#!/bin/bash

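# acme-keycloak-hook: install the Let's Encrypt private key and certificate
# chain into the Keycloak configuration directory and restart the service when
# either file changed.
# Presumably run as root by the acme.sh renewal job (it changes file ownership
# and restarts a systemd unit) -- confirm against the caller.
# Exit status: 0 when nothing changed, or when the new files were installed and
# the service restarted; 1 when a source file is missing, a copy fails or the
# restart fails.

# Abort on unset variables, so a misspelled name cannot silently expand to
# nothing in a cp/chmod/chown command line.
set -u

LE_CERTS_DIR="{{ letsencrypt_acme_sh_certificates_install_path }}"
LE_LOG_DIR=/var/log/letsencrypt
LE_LOGFILE="$LE_LOG_DIR/keycloak.log"
KEYCLOAK_CERTS_DIR="{{ keycloak_conf_directory }}"
KEYCLOAK_KEYFILE="$KEYCLOAK_CERTS_DIR/server.key.pem"
# This was assigned as keycloak_CERTFILE while every use read
# KEYCLOAK_CERTFILE, so the certificate copy had no destination and the
# permission commands only touched the key file.
KEYCLOAK_CERTFILE="$KEYCLOAK_CERTS_DIR/server.crt.pem"
KEYCLOAK_SERVICE="{{ keycloak_service_name }}"
DATE=$( date )
RETVAL=

# Report a failure to syslog and to the hook log, then stop with status 1.
fail() {
    logger "acme-keycloak-hook: ERROR: $1"
    echo "acme-keycloak-hook: ERROR: $1" >> "$LE_LOGFILE"
    exit 1
}

[ -d "$LE_LOG_DIR" ] || mkdir -p "$LE_LOG_DIR"
echo "$DATE" >> "$LE_LOGFILE"

# Refuse to go on without both source files: copying only one of them would
# leave Keycloak with a key and a certificate that do not match.
for src in "${LE_CERTS_DIR}/privkey" "${LE_CERTS_DIR}/fullchain" ; do
    [ -r "$src" ] || fail "Missing or unreadable source file $src"
done

logger "acme-keycloak-hook: Check if the certificate has been renewed"
# A renewal can keep the same private key, so the chain is compared as well;
# comparing only the key would then skip a renewed certificate.
# cmp also returns non-zero when the destination does not exist yet, which
# correctly triggers the first installation.
RETVAL=0
cmp -s "${LE_CERTS_DIR}/privkey" "${KEYCLOAK_KEYFILE}" || RETVAL=$?
if [ "$RETVAL" -eq 0 ] ; then
    cmp -s "${LE_CERTS_DIR}/fullchain" "${KEYCLOAK_CERTFILE}" || RETVAL=$?
fi

if [ "$RETVAL" -eq 0 ] ; then
    logger "acme-keycloak-hook: No new cerficate."
    echo "acme-keycloak-hook: No new cerficate." >> "$LE_LOGFILE"
    exit 0
fi

logger "acme-keycloak-hook: Copying the key file"
echo "Copy the certificate files" >> "$LE_LOGFILE"
# install(1) applies mode 0440 and root:keycloak ownership as part of the copy,
# so a newly created private key is not left at the umask default until a
# later chmod/chown.
install -m 0440 -o root -g keycloak -- "${LE_CERTS_DIR}/privkey" "${KEYCLOAK_KEYFILE}" >> "$LE_LOGFILE" 2>&1 \
    || fail "Could not install ${KEYCLOAK_KEYFILE}"
install -m 0440 -o root -g keycloak -- "${LE_CERTS_DIR}/fullchain" "${KEYCLOAK_CERTFILE}" >> "$LE_LOGFILE" 2>&1 \
    || fail "Could not install ${KEYCLOAK_CERTFILE}"

logger "acme-keycloak-hook: Restart the {{ keycloak_service_name }} service after a certificate renewal"
# A failed restart must not be reported as success: the service would keep
# serving the old certificate (or be down) while the hook claimed "Done".
systemctl restart "$KEYCLOAK_SERVICE" >> "$LE_LOGFILE" 2>&1 \
    || fail "Restart of the $KEYCLOAK_SERVICE service failed"
echo "acme-keycloak-hook: Restart the {{ keycloak_service_name }} service" >> "$LE_LOGFILE"

logger "acme-keycloak-hook: Done"
echo "acme-keycloak-hook: Done." >> "$LE_LOGFILE"

exit 0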