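#!/usr/bin/env bash
set -euf -o pipefail

# ************** USAGE **************
#
# Example usage (with this hook file saved in /root/):
#
# sudo su -
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
#   --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
#
# Certbot runs the hook as "<script> auth [validation-domain]" and
# "<script> cleanup [validation-domain]", passing the domain being validated
# in CERTBOT_DOMAIN and the challenge token in CERTBOT_VALIDATION.
#
# This hook requires configuration, continue reading.
#
# ************** CONFIGURATION **************
#
# ACCESS_TOKEN: Your Gandi LiveDNS API token (the variable the code reads;
#               filled in from the template below)
#
# PROVIDER_UPDATE_DELAY:
# How many seconds to wait after updating your DNS records. This may be required,
# depending on how slow your DNS host is to begin serving new DNS records after updating
# them via the API. 30 seconds is a safe default, but some providers can be very slow
# (e.g. Linode).
#
# This script uses 10 seconds; raise it if validation fails before the record is served.
#
ACCESS_TOKEN="<%= @access_token %>"
readonly ACCESS_TOKEN
readonly PROVIDER_UPDATE_DELAY=10
readonly GANDI_API="https://api.gandi.net/v5/livedns"

# Certbot sets this for both hooks; fail early with a readable message rather
# than an "unbound variable" error from set -u further down.
: "${CERTBOT_DOMAIN:?CERTBOT_DOMAIN must be set by certbot}"

# Optional second argument: a separate zone that receives the challenge
# records (CNAME-delegated validation). Captured before the dispatch shift.
VALIDATION_DOMAIN="${2:-}"

# Gandi keys LiveDNS zones by registered domain, so derive it from the host
# name by keeping the last two labels ("xmpp.5apps.com" -> "5apps.com";
# "5apps.com" has no match and is used unchanged).
# NOTE(review): this yields "co.uk" for "example.co.uk" — zones under a
# two-label public suffix need a different rule; confirm before reusing.
readonly subdomain_regex='.*\.(.*\..*)'
if [[ $CERTBOT_DOMAIN =~ $subdomain_regex ]]; then
  DOMAIN="${BASH_REMATCH[1]}"
else
  DOMAIN="${CERTBOT_DOMAIN}"
fi

# ACME_BASE_DOMAIN: the LiveDNS zone the TXT record is written to.
# ACME_DOMAIN:      the record name (without trailing dot) inside that zone.
if [[ -n "$VALIDATION_DOMAIN" ]]; then
  if [[ $VALIDATION_DOMAIN =~ $subdomain_regex ]]; then
    ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
  else
    printf 'Validation domain has to be a subdomain, but it is not: "%s"\n' "$VALIDATION_DOMAIN" >&2
    exit 1
  fi
  ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
else
  ACME_BASE_DOMAIN="${DOMAIN}"
  ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
fi
readonly DOMAIN ACME_BASE_DOMAIN ACME_DOMAIN

#######################################
# Issue one authenticated request to the Gandi LiveDNS v5 API.
# The bearer token is handed to curl through a config file on a
# process-substitution fd instead of on the command line, so it is not
# visible in `ps` output or in `set -x` traces. --fail turns HTTP 4xx/5xx
# into a non-zero exit, which set -e propagates so certbot sees the hook fail
# instead of continuing with a record that was never created.
# Globals:   ACCESS_TOKEN (read)
# Arguments: extra curl options followed by the URL
# Outputs:   curl errors on stderr; response goes wherever the caller sends it
# Returns:   curl's exit status
#######################################
gandi_api() {
  # curl config syntax: backslash escapes apply inside the double quotes, so
  # this assumes the token contains neither '"' nor '\'.
  curl -sS --fail \
    -H "Content-Type: application/json" \
    -K <(printf 'header = "Authorization: Bearer %s"\n' "$ACCESS_TOKEN") \
    "$@"
}

#######################################
# Create the ACME challenge TXT record, then wait for propagation.
# To be invoked via Certbot's --manual-auth-hook.
# Globals:   ACME_DOMAIN, ACME_BASE_DOMAIN, PROVIDER_UPDATE_DELAY (read),
#            CERTBOT_VALIDATION (read, set by certbot)
# Outputs:   nothing on stdout (certbot captures auth-hook stdout into
#            CERTBOT_AUTH_OUTPUT, so the API response is discarded)
# Returns:   non-zero if the record could not be created
#######################################
auth() {
  : "${CERTBOT_VALIDATION:?CERTBOT_VALIDATION must be set by certbot}"
  local payload
  # Both interpolated values come from certbot (a host name and a base64url
  # challenge token), so no JSON escaping is applied here; revisit if these
  # inputs are ever taken from anywhere else.
  payload=$(printf '{"rrset_name": "%s.", "rrset_type": "TXT", "rrset_ttl": 300, "rrset_values": ["%s"]}' \
    "$ACME_DOMAIN" "$CERTBOT_VALIDATION")
  gandi_api -o /dev/null -d "$payload" \
    "${GANDI_API}/domains/${ACME_BASE_DOMAIN}/records"
  # Give the provider time to start serving the new record before certbot
  # asks the CA to look it up.
  sleep "$PROVIDER_UPDATE_DELAY"
}

#######################################
# Delete the ACME challenge TXT record.
# To be invoked via Certbot's --manual-cleanup-hook.
# Globals:   ACME_DOMAIN, ACME_BASE_DOMAIN (read)
# Returns:   non-zero if the API rejected the deletion (e.g. record missing)
#######################################
cleanup() {
  gandi_api -X DELETE -o /dev/null \
    "${GANDI_API}/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
}

usage() {
  printf 'Usage: %s auth|cleanup [validation-domain]\n' "${0##*/}" >&2
  exit 2
}

HANDLER="${1:-}"
[[ -n "$HANDLER" ]] || usage
shift
# Explicit allowlist of hook names. An unknown handler exits non-zero so
# certbot aborts, rather than the former silent no-op that would have let
# it proceed as if the challenge record had been created.
case "$HANDLER" in
  auth|cleanup) "$HANDLER" "$@" ;;
  *) usage ;;
esac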