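# Custom resource: obtain a Let's Encrypt certificate for one or more domains.
#
# Properties:
#   domain - String or Array of hostnames. The first entry names the certbot
#            lineage, i.e. the cert lands in /etc/letsencrypt/live/<first>/.
#   auth   - "gandi_dns" validates via a DNS challenge driven by a Gandi API
#            hook script. Any other value (including the nil default) is not
#            handled by this resource beyond including the letsencrypt recipe;
#            see the else branch below.
require 'shellwords'

resource_name :tls_cert_for
provides :tls_cert_for

property :domain, [String, Array], name_property: true
property :auth, [String, NilClass], default: nil

default_action :create

action :create do
  include_recipe 'kosmos-base::letsencrypt'

  domains = Array(new_resource.domain)

  case new_resource.auth
  when "gandi_dns"
    # NOTE(review): whether the 'credentials' data bag is encrypted is not
    # visible here; confirm that it is, since this item holds a live API key.
    gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
    hook_path = "/root/gandi_dns_certbot_hook.sh"

    # The rendered hook embeds the Gandi API key. certbot runs as root, so the
    # script needs no group/other access at all: lock it to root:root 0700
    # (the previous 0770 exposed the key to the file's group). `sensitive`
    # keeps the key out of the Chef log and the resource diff output.
    template hook_path do
      cookbook "kosmos-base"
      variables gandi_api_key: gandi_api_data_bag_item["key"]
      owner "root"
      group "root"
      mode "0700"
      sensitive true
    end

    # Shell-escape each domain so an unexpected character in a property value
    # cannot alter the certbot command line below.
    domain_args = domains.map { |d| "-d #{Shellwords.escape(d)}" }.join(" ")

    # Generate a Let's Encrypt cert (only if no cert has been generated before).
    # The systemd timer will take care of renewing.
    # NOTE(review): --manual-public-ip-logging-ok is deprecated in newer certbot
    # releases; verify the installed version still accepts it.
    execute "letsencrypt cert for #{domains.join(', ')}" do
      command <<-CMD
        certbot certonly --manual -n \
          --preferred-challenges dns \
          --manual-public-ip-logging-ok \
          --agree-tos \
          --manual-auth-hook '#{hook_path} auth' \
          --manual-cleanup-hook '#{hook_path} cleanup' \
          --deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty \
          --email ops@kosmos.org \
          #{domain_args}
      CMD
      # certbot names the lineage after the first -d domain, so that path is
      # the indicator that a certificate already exists.
      not_if do
        ::File.exist?("/etc/letsencrypt/live/#{domains.first}/fullchain.pem")
      end
    end
  else
    # regular http auth: not implemented in this resource. Make the no-op
    # visible rather than converging silently without requesting a cert.
    Chef::Log.warn("tls_cert_for[#{domains.join(', ')}]: auth #{new_resource.auth.inspect} " \
                   "is not handled; no certificate was requested")
  end
end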