#!/bin/bash
###################################
############ by Sthope ############
###################################

#### USAGE
# clear;bash -c "$(wget -qLO - https://git.sthope.dev/sthope/sthope-examples/raw/branch/master/docker_portainer_stacks/portainer/setup-dockerapi-notls)"
#

openssl genrsa -out key.pem 4096

MY_IP=$(ip -4 route get 8.8.8.8 | awk {'print $7'} | tr -d '\n')

openssl req -subj "/CN=$MY_IP" -new -key key.pem -out client.csr

echo extendedKeyUsage = clientAuth > extfile-client.cnf

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf

chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

mkdir ~/.certs
cp ca.pem ~/.certs
cp server-cert.pem ~/.certs
cp server-key.pem ~/.certs

p(){
	port=$(( 100+( $(od -An -N2 -i /dev/random) )%(1023+1) ))
	while :
	do
		(echo >/dev/tcp/localhost/$port) &>/dev/null &&  port=$(( 100+( $(od -An -N2 -i /dev/random) )%(1023+1) )) || break
	done
	echo "$port"
}

mkdir -p /etc/systemd/system/docker.service.d/

cat << EOF > /etc/systemd/system/docker.service.d/startup_options.conf
# /etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/home/pi/.certs/ca.pem --tlscert=/home/pi/.certs/server-cert.pem --tlskey=/home/pi/.certs/server-key.pem -H fd:// -H tcp://0.0.0.0:$(p)
EOF

systemctl daemon-reload
systemctl restart docker.service

echo "######################################################################"
echo "############################# by Sthope ##############################"
echo "######################################################################"
echo "You can now connect Portainer to this host at ip: $MY_IP and port:"
cat /etc/systemd/system/docker.service.d/startup_options.conf