#
# Cookbook:: kosmos-ejabberd
# Recipe:: letsencrypt
#
# Copyright:: 2019, Kosmos, All Rights Reserved.
#

include_recipe "kosmos-base::letsencrypt"

domain = "kosmos.org"
domain_and_subdomains = [domain, "chat.#{domain}" "xmpp.#{domain}"]

ejabberd_post_hook = <<-EOF
#!/usr/bin/env bash

set -e

# Copy the ejabberd certificate and restart the server if it has been renewed
# This is necessary because the ejabberd user doesn't have access to the
# letsencrypt live folder
for domain in $RENEWED_DOMAINS; do
  case $domain in
  # Do not copy over when renewing other kosmos.org domains
  #{domain})
    cat "${RENEWED_LINEAGE}/privkey.pem" "${RENEWED_LINEAGE}/fullchain.pem" > /opt/ejabberd/conf/#{domain}.pem
    chown ejabberd:ejabberd /opt/ejabberd/conf/#{domain}.pem
    chmod 600 /opt/ejabberd/conf/#{domain}.pem
    /opt/ejabberd-#{node["kosmos-ejabberd"]["version"]}/bin/ejabberdctl reload_config
    ;;
  esac
done
EOF

file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
  content ejabberd_post_hook
  mode 0755
  owner "root"
  group "root"
end

domain_and_subdomains_switch = domain_and_subdomains.map { |d| "-d #{d}" }.join(" ")

# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for kosmos xmpp" do
  command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@#{domain} #{domain_and_subdomains_switch} -n"
  not_if do
    File.exist?("/opt/ejabberd/conf/#{domain}.pem")
  end
end