##
## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##

<IfModule mod_macro.c>

<%=
  $cert_dir_le = '/srv/puppet.debian.org/from-letsencrypt'
  $cert_dir_backup = '/srv/puppet.debian.org/backup-keys'

  def make_pin_macro(site)
    pin_info = []
    pinfiles = [ "#{$cert_dir_le}/#{site}.pin",
                 "#{$cert_dir_backup}/#{site}.pin" ]
    pinfiles.each do |fn|
      if File.exist?(fn)
        pin_info << File.read(fn).chomp()
      end
    end

    res = []
    res << "<Macro http-pkp-#{site}>"
    if pin_info.size >= 2 then
      pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
      # 60 days
      pin_info << "max-age=5184000"
      pin_str = pin_info.join("; ")
      res << "  Header always set Public-Key-Pins \"#{pin_str}\""
    else
      res << "  # mod macro does not like empty macros, so here's some content:"
      res << "  <Directory /non-existant>"
      res << "  </Directory>"
    end
    res << "</Macro>"
    res << ""
    return res.join("\n")
  end

  macros = []
  Dir.glob("#{$cert_dir_le}/*.pin") do |pinfile|
    site = File.basename(pinfile, '.pin')
    macros << make_pin_macro(site)
  end
  macros.join("\n")
-%>

</IfModule>