#!/bin/bash

SUBDOMAIN="$1"
CERT_PASS="$2"

if [ -z "$SUBDOMAIN" ] || [ -z "$CERT_PASS" ]; then
  echo "Uso: $0 <subdominio> <contraseña-certificados>"
  exit 1
fi

rm -rf CA
mkdir -p CA
cd CA

cat >openssl.cnf <<EOF
[ca]
default_ca = CA_default

[CA_default]
dir                    = $PWD
EOF

cat >>openssl.cnf <<'EOF'
certs                  = $dir/certs
new_certs_dir          = $dir/newcerts
database               = $dir/index.txt
serial                 = $dir/serial
default_md             = sha256
policy                 = policy_loose
copy_extensions        = copy

private_key            = $dir/private/ca.key.pem
certificate            = $dir/certs/ca.crt.pem

[policy_loose]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[req]
default_bits           = 2048
distinguished_name     = req_distinguished_name
default_md             = sha256

[req_distinguished_name]
countryName            = Country Name (2 letter code)
EOF

mkdir -p certs csr newcerts private
chmod 0700 private
touch index.txt
echo 1000 >serial

function gen_cert() {
    NAME="$1"
    DOMAIN="$NAME.$SUBDOMAIN"
    PASS="$CERT_PASS"
    CA_PASS_FILE="./ca-pass"

    FILE_PRIVKEY_PASS="./$NAME-pass"
    KEY_FILE="private/$DOMAIN.key.pem"
    KEY_NOPASS_FILE="private/$DOMAIN.key.nopass.pem"
    SUBJ="/C=ES/ST=Madrid/L=Madrid/CN=$DOMAIN"
    ADDEXT="subjectAltName=DNS:$DOMAIN"
    CSR="csr/$DOMAIN.csr.pem"
    CERT_FILE="certs/$DOMAIN.crt.pem"

    echo "$PASS" >"$FILE_PRIVKEY_PASS"
    chmod 0600 "$FILE_PRIVKEY_PASS"

    openssl genrsa -aes256 -out "$KEY_FILE" -passout file:"$FILE_PRIVKEY_PASS" 2048
    openssl rsa -in "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -out "$KEY_NOPASS_FILE" >/dev/null 2>&1
    openssl req -config openssl.cnf -key "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -new -sha256 -subj "$SUBJ" -addext "$ADDEXT" -out "$CSR"
    openssl ca -config openssl.cnf -batch -passin file:"$CA_PASS_FILE" -days 375 -notext -md sha256 -in "$CSR" -out "$CERT_FILE" >/dev/null 2>&1
    echo "Dominio generado: $DOMAIN"
}

## Generar CA
CA_PASS_FILE="./ca-pass"
echo "$CERT_PASS" >"$CA_PASS_FILE"
chmod 0600 "$CA_PASS_FILE"
openssl genrsa -aes256 -out private/ca.key.pem -passout file:"$CA_PASS_FILE" 4096
openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$CA_PASS_FILE" -new -x509 -days 7300 -sha256 -subj "/C=ES/ST=Madrid/L=Madrid/CN=ca.$SUBDOMAIN" -out certs/ca.crt.pem


## Componentes a generar certificados
# COMPONENTES y su correspondencia:
# "os"        → OpenSearch (certificado para /etc/opensearch/)
# "osdb"      → OpenSearch Dashboards (certificado para /etc/opensearch-dashboards/)
# "jrem"      → systemd-journal-remote (certificado para /etc/systemd/)
# "prom"      → Prometheus (certificado para /etc/prometheus/)
# "graf"      → Grafana (certificado para /etc/grafana/)
# "jb"        → Journalbeat del cliente (certificado para /etc/journalbeat/)
# "agent-fb"  → Filebeat del cliente ogagent (certificado para /etc/filebeat/)
# "server"    → Servidor ogcore/ogboot/intermedio (uso genérico del certificado)

COMPONENTES=("os" "osdb" "jrem" "jb" "prom" "graf" "server" "agent-fb")

for comp in "${COMPONENTES[@]}"; do
    gen_cert "oglog-$comp"
    echo "address=/oglog-$comp.$SUBDOMAIN/127.0.0.1" >> /tmp/dnsmasq.oglog.conf
done

cd ..