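#
# Create SSL certificates using Letsencrypt
#

# Platform-specific certbot locations and package lists.
#
# Variables:
#   webroot     - copy of $(wr); "standalone" unless the caller sets wr
#   renew       - copy of $(rn); empty unless the caller sets rn
#   certbot_dir - letsencrypt state directory (live/<domain>/cert.pem lives here)
#   exe         - absolute path of the certbot binary
#   pkgs        - packages that provide certbot on this platform
#
# The defaults: section only fills wr/rn when they are not already set.
bundle agent certbot
{
  vars:
      "webroot" string => "$(wr)";
      "renew"   string => "$(rn)";

    freebsd::
      "certbot_dir" string => "/usr/local/etc/letsencrypt";
      "exe"         string => "/usr/local/bin/certbot";
      "pkgs"        slist  => {"py39-certbot"};

    debian::
      "certbot_dir" string => "/etc/letsencrypt";
      "exe"         string => "/usr/bin/certbot";
      "pkgs"        slist  => {"certbot"};

    centos::
      "certbot_dir" string => "/etc/letsencrypt";
      "exe"         string => "/usr/bin/certbot";
      # epel-release first: certbot is shipped in EPEL, not in the base repos
      "pkgs"        slist  => {"epel-release","certbot"};

    fedora::
      "certbot_dir" string => "/etc/letsencrypt";
      "exe"         string => "/usr/bin/certbot";
      "pkgs"        slist  => {"certbot"};

  defaults:
      "wr" string => "standalone";
      "rn" string => "";

  reports:
}

# Install the certbot package(s) and, on FreeBSD, the renewal cron job.
#
# The methods promise carries handle "certbot_installed" so that the
# certonly commands in certbot_cert can depend on it.
bundle agent install_certbot
{
  methods:
      "any" usebundle => wmde_install_packages( @(certbot.pkgs),"certbot"),
            handle    => "certbot_installed";

  files:
    freebsd::
      # The cron file is copied verbatim with local_dcp; despite the
      # .mustache suffix it is not rendered here — NOTE(review): confirm the
      # template contains no mustache tags, or switch to edit_template.
      "/etc/cron.d/certbot"
        create    => "true",
        copy_from => local_dcp("$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/certbot-cron.mustache");

      # Retired inline content, kept for reference (now in the template):
      #   content => '#
      #   # Managed by CFEngine
      #   #
      #   SHELL=/bin/sh
      #   PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
      #   0 */12 * * * root certbot -q renew --no-random-sleep-on-renew
      #   ';
}

# Obtain or expand a certificate for one site.
#
# Parameters:
#   site    - data container with at least domain, email and aliases (list)
#   webroot - "standalone" for certbot's built-in HTTP listener, otherwise
#             the document root passed to --webroot -w
#
# certbot is run only when the domain set on the existing certificate
# differs from the domain set requested by $(site); a --dry-run must succeed
# before the real certonly call is made.
bundle agent certbot_cert(site,webroot)
{
  vars:
      "domain"  string => "$(site[domain])";
      "keytype" string => "rsa";

      # Requested domain set: the primary domain plus every alias, sorted so
      # the rendered text is order-independent.
      "ds"      slist  => {"$(site[domain])"};
      "domains" slist  => sort(mergedata(@(ds),getvalues(@(site[aliases]))));
      # One "<domain> " per entry — note the trailing space after each one.
      "domains_txt" string => string_mustache("{{#-top-}}{{.}} {{/-top-}}",@(domains));

      "site_json" string => storejson(@(site));

      # Per-site certbot arguments; aliases become extra -d flags.
      "args" string => string_mustache(
          "--key-type $(keytype) --cert-name {{domain}} -d {{domain}} {{#aliases}} -d {{.}} {{/aliases}}",
          @(site)
      );

      "webroot_arg" string => ifelse(
          strcmp("$(webroot)","standalone"), "--standalone",
          "--webroot -w $(webroot)");

      # Domains currently on the live certificate, as printed by the helper
      # script. Executed with "noshell": /bin/sh gets the script path and the
      # cert path as plain argv entries, so nothing in $(site[domain]) is
      # interpreted by a shell (no redirection, globbing or word splitting).
      "cert_test_cmd" string => "$(def.wmde_lib)/scripts/get-domains-from-cert.sh $(certbot.certbot_dir)/live/$(site[domain])/cert.pem";
      "current_domains_txt" string => execresult("/bin/sh $(cert_test_cmd)","noshell"),
        if => isvariable ("site[domain]");

  files:
      # Retired marker-file approach, superseded by the domain comparison below:
      # "$(sys.workdir)/data/agent/certbot/$(site[domain])-cert-created"
      #   create  => "true",
      #   content => "$(args)",
      #   classes => if_repaired(certbot_repaired);

  classes:
      # Retired:
      # "no_cert_file"
      #   comment => "run certbot because no cert dir exists",
      #   not     => fileexists("$(certbot.certbot_dir)/live/$(site[domain])");
      # "run_certbot"
      #   or => {no_cert_file, certbot_repaired};

      # A trailing space is appended to the script output so it matches the
      # "<domain> " form produced by domains_txt (presumably the script prints
      # the sorted names without a trailing separator — verify against it).
      "run_certbot" expression => not (strcmp("$(current_domains_txt) ","$(domains_txt)"));

  defaults:
      "webroot" string => "standalone";
      "domain"  string => "$(site[domain])";

  methods:
      "any" usebundle => install_certbot;

  commands:
    run_certbot::
      # Dry run first; its handle gates the real request below.
      "$(certbot.exe)"
        depends_on => {"certbot_installed"},
        handle     => "certbot_dry_run_ok",
        args       => "certonly --dry-run --agree-tos -n $(webroot_arg) --expand --email $(site[email]) $(args)";

    run_certbot::
      # Real request; only runs once the dry run has been kept/repaired.
      "$(certbot.exe)"
        depends_on => {"certbot_installed","certbot_dry_run_ok"},
        args       => "certonly --agree-tos -n $(webroot_arg) --expand --email $(site[email]) $(args)";

  reports:
}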