#!/usr/bin/env nix
#! nix shell nixpkgs#openssl nixpkgs#gnutls nixpkgs#dash --command dash

# For a public or production server, purchase a cert from a known CA, and skip
# the next step.

# For development, testing and personal server management, create a CA key and
# cert, and use that to generate a server key and cert.  Creates:
#   ca.key.pem
#   ca.cert.pem
#   server.key.pem
#   server.cert.pem

GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs"
BASEDIR="$(dirname "$0")"
cd "$BASEDIR" || {
    echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
    exit 1
}

ca=false
crl=false
clients=false

for arg in "$@"; do
    case "$arg" in
    "--ca")
        ca=true
        ;;
    "--crl")
        crl=true
        ;;
    "--clients")
        clients=true
        ;;
    esac
done

# `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the
# second-to last line
set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem

mkdir --parents "$GENERATION_LOCATION"
cp "$@" ./ca.cert.pem "$GENERATION_LOCATION"
cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2

gpg --decrypt ca.key.pem.gpg >ca.key.pem

[ "$ca" = true ] && ./generate.ca
cat ./isrgrootx1.pem >>./ca.cert.pem

# Generate a certificate revocation list (CRL).  The initial CRL is empty, but
# can grow over time.  Creates:
#   server.crl.pem

[ "$crl" = true ] && ./generate.crl

# The above is sufficient to operate a server. You now need to run a client cert creation
# process per client; Add the required client names and uncomment
# ./generate.client <client_name>
#
#
# Creates:
#   <client_name>.key.pem
#   <client_name>.cert.pem
#
[ "$clients" = true ] && ./generate.client soispha
[ "$clients" = true ] && ./generate.client android-mobile
[ "$clients" = true ] && ./generate.client android-tab

rm "$@" "./ca.key.pem"
echo "(INFO) Look for the keys at: $GENERATION_LOCATION"

# vim: ft=sh