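#!/bin/sh
# Generate a throw-away local CA, issue one server certificate signed by it
# for the LAN hostnames listed in the extfile below, encrypt the server's
# private key with agenix, and publish the CA and server certificates
# under pki/.
#
# Outputs (relative to the current directory):
#   pki/ca.cert          - the CA certificate clients must import/trust
#   pki/server.cert      - the server certificate (SANs from the extfile)
#   secrets/tlskey.age   - the agenix-encrypted server private key
#
# Environment:
#   CERT_DAYS  validity in days for both the CA and the server cert
#              (default 365, the value the script originally hard-coded)
#
# Every run creates a brand-new CA. Its private key only ever exists in the
# 0700 temp dir created by mktemp and is wiped on exit, so certificates from
# an earlier run cannot be renewed and clients must re-import pki/ca.cert
# after each run.
#
# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
set -eu

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

cert_days=${CERT_DAYS:-365}

# Fail fast, before generating any key material, if tools or target
# directories are missing.
command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"
command -v agenix >/dev/null 2>&1 || die "agenix not found in PATH"
[ -d pki ] || die "pki/ directory missing (run from the repository root)"
[ -d secrets ] || die "secrets/ directory missing (run from the repository root)"

tmp=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$tmp"' EXIT

# 1. Self-signed CA. The key never leaves $tmp.
openssl req -x509 -nodes \
  -newkey rsa:2048 \
  -keyout "$tmp/ca.key" \
  -days "$cert_days" \
  -out "$tmp/ca.cert" \
  -subj '/CN=hd_root'

# 2. Server key + CSR. The key goes to the private temp dir first so that a
#    failure here leaves the existing secrets/tlskey.age untouched; the
#    previous version removed the secret before generating its replacement
#    and, without pipefail, could hand agenix an empty stream.
openssl req -nodes \
  -newkey rsa:2048 \
  -keyout "$tmp/server.key" \
  -out "$tmp/server.csr" \
  -subj '/CN=lan'

# 3. Extensions for the leaf certificate. Browsers match on the SANs, not
#    on the CN, so every hostname the server answers to must be listed here.
cat > "$tmp/extfile" << EOF
subjectAltName=DNS:roam.lan,DNS:*.roam.lan,DNS:git.lan
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

# 4. Sign the CSR with the CA. -CAcreateserial writes the serial file next
#    to the CA certificate, i.e. inside $tmp, so it is discarded with the CA.
openssl x509 -req \
  -CA "$tmp/ca.cert" \
  -CAkey "$tmp/ca.key" \
  -in "$tmp/server.csr" \
  -out "$tmp/server.cert" \
  -days "$cert_days" \
  -CAcreateserial \
  -extfile "$tmp/extfile"

# 5. Sanity-check the chain before publishing anything.
openssl verify -CAfile "$tmp/ca.cert" "$tmp/server.cert" >/dev/null \
  || die "issued certificate does not verify against the new CA"

# 6. Publish. The encrypted key is replaced only now that every step above
#    succeeded. agenix -e still receives the plaintext key on stdin, as in
#    the original pipeline; the old file is removed first as before.
rm -f -- secrets/tlskey.age
agenix -e secrets/tlskey.age < "$tmp/server.key"
mv -- "$tmp/server.cert" pki/server.cert
mv -- "$tmp/ca.cert" pki/ca.cert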