#!/bin/sh

export SERVER_SSL_KEY=${SERVER_SSL_KEY:-ssl/server.key}
export SERVER_SSL_CRT=${SERVER_SSL_CRT:-ssl/server.crt}
SERVER_SSL_CSR=ssl/service.csr
SERVER_SSL_CA_KEY=ssl/service_ca.key
SERVER_SSL_CA_CRT=ssl/service_ca.crt
OLLAMA_KEY=/root/.ollama/id_ed25519

if [ ! -f "$OLLAMA_KEY" ]; then
    ssh-keygen -t ed25519 -N "" -f $OLLAMA_KEY
    chmod 600 $OLLAMA_KEY
    echo "Ollama signing key generated and saved to $OLLAMA_KEY"
fi

if [ -f "$SERVER_SSL_KEY" ] && [ -f "$SERVER_SSL_CRT" ]; then
    echo "service ssl crt and key already exist"
elif [ "$SERVER_USE_SSL" = "true" ]; then
    echo "Gen service ssl key and crt"
    openssl genrsa -out ${SERVER_SSL_CA_KEY} 4096
    openssl req \
        -new -x509 -days 3650 \
        -key ${SERVER_SSL_CA_KEY} \
        -subj "/C=US/ST=NY/L=NY/O=PentAGI/OU=Project/CN=PentAGI CA" \
        -out ${SERVER_SSL_CA_CRT}
    openssl req \
        -newkey rsa:4096 \
        -sha256 \
        -nodes \
        -keyout ${SERVER_SSL_KEY} \
        -subj "/C=US/ST=NY/L=NY/O=PentAGI/OU=Project/CN=localhost" \
        -out ${SERVER_SSL_CSR}

    echo "subjectAltName=DNS:pentagi.local" > extfile.tmp
    echo "keyUsage=critical,digitalSignature,keyAgreement" >> extfile.tmp

    openssl x509 -req \
        -days 730 \
        -extfile extfile.tmp \
        -in ${SERVER_SSL_CSR} \
        -CA ${SERVER_SSL_CA_CRT} -CAkey ${SERVER_SSL_CA_KEY} -CAcreateserial \
        -out ${SERVER_SSL_CRT}

    rm extfile.tmp

    cat ${SERVER_SSL_CA_CRT} >> ${SERVER_SSL_CRT}

    chmod g+r ${SERVER_SSL_KEY}

    # Remove CA private key and CSR after signing -- they are no longer
    # needed at runtime and leaving them on disk increases the attack
    # surface if the container filesystem is compromised.
    rm -f ${SERVER_SSL_CA_KEY} ${SERVER_SSL_CSR} ssl/service_ca.srl
fi

exec "$@"