#!/bin/sh

# Open Infrastructure: service-tools

# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
#
# SPDX-License-Identifier: GPL-3.0+
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

set -e

HOOK="$(basename "${0}")"
HOOK_ACTION="$(echo "${HOOK}" | awk -F. '{ print $1 }')"

# set nsupdate action
case "${HOOK}" in
	clean_challenge.*)
		HOOK_ACTION="delete"
		;;

	deploy_challenge.*)
		HOOK_ACTION="add"
		;;

	*)
		echo "'${HOOK}': no such hook action '${HOOK_ACTION}'" >&2
		echo "'${HOOK}': use 'clean_challenge.' or 'deploy_challenge.' as prefix in your symlink" >&2
		exit 1
		;;
esac

# alternatives handling for dig
if command -v kdig > /dev/null 2>&1
then
	# knot-dnsutils
	DIG="kdig +noidn"
elif command -v dig > /dev/null 2>&1
then
	# bind-dnsutils
	DIG="dig +noidnout"
else
	echo "'${HOOK}': need dig from bind-dnsutils or knot-dnsutils" >&2
	exit 1
fi

# alternatives handling for nsupdate
if command -v knsupdate > /dev/null 2>&1
then
	# knot-dnsutils
	NSUPDATE="knsupdate"
elif command -v nsupdate > /dev/null 2>&1
then
	# bind-dnsutils
	NSUPDATE="nsupdate"
else
	echo "'${HOOK}': need nsupdate from bind-dnsutils or knot-dnsutils" >&2
	exit 1
fi

# config
for FILE in /etc/default/dehydrated-nsupdate /etc/default/dehydrated-nsupdate.d/*
do
	if [ -e "${FILE}" ]
	then
		. "${FILE}"
	fi
done

# find txt record to update
CNAME="$(${DIG} +nocomments +noquestion "_acme-challenge.${DOMAIN}" 2>&1 | grep -v '^;' | awk '/CNAME/ { print $5 }' | tail -n1)"

if [ -n "${CNAME}" ]
then
	TXT_RECORD="${CNAME}"
else
	TXT_RECORD="_acme-challenge.${DOMAIN}"
fi

ZONE="${TXT_RECORD}"

# find all nameservers to update
while true
do
	NAMESERVERS="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $5 }')"

	if [ -n "${NAMESERVERS}" ]
	then
		ZONE="$(${DIG} +nocomments +noquestion NS "${ZONE}" 2>&1 | grep -v '^;' | awk '/NS/ { print $1 }' | tail -n1)"
		break
	else
		ZONE="$(echo "${ZONE}" | cut -d '.' -f 2-)"
	fi
done

NAMESERVERS_IPV6=""
NAMESERVERS_IPV4=""

for NAMESERVER in ${NAMESERVERS}
do
	if [ -n "$(${DIG} +nocomments +noquestion +short AAAA "${NAMESERVER}")" ]
	then
		NAMESERVERS_IPV6="${NAMESERVERS_IPV6} ${NAMESERVER}"
	fi

	if [ -n "$(${DIG} +nocomments +noquestion +short A "${NAMESERVER}")" ]
	then
		NAMESERVERS_IPV4="${NAMESERVERS_IPV4} ${NAMESERVER}"
	fi
done

# filter nameservers by available IP protocol
NAMESERVERS=""

if hostname -I | grep -qs ':'
then
	NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV6}"
fi

if hostname -I | grep -qs '\.'
then
	NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV4}"
fi

NAMESERVERS="$(echo "${NAMESERVERS}" | sed -e 's| |\n|g' | sort -u -V)"

# update nameservers
if [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ]
then
	NSUPDATE_OPTIONS="-k ${TSIG_KEYFILE}"
fi

for NAMESERVER in ${NAMESERVERS}
do
	echo -n "   + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..."

# shellcheck disable=SC2086
echo "server ${NAMESERVER}
zone ${ZONE}
ttl 0
update ${HOOK_ACTION} ${TXT_RECORD} 0 TXT ${TOKEN_VALUE}
send" | "${NSUPDATE}" ${NSUPDATE_OPTIONS}

	echo " done."
done