#!/usr/bin/env bash
set -euf -o pipefail

# Function to securely query user for a password, verify it, and return it for further use
prompt_password() {
	local purpose="$1"
	local password password_confirm

	while true; do
		printf "Enter password for %s: " "$purpose"
		read -rs password
		printf "\nConfirm password for %s: " "$purpose"
		read -rs password_confirm
		printf "\n"

		# Check if passwords match
		if [[ "$password" == "$password_confirm" ]]; then
			RETURNED_PASSWORD="$password"
			printf "Password verified for %s.\n" "$purpose"
			return 0
		else
			printf "Error: Passwords do not match. Please try again.\n" >&2
		fi
	done
}

# Trap SIGINT to exit gracefully if the user aborts with CTRL+C
trap 'printf "\nOperation aborted by user.\n" >&2; rm .env; exit 1' SIGINT


cd "$(dirname "$(realpath "$0")")"

# Check if .env exists and exit if it is
[[ -f ./.env ]] && echo ".env already exists. Exiting!" && exit 1 || true

cat ./env.template >> .env
echo "# SECRETS" >> .env
echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
prompt_password "AUTHENTIK_EMAIL__PASSWORD"; echo "AUTHENTIK_EMAIL__PASSWORD=${RETURNED_PASSWORD}" >> .env; unset RETURNED_PASSWORD
prompt_password "GEOIPUPDATE_LICENSE_KEY"; echo "GEOIPUPDATE_LICENSE_KEY=${RETURNED_PASSWORD}" >> .env; unset RETURNED_PASSWORD
echo "" >> .env