#!/bin/bash -e
# Regenerate self-signed TLS/SSL cert & key

[[ -n "$_TURNKEY_INIT" ]] && exit 0

[[ -e $INITHOOKS_CONF ]] && . "$INITHOOKS_CONF"

_hook=$(basename "$0")

fatal() { echo "FATAL: [$_hook] $*" 1>&2 ; exit 1 ; }
info() { echo "INFO: [$_hook] $*" ; }

# Check for 'turnkey-make-ssl-cert' - should be provided by
# turnkey-ssl package.
turnkey_make_ssl_cert=$(which turnkey-make-ssl-cert) \
    || fatal "turnkey-make-ssl-cert executable not found."

# As of v17.0 a predefined 4096 bits default dhparams file is provided. Please
# see https://github.com/turnkeylinux/tracker/issues/1653 for more info.
info "Generating SSL/TLS cert & key."
$turnkey_make_ssl_cert --default --force

# Restart relevant services
SERVICES=(nginx apache2 lighttpd tomcat10 tomcat11)

info "Restarting relevant services."
for service in "${SERVICES[@]}"; do
    # only restart services that are running
    if systemctl is-active --quiet "${service}.service"; then
        info "$service running; restarting..."
        systemctl restart --quiet "$service"
    fi
done

# final tidy up
update-ca-certificates

exit 0
