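#!/usr/bin/bash
#
# Export the certificates and keys from 'acme.json'
#
# For every certificate resolver found in the Traefik ACME database this
# writes, below ACME_STORAGE:
#   .<resolver>/account.key          the resolver's ACME account key (PEM)
#   <domain>/rsa/root.{crt,key}      when the resolver name contains 'rsa'
#   <domain>/ecc/root.{crt,key}      when the resolver name contains 'ecdsa'
# ACME_STORAGE is wiped and recreated on every run.
#
# Required: /etc/traefik/acme/acme.env (may set ACME_STORAGE / ACME_DATABASE).
# Must run as root or as the 'traefik' user.
#
###
#
# Options Section
#
###

set -e
set -u
set -o pipefail

# Files created by redirection (certificates, keys) must not be readable by
# anyone else, even for the instant before the explicit chmod below.
umask 077

###
#
# Variables Section
#
###

source '/etc/traefik/acme/acme.env'

ACME_STORAGE="${ACME_STORAGE:-/var/lib/traefik/acme}"
ACME_DATABASE="${ACME_DATABASE:-/var/lib/traefik/acme.json}"
readonly ACME_STORAGE ACME_DATABASE
readonly OWNER='traefik'

###
#
# Helpers
#
###

#######################################
# Print an error message to stderr and exit.
# Arguments: $* - message
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Refuse a resolver or domain name that could escape ACME_STORAGE when used
# as a path component (empty, containing '/' or '..').
# Arguments: $1 - name taken from the ACME database
#######################################
assert_safe_name() {
  local name=$1
  if [[ -z "${name}" || "${name}" == */* || "${name}" == *..* ]]; then
    die "unsafe name in ${ACME_DATABASE}: '${name}'"
  fi
}

#######################################
# Create a 0700 directory owned by traefik.
# Arguments: $1 - directory path
#######################################
make_dir() {
  /usr/bin/install --directory --group="${OWNER}" --mode='0700' \
    --owner="${OWNER}" -- "$1"
}

#######################################
# Restrict an exported file to read-only for traefik.
# Arguments: $1 - file path
#######################################
lock_file() {
  /usr/bin/chmod '0400' -- "$1"
  /usr/bin/chown "${OWNER}:${OWNER}" -- "$1"
}

#######################################
# Decode a base64 value from the ACME database into a file.
# printf is a builtin, so the secret never appears in another process's
# argv (as it did with /usr/bin/echo, visible in 'ps').
# Arguments: $1 - base64 payload
#            $2 - destination path
#######################################
write_decoded() {
  local payload=$1
  local dest=$2
  printf '%s\n' "${payload}" | /usr/bin/base64 --decode > "${dest}" \
    || die "cannot decode ${dest}"
  lock_file "${dest}"
}

#######################################
# Export the account private key of one resolver to '.<resolver>/account.key'.
# The stored PrivateKey is treated as the bare base64 body of a PKCS#1 PEM
# block; openssl re-encodes it (its 'writing RSA key' chatter is discarded).
# Arguments: $1 - resolver name
#######################################
export_account() {
  local resolver=$1
  local dir="${ACME_STORAGE}/.${resolver}"
  local account
  account=$(/usr/bin/jq --raw-output --exit-status --arg resolver "${resolver}" \
    '.[$resolver].Account.PrivateKey' "${ACME_DATABASE}") \
    || die "no account key for resolver '${resolver}'"
  make_dir "${dir}"
  # '--' is required: the format itself starts with '-'.
  printf -- '-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n' \
    "${account}" \
    | /usr/bin/openssl 'rsa' -inform 'pem' -out "${dir}/account.key" \
        > '/dev/null' 2>&1 \
    || die "openssl could not read the account key of resolver '${resolver}'"
  lock_file "${dir}/account.key"
}

#######################################
# Export the certificate and key of one domain of one resolver.
# '*rsa*' resolvers go to '<domain>/rsa', '*ecdsa*' to '<domain>/ecc'
# (checked in that order); other resolver names only get the domain dir.
# Arguments: $1 - resolver name
#            $2 - certificate main domain
#######################################
export_certificate() {
  local resolver=$1
  local domain=$2
  local dir="${ACME_STORAGE}/${domain}"
  local certificate key
  certificate=$(/usr/bin/jq --raw-output --exit-status \
    --arg resolver "${resolver}" --arg domain "${domain}" \
    '.[$resolver].Certificates[] | select (.domain.main == $domain ) | .certificate' \
    "${ACME_DATABASE}") \
    || die "no certificate for '${domain}' in resolver '${resolver}'"
  key=$(/usr/bin/jq --raw-output --exit-status \
    --arg resolver "${resolver}" --arg domain "${domain}" \
    '.[$resolver].Certificates[] | select (.domain.main == $domain ) | .key' \
    "${ACME_DATABASE}") \
    || die "no key for '${domain}' in resolver '${resolver}'"
  make_dir "${dir}"
  case "${resolver}" in
    *rsa*) dir+='/rsa' ;;
    *ecdsa*) dir+='/ecc' ;;
    *) return 0 ;;
  esac
  make_dir "${dir}"
  write_decoded "${certificate}" "${dir}/root.crt"
  write_decoded "${key}" "${dir}/root.key"
}

###
#
# Runtime Environment
#
###

#######################################
# Entry point: check privileges, rebuild ACME_STORAGE, export everything.
# Globals: ACME_STORAGE, ACME_DATABASE, OWNER (read)
#######################################
main() {
  local resolvers domains resolver domain
  local -a resolver_list domain_list

  # 'id' is used instead of $USER, which may be unset (cron) under 'set -u'.
  if (( EUID != 0 )) && [[ "$(/usr/bin/id --user --name)" != "${OWNER}" ]]; then
    die 'Permission Denied'
  fi
  [[ -r "${ACME_DATABASE}" ]] || die "cannot read ${ACME_DATABASE}"

  # Start from an empty export tree; ':?' refuses to run rm on an empty path.
  if [[ -d "${ACME_STORAGE}" ]]; then
    /usr/bin/rm --force --recursive -- "${ACME_STORAGE:?}"
  fi
  make_dir "${ACME_STORAGE}"

  # Lists are read with mapfile, not 'for x in $(...)': an unquoted
  # substitution would glob wildcard names such as '*.example.com' against
  # the current directory, and it also hides jq's exit status.
  resolvers=$(/usr/bin/jq --raw-output --exit-status 'keys[]' "${ACME_DATABASE}") \
    || die "no resolvers in ${ACME_DATABASE}"
  mapfile -t resolver_list <<< "${resolvers}"

  for resolver in "${resolver_list[@]}"; do
    assert_safe_name "${resolver}"
    export_account "${resolver}"
    # '// []' keeps a resolver without any certificate from being a jq error.
    domains=$(/usr/bin/jq --raw-output --arg resolver "${resolver}" \
      '.[$resolver].Certificates // [] | .[].domain.main' "${ACME_DATABASE}") \
      || die "cannot list certificates of resolver '${resolver}'"
    [[ -n "${domains}" ]] || continue
    mapfile -t domain_list <<< "${domains}"
    for domain in "${domain_list[@]}"; do
      assert_safe_name "${domain}"
      export_certificate "${resolver}" "${domain}"
    done
  done
}

main "$@"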