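#!/bin/bash
# Copyright (C) 2023-2025 Mike Gabriel
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Clean a Puppet client's certificate from the Puppet CA (so the client
# can re-enrol).  May only be run on tjener.intern or puppetserver.intern.
#
# Usage: <script> <client-hostname>
#   A bare short name gets ".intern" appended; a dotted name must already
#   be inside ".intern".  The name must resolve in DNS and an entry for the
#   short name (objectClass GOHard or ipHost) must exist in LDAP before the
#   certificate is cleaned; otherwise nothing is done and the script exits 0.
#
# Exit status: 0 on success (or host not found in LDAP: nothing done),
#   1 wrong host, 2 usage, 3 name not in domain, 4 name unknown in DNS.
#   (Earlier versions used negative exit values, which bash wraps to
#   252-255; positive codes are used now so callers see stable values.)

set -u

# The CA tooling and ldapsearch must talk to local services directly.
unset http_proxy
unset https_proxy

readonly DOMAIN="intern"
readonly PUPPET_SERVER="puppetserver.intern"
readonly TJENER_SERVER="tjener.intern"
HOSTNAME="$(hostname -f)"
PROG="${0##*/}"
PUPPET_CLIENT_CN="${1-}"

#######################################
# Print an error message to stderr and exit.
# Arguments: $1 - exit status, remaining args - message
#######################################
die() {
  local status=$1
  shift
  printf '%s: %s\n' "${PROG}" "$*" >&2
  exit "${status}"
}

if [[ -z "${PUPPET_CLIENT_CN}" ]]; then
  printf 'usage: %s <client-hostname>\n' "${PROG}" >&2
  exit 2
fi

if [[ "${HOSTNAME}" != "${PUPPET_SERVER}" && "${HOSTNAME}" != "${TJENER_SERVER}" ]]; then
  die 1 "Error: This script may only be run on 'tjener.intern' or 'puppetserver.intern'."
fi

# A bare short name is completed with the site domain.
if [[ "${PUPPET_CLIENT_CN}" != *.* ]]; then
  PUPPET_CLIENT_CN="${PUPPET_CLIENT_CN}.${DOMAIN}"
fi

# Validate the full name in every case (the original only checked dotted
# input): the short label is interpolated into an LDAP search filter and
# the name is handed to dig and the Puppet CA, so only the allowed
# character set may get through.
if [[ ! "${PUPPET_CLIENT_CN}" =~ ^[-_a-z0-9]+\.${DOMAIN}$ ]]; then
  die 3 "Error: Hostname '${PUPPET_CLIENT_CN}' is not in domain .${DOMAIN}."
fi

if [[ -z "$(dig "${PUPPET_CLIENT_CN}" +short | head -n1)" ]]; then
  die 4 "Error: Hostname '${PUPPET_CLIENT_CN}' unknown. Mistyped the hostname?"
fi

### Puppet 5.x et al. (until Debian 11)

# strip domain name (first label only)
hostname_short="${PUPPET_CLIENT_CN%%.*}"

## lookup host and see if it exists in LDAP.  The perl step unfolds LDIF
## continuation lines before the cn: attribute is extracted.
ldapsystem="$(ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null \
  | perl -p00e 's/\r?\n //g' \
  | grep -E '^cn:' \
  | sed -e 's/^cn: //g')"

if [[ -n "${ldapsystem}" ]]; then
  # shellcheck source=/dev/null
  source /etc/os-release
  # ID / VERSION_CODENAME come from os-release; default to empty so a
  # distribution without them falls through to the modern CA command.
  case "${ID-}:${VERSION_CODENAME-}" in
    debian:stretch|debian:buster|debian:bullseye)
      # yes, we should clean this host CRT/KEY, but the puppet 5.x way
      puppet cert clean "${PUPPET_CLIENT_CN}"
      ;;
    *)
      # yes, we should clean this host CRT/KEY, but the puppet 7++ way
      puppetserver ca clean --certname "${PUPPET_CLIENT_CN}"
      ;;
  esac
fi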