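#!/usr/bin/env sh
# This script generates an OpenSSL key pair which can be used to expose a
# Docker API over the internet.
#
# Files written to the current directory:
#   ca-key.pem      CA private key (passphrase-protected, -aes256)
#   ca.pem          CA certificate
#   server-key.pem  daemon private key (unencrypted)
#   server-cert.pem daemon certificate (SAN = HOST, IP, 127.0.0.1)
#   key.pem         client private key (unencrypted)
#   cert.pem        client certificate (extendedKeyUsage = clientAuth)
# Intermediate CSRs and extfiles are removed once the certificates exist.
#
# Runs under POSIX sh (no bashisms): abort on the first failing openssl step
# and on any unset variable so a half-generated chain is never reported as OK.
set -eu

# Defaults
days=365

# Private keys must not be readable by other users, not even between the
# moment openssl writes them and the final chmod below.
umask 077

# Prints its arguments to stderr and exits with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Displays how to use the program and exits with status 1.
usage() {
  cat << EOF
This script generates OpenSSL certificate pairs which can be used to expose a
Docker API.

Usage: $0 [-h] [-d DAYS] HOST IP [CERTDIR]

  HOST     hostname of the machine to expose
  IP       public IP of the machine to expose
  CERTDIR  directory where the certificates will reside on the machine. If
           specified, a startup_options.conf file is created for you, which
           can then be copied over to the host.

  -h       show this message
  -d       how many days the certificate will be valid; defaults to 365
EOF
  exit 1
}

while getopts ':hd:' c; do
  case $c in
    h) usage ;;
    d) days="$OPTARG" ;;
    :) die "option -$OPTARG requires an argument" ;;
    \?) die "unknown option -$OPTARG" ;;
  esac
done
shift $((OPTIND - 1))

# Check for correct amount of arguments (2 or 3). This must run before the
# positionals are read, since 'set -u' aborts on a missing $2.
if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then
  usage
fi

# -d must be a positive integer; otherwise openssl would fail part-way
# through the chain with a less helpful message.
case "$days" in
  '' | *[!0-9]* | 0) die "DAYS must be a positive integer, got '$days'" ;;
esac

host="$1"
ip="$2"
certdir="${3:-}"

# =====SERVER-SIDE=====

# Generate CA key (openssl prompts for the passphrase interactively)
openssl genrsa \
  -aes256 \
  -out ca-key.pem \
  4096

openssl req \
  -new \
  -x509 \
  -days "$days" \
  -key ca-key.pem \
  -sha256 \
  -out ca.pem

# Generate server key
openssl genrsa \
  -out server-key.pem \
  4096

openssl req \
  -subj "/CN=$host" \
  -sha256 \
  -new \
  -key server-key.pem \
  -out server.csr

# Create extfile.cnf. printf keeps HOST/IP out of the format string, so an
# unusual value cannot alter the layout of the file.
printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\n' "$host" "$ip" > extfile.cnf
printf 'extendedKeyUsage = serverAuth\n' >> extfile.cnf

# Generate server-side certificate; honours -d like the CA certificate does
openssl x509 \
  -req \
  -days "$days" \
  -sha256 \
  -in server.csr \
  -CA ca.pem \
  -CAkey ca-key.pem \
  -CAcreateserial \
  -out server-cert.pem \
  -extfile extfile.cnf

# =====CLIENT-SIDE=====

# Generate key & csr
openssl genrsa \
  -out key.pem \
  4096

openssl req \
  -subj '/CN=client' \
  -new \
  -key key.pem \
  -out client.csr

# Create extfile-client.cnf
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf

# Generate certificate
openssl x509 \
  -req \
  -days "$days" \
  -sha256 \
  -in client.csr \
  -CA ca.pem \
  -CAkey ca-key.pem \
  -CAcreateserial \
  -out cert.pem \
  -extfile extfile-client.cnf

# The CSRs and extension files are no longer needed once the certs exist.
rm -f -- server.csr client.csr extfile.cnf extfile-client.cnf

# Private keys read-only for the owner; certificates are public material.
chmod 0400 ca-key.pem server-key.pem key.pem
chmod 0444 ca.pem server-cert.pem cert.pem

# Create startup_options.conf
if [ -n "$certdir" ]; then
  cat > startup_options.conf << EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert='$certdir/ca.pem' --tlscert='$certdir/server-cert.pem' --tlskey='$certdir/server-key.pem' -H fd:// -H tcp://0.0.0.0:2376
EOF
  printf '%s\n' "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to '$certdir' on the machine."
  # NOTE(review): systemd drop-in directories are normally
  # /etc/systemd/system/<unit>.d/ — confirm the path below before relying on it.
  printf '%s\n' "'startup_options.conf' should be placed in '/etc/systemd/docker.service.d/startup_options.conf'."
else
  printf '%s\n' "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to the chosen directory on the machine."
  printf '%s\n' "Create a 'startup_options.conf' file as specified."
fi

printf '%s\n' "Now, you can restart the Docker daemon using:"
printf '%s\n' "  systemctl daemon-reload"
printf '%s\n' "  systemctl restart docker.service"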