#!/bin/bash
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"

case $1 in
  # for first run, accept host key
  -1)
    opt=(-e 'ssh -oStrictHostKeyChecking=no')
    ;;
esac

f=/a/bin/bash_unpublished/source-state
if [[ -e $f ]]; then
  source $f
fi

case $HOSTNAME in
  $MAIL_HOST|bk)
    local_mx=mail.iankelling.org
    # ||: is to allow for temporary connection issues.
    rsync "${opt[@]}" -ogtL --chown=root:Debian-exim --chmod=640 \
          root@li.iankelling.org:/etc/letsencrypt/live/mail.iankelling.org/{fullchain.pem,privkey.pem} /etc/exim4 ||:
    if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
      echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
      exit 1
    fi
    ;;&
esac

# note: exim spec, 5.3 command line option -bd says that all files except
# .include "are reread each time they are used."


exit 0