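#!/bin/bash
# 🚀 Script to Generate Secure Secrets for Deployment
#
# Generates random credentials with OpenSSL, writes them to
# $ROOT_DIR/env/secrets.env and makes sure that file is listed in .gitignore.
#
# Globals:   ROOT_DIR (read; sourced from set-project-root.sh when unset)
#            SECRET_FILE, GITIGNORE_FILE (set here, read further down)
# Requires:  openssl (the user is offered an install when it is missing)
#
# Strict mode: a failing command (e.g. an openssl error) must stop the run
# instead of silently continuing with empty values.
set -euo pipefail

# Define root directory relative to the script location: resolve the directory
# this script lives in so the helper is sourced from there, not from whatever
# the caller's working directory happens to be.
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"

# Make sure ROOT_DIR is set (${ROOT_DIR:-} keeps `set -u` from tripping here).
if [[ -z "${ROOT_DIR:-}" ]]; then
  echo "❌ WARN: ROOT_DIR ist nicht gesetzt! Setze ROOT_DIR..."
  # shellcheck source=./set-project-root.sh
  source "$SCRIPT_DIR/set-project-root.sh"
  # Refuse to build paths from an empty prefix: with ROOT_DIR empty the
  # secrets would land in /env/secrets.env instead of the project tree.
  if [[ -z "${ROOT_DIR:-}" ]]; then
    echo "❌ ROOT_DIR is still unset after sourcing set-project-root.sh. Exiting." >&2
    exit 1
  fi
fi

readonly SECRET_FILE="$ROOT_DIR/env/secrets.env"
readonly GITIGNORE_FILE="$ROOT_DIR/.gitignore"

# ✅ Function to check if a command is installed
# Arguments: $1 - command name
# Returns:   0 if found in PATH, non-zero otherwise
check_dependency() {
  command -v "$1" >/dev/null 2>&1
}

# 🔍 Check for OpenSSL, and prompt user to install if missing
if ! check_dependency "openssl"; then
  echo "⚠️ OpenSSL is not installed. It is required to generate secure secrets."
  echo "Would you like to install OpenSSL now? (yes/no)"
  # EOF on stdin (non-interactive run) is treated like an empty answer.
  read -r install_choice || install_choice=""
  if [[ "$install_choice" == "yes" ]]; then
    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
      sudo apt update && sudo apt install -y openssl
    elif [[ "$OSTYPE" == "darwin"* ]]; then
      brew install openssl
    else
      echo "❌ Unsupported OS. Please install OpenSSL manually."
      exit 1
    fi
    # Verify the install actually put openssl on PATH before relying on it.
    if ! check_dependency "openssl"; then
      echo "❌ OpenSSL is still not available after installation. Exiting." >&2
      exit 1
    fi
  else
    echo "❌ OpenSSL is required but was not installed. Exiting."
    exit 1
  fi
fi

# ✅ Securely generate random values
# Outputs: 32 random bytes from OpenSSL's CSPRNG, base64-encoded, on stdout
generate_secret() {
  openssl rand -base64 32
}

# 🔄 Check if the secret file already exists
if [[ -f "$SECRET_FILE" ]]; then
  echo "⚠️ $SECRET_FILE already exists. Overwrite? (yes/no)"
  # EOF on stdin counts as "no": never overwrite existing secrets by default.
  read -r response || response=""
  if [[ "$response" != "yes" ]]; then
    echo "❌ Secret file creation canceled."
    exit 1
  fi
fi

# ✏️ Write secrets to file
echo "🔐 Generating $SECRET_FILE ..."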
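# ✏️ Build the secrets file in a temp file next to its final location and
# move it into place only once every value has been written. This keeps a
# failing openssl call from leaving a half-written secrets.env behind, and
# the file is never world-readable at any point (mktemp creates it mode 0600,
# whereas '> file' would have used the default umask).
SECRET_DIR="$(dirname "$SECRET_FILE")"
mkdir -p "$SECRET_DIR" # Ensure the env directory exists
TMP_SECRET_FILE="$(mktemp "$SECRET_DIR/.secrets.env.XXXXXX")" || {
  echo "❌ Could not create a temporary file in $SECRET_DIR. Exiting." >&2
  exit 1
}
cleanup_tmp_secret() { rm -f -- "$TMP_SECRET_FILE"; }
trap cleanup_tmp_secret EXIT

# write_secret KEY VALUE — append one KEY=VALUE line to the temp file.
# Refuses an empty VALUE so a failed generator can never yield a blank
# credential (a command substitution's failure does not fail the caller).
write_secret() {
  local key=$1 value=$2
  if [[ -z "$value" ]]; then
    echo "❌ Failed to generate a value for $key. Exiting." >&2
    exit 1
  fi
  printf '%s=%s\n' "$key" "$value" >> "$TMP_SECRET_FILE"
}

# hash_password PASSWORD — SHA-512 crypt hash for the given password.
# The password is passed on stdin (-stdin), not as an argument, so it is not
# visible to other users in the process list while openssl runs.
hash_password() {
  printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# 🔑 Define and write secrets
# The admin and Traefik basic-auth passwords used to be the fixed strings
# "admin" and "traefikpass" — well-known defaults anyone can guess. They are
# now random; the plaintext is stored in the (0600) secrets file under the
# new keys ADMIN_PASSWORD / TRAEFIK_ADMIN_PASSWORD so the operator can still
# log in, and the hashes keep their original keys.
admin_password="$(generate_secret)"
traefik_password="$(generate_secret)"
write_secret ADMIN_PASSWORD "$admin_password"
write_secret ADMIN_PASSWORD_HASH "$(hash_password "$admin_password")"
write_secret JWT_SECRET "$(generate_secret)"
write_secret MARIADB_PASSWORD "$(generate_secret)"
write_secret MARIADB_ROOT_PASSWORD "$(generate_secret)"
write_secret REDIS_HOST_PASSWORD "$(generate_secret)"
write_secret TRAEFIK_ADMIN_PASSWORD "$traefik_password"
write_secret TRAEFIK_BASIC_AUTH_USERS "admin:$(hash_password "$traefik_password")"
write_secret GITEA_MYSQL_PASSWORD "$(generate_secret)"
write_secret NEXTCLOUD_ADMIN_PASSWORD "$(generate_secret)"
write_secret MAIL_PASSWORD "$(generate_secret)"
unset admin_password traefik_password

# Owner-only permissions, then an atomic rename over any previous file
# (mv replaces a stale symlink instead of writing through it, unlike '>').
chmod 600 "$TMP_SECRET_FILE"
mv -f -- "$TMP_SECRET_FILE" "$SECRET_FILE" || {
  echo "❌ Could not move the secrets into place at $SECRET_FILE. Exiting." >&2
  exit 1
}
trap - EXIT

# 🛑 Ensure secrets.env is ignored by Git **without overwriting last line**
GITIGNORE_ENTRY="env/secrets.env"
if [[ -s "$GITIGNORE_FILE" && "$(tail -c1 "$GITIGNORE_FILE")" != "" ]]; then
  # Last line lacks a trailing newline; add one so the entry below is not
  # glued onto it.
  echo "" >> "$GITIGNORE_FILE"
fi
# -x: whole-line match, -F: literal string (the '.' in the entry is not a
# regex wildcard). A missing .gitignore simply gets created by the append.
if ! { [[ -f "$GITIGNORE_FILE" ]] && grep -qxF -- "$GITIGNORE_ENTRY" "$GITIGNORE_FILE"; }; then
  echo "$GITIGNORE_ENTRY" >> "$GITIGNORE_FILE"
  echo "✅ Added 'env/secrets.env' to .gitignore"
fi

echo "✅ Secrets have been generated and stored in $SECRET_FILE."
echo "⚠️ Keep this file secure and do NOT commit it to Git!"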