#!/bin/bash
#
# Create Debian Edu root CA key and certificate as well as multi-purpose
# server (web, mail, cups, wpad, sitesummary, ldap, backup) key and certificate.

set -e

# usage
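if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ] ; then
    # Print usage and stop; nothing is generated on this path.
    # The config directory named here matches the *_CONF paths defined below
    # (the old text read "/usr/share-debian-edu-config", which does not exist).
    cat <<EOF

Usage information:
Call $0 with param '--force-overwrite' to generate new keys
and certificates. (User home directories will also be updated.)
Used configuration files: /usr/share/debian-edu-config/*.cnf

EOF
    exit 0
fi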

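# Scratch directory for the server CSR (mktemp -d creates it mode 0700).
# Under 'set -e' a failing mktemp aborts the script here.
TMP=$(mktemp -d)
# Remove the scratch directory on every exit path (normal, 'set -e' abort, -h).
# The ':?' guard refuses to run 'rm -rf' with an empty path.
trap 'rm -rf -- "${TMP:?}"' EXIT
readonly TMP

# OpenSSL request/extension configuration shipped by debian-edu-config.
# NOTE(review): V3_CA_CONF and SSL_CONF are defined but not referenced
# anywhere in this script; generate() builds both the CA and the server
# request from SSL_CA_CONF — confirm whether that is intended.
readonly SSL_CA_CONF="/usr/share/debian-edu-config/sslCA.cnf"
readonly V3_CA_CONF="/usr/share/debian-edu-config/v3CA.cnf"
readonly SSL_CONF="/usr/share/debian-edu-config/ssl.cnf"
readonly V3_CONF="/usr/share/debian-edu-config/v3.cnf"

# Where the public certificates and the private keys are kept.
readonly CERT_DIR="/etc/ssl/certs"
readonly KEY_DIR="/etc/ssl/private"
readonly CA_CERT="$CERT_DIR/Debian-Edu_rootCA.crt"
readonly CA_KEY="$KEY_DIR/Debian-Edu_rootCA.key"
readonly SERVER_CERT="$CERT_DIR/debian-edu-server.crt"
readonly SERVER_KEY="$KEY_DIR/debian-edu-server.key"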

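generate() {
    # Create the Debian Edu root CA key/certificate and the multi-purpose
    # server key/certificate, fix ownership and permissions, add local trust
    # for the new certificates and publish the public parts via the web server.
    # Globals (read): TMP, SSL_CA_CONF, V3_CONF, CERT_DIR, KEY_DIR,
    #                 CA_CERT, CA_KEY, SERVER_CERT, SERVER_KEY
    # Must run as root. Every step is fatal under 'set -e'.
    local -r www_dir="/etc/debian-edu/www"
    local -r local_trust_dir="/usr/local/share/ca-certificates"
    local -r bundle_cert="$CERT_DIR/debian-edu-bundle.crt"
    local old_umask
    old_umask=$(umask)

    # Create all key material under a restrictive umask so that no key is
    # readable by others between its creation and the explicit chmod below.
    umask 077
    # Generate Debian Edu root CA private key.
    openssl genrsa -out "$CA_KEY" 2048
    # Self-signed root CA certificate (10 years).
    openssl req -x509 -new -nodes -key "$CA_KEY" -days 3650 \
        -out "$CA_CERT" -config "$SSL_CA_CONF"
    # Server key plus certificate request.
    # NOTE(review): the server request is built from the CA request config;
    # SSL_CONF (ssl.cnf) is defined at the top of the file but never used —
    # confirm whether it was meant here.
    openssl req -new -nodes -out "$TMP/server.csr" -newkey rsa:2048 \
        -keyout "$SERVER_KEY" -config "$SSL_CA_CONF"
    # Sign the server request with the root CA, applying the v3 extensions.
    # -CAcreateserial keeps the serial file next to CA_CERT.
    openssl x509 -req -in "$TMP/server.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -out "$SERVER_CERT" -days 3650 -extfile "$V3_CONF"
    umask "$old_umask"

    # Adjust owner and rights: certificates world-readable, keys readable by
    # root and the ssl-cert group only.
    chown root:ssl-cert "$CA_KEY" "$SERVER_KEY"
    chmod 640 "$CA_KEY" "$SERVER_KEY"
    chmod 644 "$CA_CERT" "$SERVER_CERT"
    # NOTE(review): with 0640 root:ssl-cert every ssl-cert member added below
    # (Debian-exim, openldap, xrdp) can read the CA private key, not just the
    # server key. Only the server key needs group access; consider keeping the
    # CA key root:root 0600 unless a non-root signer depends on it.
    logger -t create-debian-edu-certs "rootCA and server certs generated"

    # Create bundle certificate: root CA followed by the server certificate.
    cat "$CA_CERT" "$SERVER_CERT" > "$bundle_cert"
    chmod 644 "$bundle_cert"
    logger -t create-debian-edu-certs "rootCA/server bundle cert generated"

    # Enable Debian-exim to read key file.
    usermod -a -G ssl-cert Debian-exim
    # On a plain main server xrdp isn't installed by default.
    if id xrdp >/dev/null 2>&1 ; then
        usermod -a -G ssl-cert xrdp
    fi
    # Enable slapd to read key file.
    usermod -a -G ssl-cert openldap

    # Add local trust for the created certificates.
    cp -- "$CA_CERT" "$SERVER_CERT" "$bundle_cert" "$local_trust_dir"/
    /usr/sbin/update-ca-certificates
    logger -t create-debian-edu-certs "Added local trust for our certificates."

    # Make the bundle as .crt and .pem plus the root CA .crt available via
    # the web server. debian-edu-bundle.pem is not written by this script:
    # it is the /etc/ssl/certs symlink update-ca-certificates creates for the
    # copy placed in $local_trust_dir above, so it must run after that step.
    cp -- "$bundle_cert" "$CERT_DIR/debian-edu-bundle.pem" "$CA_CERT" "$www_dir"/
    chmod 644 "$www_dir"/debian-edu-bundle.* "$www_dir/${CA_CERT##*/}"
    logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www."
}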

update_nssdb() {
    # Refresh the dbm and sql certificate/key databases (nssdb) in every
    # user's home directory by running the debian-edu-config helper.
    # Under 'set -e' a failing helper aborts the script before the second
    # message is printed.
    local -r tool="/usr/share/debian-edu-config/tools/update-cert-dbs"
    printf '%s\n' "Now updating the nssdb files for all user accounts..."
    "$tool"
    printf '%s\n' "The nssdb files for all user accounts have been updated"
}

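# Entry point: --force-overwrite always regenerates; otherwise generate only
# when the CA certificate or key is missing.
if [ "${1:-}" = "--force-overwrite" ] ; then
    generate
    # Services holding the old key/certificate must pick up the new files.
    echo "Reloading / restarting related services; this will take some time..."
    service slapd restart
    service apache2 restart
    service exim4 restart
    service dovecot restart
    # nslcd is stopped and started separately rather than restarted (kept
    # as in the original; the reason is not recorded here).
    service nslcd stop
    service nslcd start
    update_nssdb
elif [ ! -f "$CA_CERT" ] || [ ! -f "$CA_KEY" ]; then
    # First run: no service restarts are done on this path.
    # NOTE(review): only the CA files are checked; a missing server key or
    # certificate alongside an existing CA is reported as "nothing to do".
    generate
    update_nssdb
else
    echo "Certificates and keys already exist, nothing to do!"
    echo "Call $0 with param '--force-overwrite' if new ones should be generated."
fi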
