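#!/bin/sh
# Container entrypoint: drops a stale Caddy certificate store, renders the
# cgit config, starts sshd and fcgiwrap, then hands the process over to Caddy.
#
# Environment:
#   DOMAIN    - host name the served certificate is expected to carry
#   FCGI_SOCK - path of the Unix socket fcgiwrap listens on (required)
set -e

cert_dir=/data/caddy/certificates

# Fail early with a clear message instead of letting spawn-fcgi/chmod run
# with a missing socket path.
: "${FCGI_SOCK:?FCGI_SOCK must be set to the fcgiwrap socket path}"

# Check cert matches domain, else clear and renew.
# NOTE(review): the answer comes from whatever host currently responds on
# ${DOMAIN}:443, and the chain is not verified here, so a network peer decides
# whether the local store is wiped. Repeated wipes also force re-issuance.
# Inspecting the stored certificate files would avoid trusting the network.
if [ -d "$cert_dir" ] && [ -n "${DOMAIN:-}" ]; then
  # -servername sends SNI explicitly, so a multi-site front end returns the
  # certificate for this host and not its default one.
  # The sed expression accepts both subject layouts openssl prints
  # ("/CN=host" and "CN = host"); matching only "CN=" misses the spaced form
  # and the check would then never fire.
  CERT_CN=$(
    openssl s_client -connect "${DOMAIN}:443" -servername "$DOMAIN" \
      </dev/null 2>/dev/null \
      | openssl x509 -noout -subject 2>/dev/null \
      | sed -n 's|^.*CN *= *\([^,/]*\).*$|\1|p' \
      || true
  )
  # NOTE(review): only the subject CN is compared, and literally. A wildcard
  # CN, a case difference, or a certificate that names the host only in
  # subjectAltName is either reported as a mismatch or skipped. Confirm this
  # matches the certificates actually issued for DOMAIN.
  if [ -n "$CERT_CN" ] && [ "$CERT_CN" != "$DOMAIN" ]; then
    # CERT_CN is peer-supplied text; printf '%s' keeps it out of the format.
    printf '%s\n' "Cert mismatch: $CERT_CN != $DOMAIN, clearing certs"
    rm -rf -- "${cert_dir:?}/"
  fi
fi

# Generate cgitrc from template.
# NOTE(review): envsubst with no variable list expands every $NAME in the
# template from the whole environment. Pass an explicit list if the template
# contains literal dollar signs or the environment holds secrets.
envsubst < /etc/cgitrc.template > /etc/cgitrc

# Setup SSH
ssh-keygen -A # Generate host keys if missing
mkdir -p /git/.ssh
touch /git/.ssh/authorized_keys
# NOTE(review): ownership is not set here; presumably /git belongs to the
# account that logs in over SSH. Verify, since sshd may reject key files it
# considers wrongly owned.
chmod 700 /git/.ssh
chmod 600 /git/.ssh/authorized_keys
/usr/sbin/sshd

spawn-fcgi -s "$FCGI_SOCK" /usr/bin/fcgiwrap
# NOTE(review): mode 666 lets every local account in the container send CGI
# requests to fcgiwrap. If Caddy and fcgiwrap can share a group, a
# group-restricted mode is the tighter choice.
chmod 666 "$FCGI_SOCK"

exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile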