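#!/bin/bash
#
# Install (or extend) the SSH user-CA trust anchor on this host from a
# Vault-style endpoint, then restart sshd.
#
# Usage: script.sh <host> <key>
#   host - host name of the server that publishes the CA public key
#   key  - path segment of the CA endpoint
#   The CA key is fetched from https://<host>/v1/<key>/public_key.
#
# Writes under /etc/ssh and restarts sshd, so it must run as root.
set -o errexit
set -o nounset
set -o pipefail

#
# Helper functions
#

# Print a highlighted section header to stdout.
# Arguments: $* - header text
h2() {
  printf '\e[1;33m==>\e[37;1m %s\e[0m\n' "$*"
}

# Print an error to stderr and exit non-zero.
# Arguments: $* - message
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

host=${1:?usage: ${0##*/} <host> <key>}
key=${2:?usage: ${0##*/} <host> <key>}

readonly SSHD_CONFIG=/etc/ssh/sshd_config
CA_FILE=/etc/ssh/trusted-ca.pem
readonly VAULT_CERT="https://${host}/v1/${key}/public_key"
printf '%s\n' "$VAULT_CERT"

# Fetch into a private temp file first so that a failed or partial transfer
# never lands in the trust anchor. --fail makes curl exit non-zero on an HTTP
# error instead of saving the error page as a "CA key"; --proto '=https'
# refuses a redirect to plain HTTP.
tmp=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT
curl --fail --silent --show-error --proto '=https' -o "$tmp" -- "$VAULT_CERT" \
  || die "failed to fetch CA public key from ${VAULT_CERT}"
[[ -s "$tmp" ]] || die "fetched CA public key is empty"
# Accept only content that OpenSSH can parse as a public key; anything else
# would silently become a trusted CA.
ssh-keygen -l -f "$tmp" >/dev/null || die "downloaded file is not a valid SSH public key"

# Only an active (uncommented) directive counts as the existing trust anchor;
# a commented-out "#TrustedUserCAKeys" line must not be picked up.
existing=$(grep -E '^[[:space:]]*TrustedUserCAKeys[[:space:]]+' -- "$SSHD_CONFIG" | head -n 1 || true)
if [[ -z "$existing" ]]; then
  h2 "Add new TrustedUserCAKeys"
  # sshd needs to read the file; it must not be writable by anyone else.
  install -m 0644 -- "$tmp" "$CA_FILE"
  printf 'TrustedUserCAKeys %s\n' "$CA_FILE" | tee -a -- "$SSHD_CONFIG"
else
  CA_FILE=$(awk '{print $2}' <<<"$existing")
  h2 "Attach trusted CA to ${CA_FILE}"
  # Append only when the key line is not already present, so repeated runs
  # do not grow the trust anchor with duplicates.
  if [[ -f "$CA_FILE" ]] && grep -qxF -- "$(<"$tmp")" "$CA_FILE"; then
    h2 "CA key already present in ${CA_FILE}"
  else
    printf '%s\n' "$(<"$tmp")" >> "$CA_FILE"
  fi
fi

# Validate the configuration before restarting, so a bad directive cannot
# take sshd down and cut off remote access.
sshd -t || die "sshd configuration test failed; not restarting"
h2 "Restart sshd service"
systemctl restart sshd
h2 "Done."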