#!/bin/zsh
# TLS Certificate deployment to SSH-accessible hosts
# Abort on the first failing command. Commands tested by `if`/`||`
# (as deploy_to_host is in main) are exempt from this, as usual.
set -o errexit

# Local certificate material, relative to the working directory; the error
# text in main says it is expected to come from generate_certificate.sh.
CERT_FILE='certificates/git.lab.crt'
KEY_FILE='certificates/git.lab.key'
# Name the certificate is for. NOTE(review): not referenced by the
# functions in this file as written.
DOMAIN='git.lab'
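# Print a timestamped message to stdout.
# Arguments: $* - message text (all arguments are joined; callers in this
#                 file pass a single string)
# Outputs:   "[YYYY-mm-dd HH:MM:SS] message" followed by a newline
function log() {
  # printf rather than echo: zsh's builtin echo interprets backslash
  # escapes in its arguments, so a message containing '\n' or '\t'
  # would be rewritten. printf '%s' prints the text verbatim.
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
}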
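# Stage the certificate and private key on one host over SSH, install
# them as root and reload any running web server.
# Globals:   CERT_FILE, KEY_FILE (read)
# Arguments: $1 - host name or IP address, as accepted by ssh
# Outputs:   progress and error lines via log (stdout)
# Returns:   0 on success; 1 when the host is unreachable, the copy
#            fails, or any remote installation step fails
function deploy_to_host() {
  local host_ip="$1"
  local temp_dir
  local rv=0
  # Host keys are verified on every connection: an unknown host is
  # recorded on first contact, a changed key aborts the connection.
  # StrictHostKeyChecking=no would hand the private key to whichever
  # machine answers for $host_ip. accept-new needs OpenSSH 7.6 or later.
  # BatchMode=yes fails instead of prompting, which is what an
  # unattended deployment wants.
  local -a ssh_opts=(-o StrictHostKeyChecking=accept-new -o BatchMode=yes -o ConnectTimeout=3)

  # A value starting with '-' would be parsed by ssh/scp as an option.
  if [[ -z "$host_ip" || "$host_ip" == -* ]]; then
    log "ERROR: Invalid host name: '$host_ip'"
    return 1
  fi
  log "Deploying certificate to host: $host_ip"

  # Test SSH connectivity (timeout covers a hang after the TCP connect)
  if ! timeout 5 ssh "${ssh_opts[@]}" "$host_ip" 'true' >/dev/null 2>&1; then
    log "ERROR: Cannot connect to $host_ip via SSH"
    return 1
  fi

  # Let the remote mktemp create the staging directory (mode 0700, random
  # name). A fixed /tmp/git-lab-cert-$$ path could be pre-created or
  # symlinked by another user on the target, and the private key would
  # then land where that user can read it.
  temp_dir=$(ssh "${ssh_opts[@]}" "$host_ip" 'mktemp -d /tmp/git-lab-cert.XXXXXX') || {
    log "ERROR: Cannot create temporary directory on $host_ip"
    return 1
  }
  # Only trust a path of the shape we asked for; it is interpolated into
  # the remote command text below.
  if [[ "$temp_dir" != /tmp/git-lab-cert.* || "$temp_dir" == *[[:space:]]* ]]; then
    log "ERROR: Unexpected mktemp output from $host_ip: '$temp_dir'"
    return 1
  fi

  # Copy certificate files; a failed copy is an error, not a warning
  log "Copying certificate files to $host_ip"
  if ! scp "${ssh_opts[@]}" "$CERT_FILE" "$host_ip:$temp_dir/git.lab.crt" ||
     ! scp "${ssh_opts[@]}" "$KEY_FILE" "$host_ip:$temp_dir/git.lab.key"; then
    log "ERROR: Failed to copy certificate files to $host_ip"
    ssh "${ssh_opts[@]}" "$host_ip" "rm -rf -- '$temp_dir'" || true
    return 1
  fi

  # Execute installation commands on remote host. The heredoc is unquoted
  # so $temp_dir expands here; remote-side expansions are escaped with a
  # backslash. `set -e` makes the first failing step end the remote
  # script with a non-zero status (previously the status was that of the
  # final echo, so a failed cp or update-ca-certificates was still
  # reported as SUCCESS), and the EXIT trap removes the staged key on
  # every exit path. No tty is allocated for this session, so sudo must
  # not need a password on the target.
  ssh "${ssh_opts[@]}" "$host_ip" << REMOTE_EOF || rv=$?
set -e
trap 'rm -rf -- "$temp_dir"' EXIT
# Install CA certificate
sudo mkdir -p /usr/local/share/ca-certificates/
sudo install -m 644 -o root -g root "$temp_dir/git.lab.crt" /usr/local/share/ca-certificates/git.lab.crt
sudo update-ca-certificates
# Install SSL certificate for web services. install(1) creates each file
# with its final mode and owner, so the key is never readable by others,
# not even between a cp and the following chmod.
sudo mkdir -p /etc/ssl/git.lab/
sudo install -m 644 -o root -g root "$temp_dir/git.lab.crt" /etc/ssl/git.lab/git.lab.crt
sudo install -m 600 -o root -g root "$temp_dir/git.lab.key" /etc/ssl/git.lab/git.lab.key
# Try to reload web services (graceful reload, not restart)
if command -v systemctl >/dev/null 2>&1; then
  # Check for common web servers and reload if running
  for service in nginx apache2 httpd; do
    if systemctl is-active --quiet "\$service" 2>/dev/null; then
      echo "Reloading \$service..."
      sudo systemctl reload "\$service" || echo "Failed to reload \$service"
    fi
  done
fi
echo "Certificate deployment completed on \$(hostname)"
REMOTE_EOF

  if (( rv == 0 )); then
    log "SUCCESS: Certificate deployed to $host_ip"
    return 0
  fi
  log "ERROR: Failed to deploy certificate to $host_ip"
  return 1
}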
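# Check prerequisites, read the host list from the inventory and deploy
# to every host, then print a summary.
# Globals:   CERT_FILE, KEY_FILE (read)
# Arguments: none (positional arguments are ignored)
# Outputs:   progress and summary lines via log (stdout)
# Returns:   exits 1 when the certificate files or inventory are missing
#            or any host failed; exits 0 when the inventory holds no
#            hosts; returns 0 when every host succeeded
function main() {
  local inventory="inventory/network_inventory.yaml"
  local -a hosts=()
  local -a failed_hosts=()
  local host
  local success_count=0
  # Accept only characters that occur in host names and IPv4/IPv6
  # literals, and never a leading '-' (ssh would read it as an option).
  # Kept in a variable because a quoted right-hand side of =~ is matched
  # literally.
  local host_pat='^[A-Za-z0-9][A-Za-z0-9._:-]*$'

  if [[ ! -f "$CERT_FILE" ]] || [[ ! -f "$KEY_FILE" ]]; then
    log "ERROR: Certificate files not found. Run generate_certificate.sh first."
    exit 1
  fi
  # Read inventory file for hosts
  if [[ ! -f "$inventory" ]]; then
    log "ERROR: Network inventory file not found. Run create_inventory.sh first."
    exit 1
  fi
  log "Starting certificate deployment to hosts..."

  # Extract host IPs from inventory (simple grep-based parsing of lines of
  # the form `- ip: "..."`; unquoted values are not rewritten by the sed
  # expression and are rejected by the pattern check). Reading line by
  # line avoids the word-splitting and globbing of an unquoted $(...) in
  # an array assignment.
  while IFS= read -r host; do
    if [[ "$host" =~ $host_pat ]]; then
      hosts+=("$host")
    else
      log "WARNING: Skipping malformed inventory entry: '$host'"
    fi
  done < <(grep -E '^\s*- ip:' "$inventory" | sed 's/.*ip: "\([^"]*\)".*/\1/')

  if [[ ${#hosts[@]} -eq 0 ]]; then
    log "No hosts found in inventory file"
    exit 0
  fi
  log "Found ${#hosts[@]} hosts to deploy to"

  # Deploy to each host
  for host in "${hosts[@]}"; do
    if deploy_to_host "$host"; then
      # Not ((success_count++)): with the old value 0 that command has
      # exit status 1, and under set -e the script would stop at the
      # first successful host without printing the summary.
      success_count=$((success_count + 1))
    else
      failed_hosts+=("$host")
    fi
  done

  log "Deployment summary:"
  log " Successful: $success_count/${#hosts[@]}"
  log " Failed: ${#failed_hosts[@]}"
  if [[ ${#failed_hosts[@]} -gt 0 ]]; then
    log "Failed hosts:"
    for host in "${failed_hosts[@]}"; do
      log " - $host"
    done
    exit 1
  fi
  log "All hosts deployed successfully!"
}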
# Check if running directly or being sourced: run main only when executed.
# First test is the bash idiom (BASH_SOURCE is unset under zsh, so it is
# false there); second is the zsh one, comparing the prompt-expanded %N
# (name of the running script or sourced file) with the tail of $0.
# NOTE(review): the second expansion is zsh-only syntax; when this file is
# sourced from bash the first test is false and bash then evaluates it,
# which presumably ends in a "bad substitution" error — verify if bash
# sourcing is a supported use.
if [[ "${BASH_SOURCE[0]}" == "${0}" ]] || [[ "${(%):-%N}" == "${0:t}" ]]; then
main "$@"
fi