add-new-organisation to timeout. This can be worked around with
# rng-tools-debian
echo "HRNGDEVICE=/dev/urandom" > /etc/default/rng-tools-debian
/etc/init.d/rng-tools-debian restart

# Write fqdn
cat > /etc/hosts <<EOF
127.0.0.1 $hostname.$topdomain $hostname localhost
EOF


echo "Writing LDAP client config /etc/ldap/ldap.conf"
cat >/etc/ldap/ldap.conf <<EOF
SASL_MECH   GSSAPI
TLS_CACERT  ${system_certdir}/ca.${topdomain}.crt
TLS_REQCERT demand
EOF

echo "Initializing slapd"
if $use_unsafe_passwords; then
  puavo-init-ldap --AUTO-YES --save-admin-password
else
  puavo-init-ldap --save-admin-password
fi

# This initializes the puavo-ca production database.
puavo-ca-rails-migrate

# This initializes the puavo-ca test database.
cd /var/app/puavo-ca-rails
sudo -u puavo RAILS_ENV=test bundle exec rake db:migrate
service puavo-ca-rails restart

echo "Standalone init ok!"

