#!/usr/bin/env sh
set -e

CA_URL="https://ca.para.net:9000"
ROOT_URL="$CA_URL/roots.pem"
TMP_FILE="$(mktemp)"

echo "Downloading roots.pem from $ROOT_URL ..."
curl -sSLk "$ROOT_URL" -o "$TMP_FILE"

if [ ! -s "$TMP_FILE" ]; then
  echo "Error: roots.pem is empty or failed to download."
  exit 1
fi

# Read /etc/os-release (source manually in POSIX shell)
OS_ID=""
OS_LIKE=""
if [ -f /etc/os-release ]; then
  while IFS= read -r line; do
    case "$line" in
    ID=*) OS_ID=$(echo "$line" | cut -d= -f2 | tr -d '"') ;;
    ID_LIKE=*) OS_LIKE=$(echo "$line" | cut -d= -f2 | tr -d '"') ;;
    esac
  done </etc/os-release
fi

echo "Detected OS: ID=$OS_ID, ID_LIKE=$OS_LIKE"

# Normalize to lowercase
OS_ID=$(echo "$OS_ID" | tr 'A-Z' 'a-z')
OS_LIKE=$(echo "$OS_LIKE" | tr 'A-Z' 'a-z')

# Detect family
if echo "$OS_ID $OS_LIKE" | grep -Eq 'debian|ubuntu'; then
  echo "Installing on Debian-based system"
  TARGET_PATH="/usr/local/share/ca-certificates/step-ca.crt"
  cp "$TMP_FILE" "$TARGET_PATH"
  echo "Updating CA trust store..."
  update-ca-certificates

elif echo "$OS_ID $OS_LIKE" | grep -Eq 'rhel|centos|rocky|alma'; then
  echo "Installing on RHEL-based system"
  TARGET_PATH="/etc/pki/ca-trust/source/anchors/step-ca.pem"
  cp "$TMP_FILE" "$TARGET_PATH"
  echo "Updating CA trust store..."
  update-ca-trust extract

else
  echo "Unsupported operating system (ID=$OS_ID, LIKE=$OS_LIKE)"
  echo "You may need to install the CA manually."
  exit 2
fi

echo "Testing connection to $CA_URL ..."
if curl -sSL "$CA_URL" >/dev/null 2>&1; then
  echo "Connection successful — root CA is trusted."
else
  echo "Connection failed — check certificate installation or network configuration."
fi

rm -f "$TMP_FILE"