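#!/usr/bin/env bash
# Install a renewed TLS certificate into the Prosody container and reload it.
#
# Run as root from the host. The fullchain and private key are concatenated
# on the host and piped through the `code` user into the Prosody container
# via podman exec. Inside the container the material is written under a
# restrictive umask to a temporary file, given prosody ownership and mode
# 0600, and only then renamed over the live file, so Prosody never reloads a
# partially written certificate and the key is never briefly world-readable.
#
# Environment (all optional):
#   DOMAIN                  acme.sh domain directory (default: zm.is)
#   GIA_STACK_ID / STACK_ID suffix for the default container name
#   PROSODY_CONTAINER       container name (default: prosody_gia[_<STACK_ID>])
#   FULLCHAIN_PATH          host path of the chain (default: acme.sh location)
#   KEY_PATH                host path of the private key (default: acme.sh location)
#   CERT_PATH_IN_CONTAINER  destination path inside the container
set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Reduce a stack id to the charset [A-Za-z0-9._-]: every other run of
# characters collapses to a single '-', and leading/trailing '-' are trimmed.
# printf instead of echo so an id such as "-n" is not eaten as an option.
sanitize_stack_id() {
  printf '%s' "$1" | tr -cs 'a-zA-Z0-9._-' '-' | sed 's/^-*//; s/-*$//'
}

# Abort unless value $2 matches the extended regex $3; $1 is the variable
# name used in the error message. The values checked here are spliced into a
# command string that is parsed by `su -c` and then again by `sh -lc` inside
# the container, so they are limited to characters that need no quoting at
# either level.
require_match() {
  local name=$1 value=$2 pattern=$3
  [[ "$value" =~ $pattern ]] \
    || die "Refusing unsafe value for ${name}: ${value}"
}

main() {
  local domain stack_id container_default container
  local fullchain_path key_path cert_path install_cmd

  domain="${DOMAIN:-zm.is}"
  stack_id="$(sanitize_stack_id "${GIA_STACK_ID:-${STACK_ID:-}}")"
  if [[ -n "$stack_id" ]]; then
    container_default="prosody_gia_${stack_id}"
  else
    container_default="prosody_gia"
  fi
  container="${PROSODY_CONTAINER:-$container_default}"
  fullchain_path="${FULLCHAIN_PATH:-/root/.acme.sh/${domain}/fullchain.cer}"
  key_path="${KEY_PATH:-/root/.acme.sh/${domain}/${domain}.key}"
  cert_path="${CERT_PATH_IN_CONTAINER:-/etc/prosody/certs/cert.pem}"

  [[ "$(id -u)" -eq 0 ]] || die "This script must run as root."
  [[ -r "$fullchain_path" ]] \
    || die "Missing or unreadable fullchain: $fullchain_path"
  [[ -r "$key_path" ]] || die "Missing or unreadable key: $key_path"

  # Only the derived default name was sanitized above; an explicit
  # PROSODY_CONTAINER or CERT_PATH_IN_CONTAINER arrives unchecked from the
  # environment, so allowlist both before building the nested command line.
  require_match PROSODY_CONTAINER "$container" '^[A-Za-z0-9][A-Za-z0-9._-]*$'
  require_match CERT_PATH_IN_CONTAINER "$cert_path" '^/[A-Za-z0-9._/-]+$'

  # Command executed inside the container, fed by the pipeline below:
  #   umask 077   the temp file is created unreadable to group/other
  #   cat > tmp   receive the concatenated chain + key
  #   chown/chmod prosody-owned, 0600 (this file holds the private key)
  #   mv -f       same directory, so the swap is a single rename
  #   reload      pick up the new certificate
  printf -v install_cmd '%s' \
    "umask 077 && cat > ${cert_path}.tmp" \
    " && chown prosody:prosody ${cert_path}.tmp" \
    " && chmod 0600 ${cert_path}.tmp" \
    " && mv -f ${cert_path}.tmp ${cert_path}" \
    " && prosodyctl reload"

  # `sed '/^$/d'` drops blank lines between the PEM blocks before piping.
  cat "$fullchain_path" "$key_path" \
    | sed '/^$/d' \
    | su -s /bin/sh code -c "podman exec -i $container sh -lc '$install_cmd'"

  printf 'Prosody certificate updated and reloaded in container: %s\n' \
    "$container"
}

main "$@"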