mb_recipe :ssl do

during :provision, "generate_dh"
during :provision, "generate_self_signed_crt"

end

namespace :mb do

namespace :ssl do
  desc "Generate an SSL key and CSR for Ngnix HTTPS"
  task :generate_csr do
    _run_ssl_script
    _copy_to_all_web_servers(%w(.key .csr))
  end

  desc "Generate an SSL key, CSR, and self-signed cert for Ngnix HTTPS"
  task :generate_self_signed_crt do
    _run_ssl_script("--self")
    _copy_to_all_web_servers(%w(.key .csr .crt))
  end

  desc "Generate unique DH group"
  task :generate_dh do
    privileged_on roles(:web) do
      unless test("sudo [ -f /etc/ssl/dhparams.pem ]")
        execute :sudo, "openssl dhparam -out /etc/ssl/dhparams.pem 2048"
        execute :sudo, "chmod 600 /etc/ssl/dhparams.pem"
      end
    end
  end

  def _run_ssl_script(opt="")
    privileged_on primary(:web) do
      files_exist = %w(.key .csr .crt).any? do |ext|
        test("sudo [ -f /etc/ssl/#{application_basename}#{ext} ]")
      end

      if files_exist
        info("Files exist; skipping SSL key generation.")
      else
        config = "/tmp/csr_config"
        ssl_script = "/tmp/ssl_script"

        template("csr_config.erb", config, :sudo => true)
        template("ssl_setup", ssl_script, :mode => "+x", :sudo => true)

        within "/etc/ssl" do
          execute :sudo, ssl_script, opt, application_basename, config
          execute :sudo, "rm", ssl_script, config
        end
      end
    end
  end

  def _copy_to_all_web_servers(extensions)
    # TODO
  end
end

end