#!/usr/bin/env bash
set -euf -o pipefail

# Function to securely query user for a password, verify it, and return it for further use
prompt_password() {
	local purpose="$1"
	local password password_confirm

	while true; do
		printf "Enter password for %s: " "$purpose"
		read -rs password
		printf "\nConfirm password for %s: " "$purpose"
		read -rs password_confirm
		printf "\n"

		# Check if passwords match
		if [[ "$password" == "$password_confirm" ]]; then
			RETURNED_PASSWORD="$password"
			printf "Password verified for %s.\n" "$purpose"
			return 0
		else
			printf "Error: Passwords do not match. Please try again.\n" >&2
		fi
	done
}

# Trap SIGINT to exit gracefully if the user aborts with CTRL+C
trap 'printf "\nOperation aborted by user.\n" >&2; exit 1' SIGINT


cd "$(dirname "$(realpath "$0")")/../"

# Check if .env exists and exit if it is
[[ -f ./.env ]] && echo ".env already exists. Exiting!" && exit 1 || true

cat ./env.template >> ./.env
echo "# SECRETS" >> ./.env
echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> ./.env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> ./.env
prompt_password "AUTHENTIK_EMAIL__PASSWORD"; echo "AUTHENTIK_EMAIL__PASSWORD=${RETURNED_PASSWORD}" >> ./.env; unset RETURNED_PASSWORD
prompt_password "GEOIPUPDATE_LICENSE_KEY"; echo "GEOIPUPDATE_LICENSE_KEY=${RETURNED_PASSWORD}" >> ./.env; unset RETURNED_PASSWORD
echo "" >> ./.env

# Generate dhparam, if not existing
[[ ! -d ./data/nginx/certs ]] && mkdir -p ./data/nginx/certs && chmod 700 ./data/nginx/certs || true
[[ ! -f ./data/nginx/certs/dhparams.pem ]] && echo "" && openssl dhparam -out ./data/nginx/certs/dhparams.pem 4096 \
	&& echo "" && echo "Checking generated dhparams" && openssl dhparam -check -in ./data/nginx/certs/dhparams.pem || true

# Create certificate
if [[ ! -d ./data/.lego ]]; then
	echo ""
	echo "Create certificate"
	lego \
		--path ./data/.lego \
		--accept-tos \
		--email="acme@base23.de" \
		--domains="sso.base23.de" \
		--http run

	# Link certificates to correct directory

	ln -s ../../.lego/certificates/sso.base23.de.crt ./data/nginx/certs/sso.base23.de.crt
	ln -s ../../.lego/certificates/sso.base23.de.issuer.crt ./data/nginx/certs/sso.base23.de.issuer.crt
	ln -s ../../.lego/certificates/sso.base23.de.key ./data/nginx/certs/sso.base23.de.key
fi

# Setup cronjob to automatically renew certificates