#!/usr/bin/env bash
# Created: 20170304 - Updated: 20250407
# Copyright (C) 1995-2025 Mark Constable <markc@renta.net> (AGPL-3.0)
# Depends on nginx and DNS already resolving to requested domains

# TODO: change to acme.sh as a foundation instead of dehydrated
# TODO: add [all|domain] args and change name to "updatessl"

[[ $1 =~ -h ]] && echo "Usage: allssl [--force]" && exit 1

[[ $DEBUG ]] && set -x

LECFG=/etc/dehydrated
C_SSL=/etc/ssl
AHOST=$(hostname -f | tr 'A-Z' 'a-z')

[[ -n $1 && $1 == 'force' ]] && FORCE="--force" || FORCE=""

[[ ! -d $LECFG ]] && echo "ERROR: install dehydrated!" && exit 1

cd $LECFG

git pull

ALL=$(/bin/ls -1 $C_SSL/*/fullchain.pem)

for i in $ALL; do
    ALTCN=$(openssl x509 -noout -text -in $i | awk -F' DNS:' '/DNS:/ {print $2$3$4$5$6}')
    VHOST=$(basename $(dirname $i))
    WPATH=/home/u/$AHOST/var/www/html
    VACME=$WPATH/.well-known/acme-challenge

    if [[ ! -d $VACME ]]; then
        mkdir -p $VACME
        chown $(stat -c "%u:%g" $WPATH) -R $WPATH/.well-known
    fi

    echo "WELLKNOWN=$VACME" >config

    D=""
    for A in ${ALTCN//,/ }; do [[ $A != $VHOST ]] && D="$D -d $A"; done

    ./dehydrated -c -d $VHOST $D $FORCE

    sleep 2
done

[[ -d /etc/nginx ]] && ~/.sh/bin/serva reload web
[[ -d /etc/postfix ]] && ~/.sh/bin/serva reload mail

[[ $DEBUG ]] && set -x