#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=_config.sh
source "${SCRIPT_DIR}/_config.sh"

SECRETS_DIR="${DEPLOY_DIR}/secrets"
NAMESPACE="honeydue"

log() { printf '[secrets] %s\n' "$*"; }
warn() { printf '[secrets][warn] %s\n' "$*" >&2; }
die() { printf '[secrets][error] %s\n' "$*" >&2; exit 1; }

# --- Prerequisites ---

command -v kubectl >/dev/null 2>&1 || die "Missing: kubectl"

kubectl get namespace "${NAMESPACE}" >/dev/null 2>&1 || {
  log "Creating namespace ${NAMESPACE}..."
  kubectl apply -f "${DEPLOY_DIR}/manifests/namespace.yaml"
}

# --- Validate secret files ---

require_file() {
  local path="$1" label="$2"
  [[ -f "${path}" ]] || die "Missing: ${path} (${label})"
  [[ -s "${path}" ]] || die "Empty: ${path} (${label})"
}

require_file "${SECRETS_DIR}/postgres_password.txt" "Postgres password"
require_file "${SECRETS_DIR}/secret_key.txt" "SECRET_KEY"
require_file "${SECRETS_DIR}/email_host_password.txt" "SMTP password"
# FCM server key is optional (Android not yet ready)
if [[ -f "${SECRETS_DIR}/fcm_server_key.txt" && -s "${SECRETS_DIR}/fcm_server_key.txt" ]]; then
  FCM_CONTENT="$(tr -d '\r\n' < "${SECRETS_DIR}/fcm_server_key.txt")"
  if [[ "${FCM_CONTENT}" == "PLACEHOLDER" ]]; then
    warn "fcm_server_key.txt is a placeholder — FCM push disabled"
    FCM_CONTENT=""
  fi
else
  warn "fcm_server_key.txt not found — FCM push disabled"
  FCM_CONTENT=""
fi
require_file "${SECRETS_DIR}/apns_auth_key.p8" "APNS private key"
require_file "${SECRETS_DIR}/minio_root_password.txt" "MinIO root password"

# Validate APNS key format
if ! grep -q "BEGIN PRIVATE KEY" "${SECRETS_DIR}/apns_auth_key.p8"; then
  die "APNS key file does not look like a private key: ${SECRETS_DIR}/apns_auth_key.p8"
fi

# Validate secret_key length (minimum 32 chars)
SECRET_KEY_LEN="$(tr -d '\r\n' < "${SECRETS_DIR}/secret_key.txt" | wc -c | tr -d ' ')"
if (( SECRET_KEY_LEN < 32 )); then
  die "secret_key.txt must be at least 32 characters (got ${SECRET_KEY_LEN})."
fi

# Validate MinIO password length (minimum 8 chars)
MINIO_PW_LEN="$(tr -d '\r\n' < "${SECRETS_DIR}/minio_root_password.txt" | wc -c | tr -d ' ')"
if (( MINIO_PW_LEN < 8 )); then
  die "minio_root_password.txt must be at least 8 characters (got ${MINIO_PW_LEN})."
fi

# --- Read optional config values ---

REDIS_PASSWORD="$(cfg redis.password 2>/dev/null || true)"
ADMIN_AUTH_USER="$(cfg admin.basic_auth_user 2>/dev/null || true)"
ADMIN_AUTH_PASSWORD="$(cfg admin.basic_auth_password 2>/dev/null || true)"
TLS_MODE="$(cfg tls.mode 2>/dev/null || echo "letsencrypt")"

# --- Create app secrets ---

log "Creating honeydue-secrets..."
SECRET_ARGS=(
  --namespace="${NAMESPACE}"
  --from-literal="POSTGRES_PASSWORD=$(tr -d '\r\n' < "${SECRETS_DIR}/postgres_password.txt")"
  --from-literal="SECRET_KEY=$(tr -d '\r\n' < "${SECRETS_DIR}/secret_key.txt")"
  --from-literal="EMAIL_HOST_PASSWORD=$(tr -d '\r\n' < "${SECRETS_DIR}/email_host_password.txt")"
  --from-literal="FCM_SERVER_KEY=${FCM_CONTENT}"
  --from-literal="MINIO_ROOT_PASSWORD=$(tr -d '\r\n' < "${SECRETS_DIR}/minio_root_password.txt")"
)

if [[ -n "${REDIS_PASSWORD}" ]]; then
  log "  Including REDIS_PASSWORD in secrets"
  SECRET_ARGS+=(--from-literal="REDIS_PASSWORD=${REDIS_PASSWORD}")
fi

kubectl create secret generic honeydue-secrets \
  "${SECRET_ARGS[@]}" \
  --dry-run=client -o yaml | kubectl apply -f -

# --- Create APNS key secret ---

log "Creating honeydue-apns-key..."
kubectl create secret generic honeydue-apns-key \
  --namespace="${NAMESPACE}" \
  --from-file="apns_auth_key.p8=${SECRETS_DIR}/apns_auth_key.p8" \
  --dry-run=client -o yaml | kubectl apply -f -

# --- Create GHCR registry credentials ---

REGISTRY_SERVER="$(cfg registry.server)"
REGISTRY_USER="$(cfg registry.username)"
REGISTRY_TOKEN="$(cfg registry.token)"

if [[ -n "${REGISTRY_SERVER}" && -n "${REGISTRY_USER}" && -n "${REGISTRY_TOKEN}" ]]; then
  log "Creating ghcr-credentials..."
  kubectl create secret docker-registry ghcr-credentials \
    --namespace="${NAMESPACE}" \
    --docker-server="${REGISTRY_SERVER}" \
    --docker-username="${REGISTRY_USER}" \
    --docker-password="${REGISTRY_TOKEN}" \
    --dry-run=client -o yaml | kubectl apply -f -
else
  warn "Registry credentials incomplete in config.yaml — skipping ghcr-credentials."
fi

# --- Create Cloudflare origin cert (only if cloudflare mode) ---

if [[ "${TLS_MODE}" == "cloudflare" ]]; then
  require_file "${SECRETS_DIR}/cloudflare-origin.crt" "Cloudflare origin cert"
  require_file "${SECRETS_DIR}/cloudflare-origin.key" "Cloudflare origin key"

  log "Creating cloudflare-origin-cert..."
  kubectl create secret tls cloudflare-origin-cert \
    --namespace="${NAMESPACE}" \
    --cert="${SECRETS_DIR}/cloudflare-origin.crt" \
    --key="${SECRETS_DIR}/cloudflare-origin.key" \
    --dry-run=client -o yaml | kubectl apply -f -
fi

# --- Create admin basic auth secret ---

if [[ -n "${ADMIN_AUTH_USER}" && -n "${ADMIN_AUTH_PASSWORD}" ]]; then
  command -v htpasswd >/dev/null 2>&1 || die "Missing: htpasswd (install apache2-utils)"
  log "Creating admin-basic-auth secret..."
  HTPASSWD="$(htpasswd -nb "${ADMIN_AUTH_USER}" "${ADMIN_AUTH_PASSWORD}")"
  kubectl create secret generic admin-basic-auth \
    --namespace="${NAMESPACE}" \
    --from-literal=users="${HTPASSWD}" \
    --dry-run=client -o yaml | kubectl apply -f -
else
  warn "admin.basic_auth_user/password not set in config.yaml — skipping admin-basic-auth."
  warn "Admin panel will NOT have basic auth protection."
fi

# --- Done ---

log ""
log "All secrets created in namespace '${NAMESPACE}'."
log "Verify: kubectl get secrets -n ${NAMESPACE}"