#!/bin/bash


#TODO Move this into the init script and ensure it only runs when something is wrong with configuraiton

# This should be run on the host with PuppetDB
PATH=/opt/puppet/bin:$PATH
set -e

fqdn=`facter fqdn`
password=`export LC_ALL=C; dd if=/dev/urandom count=20 2> /dev/null | tr -cd '[:alnum:]' | head -c 25`
tmpdir=`mktemp -t -d tmp.puppetdbXXXXX`
mycert=`puppet agent --configprint  hostcert`
myca=`puppet agent --configprint localcacert`
privkey=`puppet agent --configprint hostprivkey`

if [ -d "/etc/puppetlabs/puppetdb" ] ; then
  confdir="/etc/puppetlabs/puppetdb"
else
  confdir="/etc/puppetdb"
fi

rm -rf $tmpdir
mkdir -p $tmpdir
cp $myca $tmpdir
cp $privkey $tmpdir/privkey.pem
cp $mycert $tmpdir/pubkey.pem

cd $tmpdir
keytool -import -alias "PuppetDB CA" -keystore truststore.jks -storepass "$password" -trustcacerts  -file ca.pem -noprompt
cat privkey.pem pubkey.pem > temp.pem
echo "$password" | openssl pkcs12 -export -in temp.pem -out puppetdb.p12 -name $fqdn  -passout fd:0
keytool -importkeystore  -destkeystore keystore.jks -srckeystore puppetdb.p12 -srcstoretype PKCS12 -alias $fqdn   -deststorepass "$password" -srcstorepass "$password"

rm -rf $confdir/ssl
mkdir -p $confdir/ssl
cp -pr  *jks $confdir/ssl
echo $password > ${confdir}/ssl/puppetdb_keystore_pw.txt
chmod 600 ${confdir}/ssl/*
chmod 700 ${confdir}/ssl
rm -rf $tmpdir
