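#!/bin/sh
#
# Generate a new private server key for the Monotone Server, if needed
#
# Author: Thomas Moschny <thomas.moschny@gmx.de>
#
# Must be run as root. Honours the MONOTONE_* environment variables below;
# each falls back to the packaged default when unset or empty.
#
# Exit status: 0 when a key already exists or was generated; 1 when the
# passphrase file would be overwritten, no random passphrase could be
# produced, or no key file is present after genkey.
#
# Written for POSIX sh: no pipefail, no $"..." message catalogs.
set -eu

MONOTONE_CONFDIR="${MONOTONE_CONFDIR:-/etc/monotone}"
MONOTONE_KEYDIR="${MONOTONE_KEYDIR:-/etc/monotone/private-keys}"
MONOTONE_DBFILE="${MONOTONE_DBFILE:-/var/lib/monotone/server.mtn}"
MONOTONE_PPFILE="${MONOTONE_PPFILE:-/etc/monotone/passphrase.lua}"

# key id defaults to monotone@<fqdn>; a failing hostname aborts under set -e
MONOTONE_KEYID="${MONOTONE_KEYID:-monotone@$(hostname -f)}"
MONOTONE_HOME="${MONOTONE_HOME:-/var/lib/monotone}"

cd "${MONOTONE_HOME}"

# check for existing keys. An unmatched glob stays literal, so the -e test
# is what decides; any existing key means there is nothing to do.
for key in "${MONOTONE_KEYDIR}/${MONOTONE_KEYID}"* ; do
  if [ -e "${key}" ] ; then
    printf '%s\n' "Found private key ${key}"
    exit 0
  fi
done

# check for existing rc file; never clobber a passphrase that may be in use
if [ -s "${MONOTONE_PPFILE}" ] ; then
  printf '%s\n' "Not overwriting passphrase file ${MONOTONE_PPFILE}" >&2
  exit 1
fi

# no key found, let's generate one
printf '%s\n' "Generating key for server ${MONOTONE_KEYID}"

# generate random passphrase: 16 bytes from urandom, hex-encoded (32 chars).
# od and tr are POSIX, hexdump is not. set -e does not see a failing dd
# inside a pipeline (sh has no pipefail), so check the result length
# explicitly instead of silently continuing with an empty passphrase.
passphrase="$(dd 2>/dev/null if=/dev/urandom bs=1 count=16 | od -An -v -tx1 | tr -d ' \n')"
if [ "${#passphrase}" -ne 32 ] ; then
  printf '%s\n' "Could not generate a random passphrase" >&2
  exit 1
fi

# generate keypair, needs to be run as root.
# The passphrase is fed twice (entry + confirmation) on stdin, so it never
# appears on a command line. A failing mtn aborts the script via set -e.
{ printf '%s\n' "${passphrase}"; printf '%s\n' "${passphrase}" ; } |
mtn --confdir="${MONOTONE_CONFDIR}" --db="${MONOTONE_DBFILE}" \
  --keydir="${MONOTONE_KEYDIR}" --force-duplicate-key \
  genkey "${MONOTONE_KEYID}"

# fix permissions: the private key must be readable only by root and the
# monotone group. The glob matches whatever file name mtn chose for the key.
found=0
for key in "${MONOTONE_KEYDIR}/${MONOTONE_KEYID}"* ; do
  if [ -e "${key}" ] ; then
    chgrp monotone "${key}"
    chmod 0640 "${key}"
    found=1
  fi
done
if [ "${found}" -eq 0 ] ; then
  printf '%s\n' "No key found, key generation failed?" >&2
  exit 1
fi

# generate rc file: create it empty with its final ownership and mode first,
# so the passphrase is never written into a file with a permissive mode
install -o root -g monotone -m 0440 /dev/null "${MONOTONE_PPFILE}"
cat > "${MONOTONE_PPFILE}" <<EOF
function get_passphrase(keyid)
  return "${passphrase}"
end
EOF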