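#!/bin/sh
# vim: syntax=sh
#
# Idempotent bootstrap of a Vault PKI secret engine. This file is a gomplate
# template: every `[[ ... ]]` action is rendered before the script executes.
#
# Required environment:
#   VAULT_ADDR  - Vault API address; also embedded in the CA/CRL/OCSP URLs
#                 published by this mount.
#   A vault CLI login (e.g. VAULT_TOKEN) allowed to list/enable/tune the mount
#   and write its config and intermediate endpoints.
# Required tools: vault, jq
#
# What it does:
#   - mounts a `pki` engine at [[ .vault.pki.path ]] if none is mounted there,
#   - (re)applies TTL, URL, cluster, CRL and auto-tidy settings on every run,
#   - on first setup only: generates the CA key pair with
#     `intermediate/generate/internal` (the private key stays inside Vault;
#     only the CSR and the signed certificate are written to the temp dir) and,
#     when `.vault.pki.issuer` is configured, signs the CSR with that issuer
#     and installs the result via `intermediate/set-signed`. Without an
#     issuer only the CSR is produced — presumably signed out of band.
#
# NOTE: first-run detection keys solely on the mount type. A run that fails
# between `secrets enable` and `intermediate/set-signed` leaves a mount with
# no usable CA, and a rerun will skip CA generation; disable the mount before
# rerunning in that case.

set -eu
# `set -o pipefail` is missing from several /bin/sh implementations (dash,
# ash). Instead of relying on it, every `vault` call whose output feeds jq is
# run on its own and staged in a file or variable, so a failed call is caught
# by `set -e` rather than being masked by a succeeding `jq` stage.

die() { printf '%s\n' "$*" >&2; exit 1; }

command -v vault >/dev/null 2>&1 || die "vault CLI not found in PATH"
command -v jq >/dev/null 2>&1 || die "jq not found in PATH"
# Checked up front: otherwise the mount would be created before the URL
# configuration fails on the unset variable.
: "${VAULT_ADDR:?VAULT_ADDR must be set (it is embedded in the CA/CRL/OCSP URLs)}"

TMP=$(mktemp -d) || die "mktemp failed"
# Remove the CSR/certificate staging directory on every exit path, not only
# after a successful run. `:?` refuses to run `rm -rf` against an empty path.
cleanup() { echo "Cleaning temp files"; rm -rf -- "${TMP:?}"; }
trap cleanup EXIT

# Decide whether this is the first run. The mount listing is captured on its
# own so that an API or permission failure aborts here with a clear message
# instead of being mistaken for "nothing mounted yet".
MOUNTS=$(vault secrets list -format json) || die "cannot list secret engines"
MOUNT_TYPE=$(printf '%s' "${MOUNTS}" | jq -r '.["[[ .vault.pki.path | regexp.Replace "^/" "" ]]/"].type')
INITIAL_SETUP=false
if [ "${MOUNT_TYPE}" != "pki" ]; then
  INITIAL_SETUP=true
fi

if [ "${INITIAL_SETUP}" = "true" ]; then
  # Enable the secret engine
  echo "Mounting new PKI secret engine at [[ .vault.pki.path ]]"
  vault secrets enable -path="[[ .vault.pki.path ]]" pki
else
  echo "Secret engine already mounted at [[ .vault.pki.path ]]"
fi

# Configure max-lease-ttl (only when a ttl is configured for this PKI)
echo "Tune PKI secret engine"
[[- if has .vault.pki "ttl" ]]
vault secrets tune -max-lease-ttl="[[ .vault.pki.ttl ]]" "[[ .vault.pki.path ]]"
[[- end ]]

# Configure PKI URLs: the AIA/CRL/OCSP endpoints issued certificates will
# point at, all served from this Vault under the mount's API path.
echo "Configure URL endpoints"
vault write "[[ .vault.pki.path ]]/config/urls" \
  issuing_certificates="${VAULT_ADDR}/v1/[[ .vault.pki.path | regexp.Replace "^/" "" ]]/ca" \
  crl_distribution_points="${VAULT_ADDR}/v1/[[ .vault.pki.path | regexp.Replace "^/" "" ]]/crl" \
  ocsp_servers="${VAULT_ADDR}/v1/[[ .vault.pki.path | regexp.Replace "^/" "" ]]/ocsp"
vault write "[[ .vault.pki.path ]]/config/cluster" \
  path="${VAULT_ADDR}/v1[[ .vault.pki.path ]]"
vault write "[[ .vault.pki.path ]]/config/crl" \
  auto_rebuild=true \
  enable_delta=true

# Configure tidy
echo "Configure auto tidy for the PKI"
vault write "[[ .vault.pki.path ]]/config/auto-tidy" \
  enabled=true \
  tidy_cert_store=true \
  tidy_expired_issuers=true \
  tidy_revocation_queue=true \
  tidy_revoked_cert_issuer_associations=true \
  tidy_revoked_certs=true \
  tidy_acme=true \
  tidy_cross_cluster_revoked_certs=true \
  tidy_move_legacy_ca_bundle=true \
  maintain_stored_certificate_counts=true

if [ "${INITIAL_SETUP}" = "true" ]; then
  # Generate an internal CA. The response is staged in a file so that a
  # failed `vault write` stops the script instead of feeding jq empty input.
  echo "Generating an internal CA"
  vault write -format=json "[[ .vault.pki.path ]]/intermediate/generate/internal" \
    common_name="[[ if has .vault.pki "common_name" ]][[ .vault.pki.common_name ]][[ else ]][[ path.Base .vault.pki.path ]] Certificate Authority[[ end ]]" \
    [[- if has .vault.pki "ttl" ]]
    ttl="[[ .vault.pki.ttl ]]" \
    [[- end ]]
    organization="[[ .vault.pki.organization ]]" \
    ou="[[ .vault.pki.ou ]]" \
    locality="[[ .vault.pki.locality ]]" \
    key_type=[[ .vault.pki.key_type ]] \
    key_bits=[[ .vault.pki.key_bits ]] \
    > "${TMP}/generate.json"
  # -e: fail when the response carries no csr instead of writing "null" to the file
  jq -er '.data.csr' "${TMP}/generate.json" > "${TMP}/[[ path.Base .vault.pki.path ]].csr"

  [[ if has .vault.pki "issuer" ]]
  # Sign this PKI with a root PKI
  echo "Signing the new CA with the authority from [[ .vault.pki.issuer ]]"
  vault write -format=json "[[ .vault.pki.issuer ]]/root/sign-intermediate" \
    csr="@${TMP}/[[ path.Base .vault.pki.path ]].csr" \
    format=pem_bundle \
    [[- if has .vault.pki "ttl" ]]
    ttl="[[ .vault.pki.ttl ]]" \
    [[- end ]]
    > "${TMP}/sign.json"
  jq -er '.data.certificate' "${TMP}/sign.json" > "${TMP}/[[ path.Base .vault.pki.path ]].crt"

  # Update the intermediate CA with the signed one
  echo "Update the new CA with the signed version"
  vault write "[[ .vault.pki.path ]]/intermediate/set-signed" \
    certificate="@${TMP}/[[ path.Base .vault.pki.path ]].crt"
  [[ end ]]
fi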