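#!/usr/bin/env sh
set -eu

# Create temporary self-signed certificates for domains whose certificate files
# are missing. Existing real certificates are never overwritten.
#
# Environment:
#   DOMAINS    (required) whitespace-separated list of domain names.
#   CERT_ROOT  (optional) certificate root, default ./certs/live; a relative
#              value is resolved against the parent of this script's directory.
#
# Output:
#   stdout  one line per domain that has a dummy certificate after this run
#           (newly created or reused).
#   stderr  progress and error messages.
#
# A dummy certificate is identified by the marker file .dummy-init-certs in the
# domain's directory. Certificate files without that marker are treated as real
# and are never modified or removed.

ROOT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")/.." && pwd)"
CERT_ROOT="${CERT_ROOT:-./certs/live}"

# Print a diagnostic line on stderr so stdout carries only the domain list.
log() {
  printf '%s\n' "$*" >&2
}

cd "$ROOT_DIR"

if [ -z "${DOMAINS:-}" ]; then
  log "Error: DOMAINS is required."
  exit 1
fi

if ! command -v openssl >/dev/null 2>&1; then
  log "Error: openssl is required."
  exit 1
fi

# DOMAINS is split on whitespace on purpose, but its entries must not be
# glob-expanded against the working directory (e.g. "*.example.com").
set -f

for domain in $DOMAINS; do
  # Each entry becomes a directory name under CERT_ROOT and the CN of the
  # certificate subject. A "/" would leave the per-domain directory and add
  # extra fields to the -subj string; "." and ".." name CERT_ROOT itself or
  # its parent. Reject them before anything is created or removed.
  case "$domain" in
    . | .. | */*)
      log "Error: invalid domain name in DOMAINS: $domain"
      exit 1
      ;;
  esac

  cert_dir="$CERT_ROOT/$domain"
  cert_file="$cert_dir/fullchain.pem"
  key_file="$cert_dir/privkey.pem"
  marker_file="$cert_dir/.dummy-init-certs"
  tmp_cert_file="$cert_file.tmp"
  tmp_key_file="$key_file.tmp"

  mkdir -p "$cert_dir"

  # Complete pair present: reuse it if it is ours, otherwise leave it alone.
  if [ -f "$cert_file" ] && [ -f "$key_file" ]; then
    if [ -f "$marker_file" ]; then
      log "Reusing existing dummy certificate: $domain"
      printf '%s\n' "$domain"
      continue
    fi

    log "Skipping existing real certificate: $domain"
    continue
  fi

  # Exactly one of the two files present: only clean up when the marker shows
  # the leftovers came from an interrupted dummy run; never delete files that
  # may belong to a real certificate.
  if [ -f "$cert_file" ] || [ -f "$key_file" ]; then
    if [ -f "$marker_file" ]; then
      log "Cleaning incomplete dummy certificate: $domain"
      rm -f "$cert_file" "$key_file" "$marker_file" "$tmp_cert_file" "$tmp_key_file"
    else
      log "Error: incomplete certificate files exist for $domain: $cert_dir"
      exit 1
    fi
  fi

  if [ ! -f "$cert_file" ] && [ ! -f "$key_file" ]; then
    rm -f "$tmp_cert_file" "$tmp_key_file"

    # The marker is written before the key and certificate so that a run
    # interrupted part-way is recognised as dummy state and cleaned next time.
    : > "$marker_file"

    log "Creating dummy certificate: $domain"

    # -nodes leaves the private key unencrypted; the certificate is valid for
    # one day. Output goes to .tmp names and is moved into place afterwards so
    # the final paths never hold a partially written file.
    # NOTE(review): the mode of privkey.pem is whatever openssl and the current
    # umask produce - confirm it is not group/world-readable.
    if ! openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
      -keyout "$tmp_key_file" \
      -out "$tmp_cert_file" \
      -subj "/CN=$domain"; then
      rm -f "$tmp_cert_file" "$tmp_key_file" "$marker_file"
      exit 1
    fi

    mv -f "$tmp_key_file" "$key_file"
    mv -f "$tmp_cert_file" "$cert_file"
    printf '%s\n' "$domain"
  fi
done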