#!/bin/sh

set -e

NAME="$(cat /etc/hostname)"
DEHYDRATED_PATH="/srv/${NAME}/dehydrated/certs/${NAME}"
SLAPD_CERT_PATH="/etc/crypto/tls"
CA_CHAIN_NAME="cachain"

mkdir -p "${SLAPD_CERT_PATH}"
unset CHANGE

if ! cmp -s "${DEHYDRATED_PATH}/${CA_CHAIN_NAME}.pem" "${SLAPD_CERT_PATH}/${NAME}-${CA_CHAIN_NAME}.pem"
then
	/usr/bin/cp "${DEHYDRATED_PATH}/${CA_CHAIN_NAME}.pem" "${SLAPD_CERT_PATH}/${NAME}-${CA_CHAIN_NAME}.pem"
	CHANGE=true
fi

if ! cmp -s "${DEHYDRATED_PATH}/cert.pem" "${SLAPD_CERT_PATH}/${NAME}.pem"
then
	/usr/bin/cp "${DEHYDRATED_PATH}/cert.pem" "${SLAPD_CERT_PATH}/${NAME}.pem"
	CHANGE=true
fi

if ! cmp -s "${DEHYDRATED_PATH}/privkey.pem" "${SLAPD_CERT_PATH}/${NAME}.key"
then
	/usr/bin/cp "${DEHYDRATED_PATH}/privkey.pem" "${SLAPD_CERT_PATH}/${NAME}.key"
	CHANGE=true
fi

if ! cmp -s "${DEHYDRATED_PATH}/fullchain.pem" "${SLAPD_CERT_PATH}/${NAME}-fullchain.pem"
then
	/usr/bin/cp "${DEHYDRATED_PATH}/fullchain.pem" "${SLAPD_CERT_PATH}/${NAME}-fullchain.pem"
	CHANGE=true
fi

if [ ! -z ${CHANGE} ]
then
	chmod 0640 /etc/crypto/tls/${NAME}*
	chgrp ssl-cert /etc/crypto/tls/${NAME}*
	systemctl restart slapd.service
fi