#!/usr/bin/env bash

# Get cluster subdirectory name

cd $(dirname $0)

CLUSTER="$1"
if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
	echo "Usage: $0 <cluster name>"
	echo "The cluster name must be the name of a subdirectory of cluster/"
	exit 1
fi
shift 1

# Do actual stuff

if [ -z "$1" ]; then
	NIXHOSTLIST=$(ls cluster/$CLUSTER/node | grep -v '\.site\.')
else
	NIXHOSTLIST="$@"
fi

TMP_PATH=/tmp/tmp-deploy-$(date +%s)
SSH_CONFIG=cluster/$CLUSTER/ssh_config
YEAR=$(date +%Y)

for NIXHOST in $NIXHOSTLIST; do
	NIXHOST=${NIXHOST%.*}

	if [ -z "$SSH_USER" ]; then
		SSH_DEST=$NIXHOST
	else
		SSH_DEST=$SSH_USER@$NIXHOST
	fi

	echo "==== DOING $NIXHOST ===="

	echo "Sending NixOS config files"

	ssh -F $SSH_CONFIG $SSH_DEST mkdir -p $TMP_PATH $TMP_PATH/pki
	cat configuration.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
	cat nix/deuxfleurs.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deuxfleurs.nix > /dev/null
	cat cluster/$CLUSTER/cluster.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/cluster.nix > /dev/null
	cat cluster/$CLUSTER/node/$NIXHOST.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
	cat cluster/$CLUSTER/node/$NIXHOST.site.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/site.nix > /dev/null

	echo "Sending secret files"
	for SECRET in rclone.conf \
		pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
		pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
		test -f cluster/$CLUSTER/secrets/$SECRET && (cat cluster/$CLUSTER/secrets/$SECRET | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
	done

	echo "Rebuilding NixOS"

	ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deploy.sh > /dev/null <<EOF
set -ex

cd $TMP_PATH
mv deuxfleurs.nix configuration.nix cluster.nix node.nix site.nix /etc/nixos

test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)

mkdir -p /var/lib/nomad/pki /var/lib/consul/pki

if [ -f pki/consul-ca.crt ]; then
	cp pki/consul* /var/lib/nomad/pki
	mv pki/consul* /var/lib/consul/pki
	chown -R consul:root /var/lib/consul/pki
fi

if [ -f pki/nomad-ca.crt ]; then
	mv pki/nomad* /var/lib/nomad/pki
fi

nixos-rebuild switch

# Save up-to-date Consul client certificates in Consul itself
export CONSUL_HTTP_ADDR=https://localhost:8501
export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt
consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt
consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key
EOF

	ssh -t -F $SSH_CONFIG $SSH_DEST sudo sh $TMP_PATH/deploy.sh
	ssh -F $SSH_CONFIG $SSH_DEST rm -rv '/tmp/tmp-deploy-*'
done