#!/usr/bin/env bash

# Script: gen-firezone-secrets.sh
# Purpose: Generate all Firezone-required secrets as random hex values,
#          and store them in an OpenShift secret.
#          Configures Gmail as SMTP relay in OUTBOUND_EMAIL_ADAPTER_OPTS.

set -euo pipefail

# Change to your desired namespace (project name):
NAMESPACE="firezone"
SECRET_NAME="firezone-secrets"

# Random hex strings for Firezone secrets (adjust byte sizes as needed).
SECRET_KEY_BASE="$(openssl rand -hex 32)"
LIVE_VIEW_SIGNING_SALT="$(openssl rand -hex 8)"
COOKIE_SIGNING_SALT="$(openssl rand -hex 8)"
COOKIE_ENCRYPTION_SALT="$(openssl rand -hex 8)"
TOKENS_KEY_BASE="$(openssl rand -hex 32)"
TOKENS_SALT="$(openssl rand -hex 8)"
RELEASE_COOKIE="$(openssl rand -hex 16)"

# Database credentials (example)
DB_USERNAME="firezone_db_user"
DB_PASSWORD="firezone_db_pass"

# Gmail SMTP configuration
# Replace these with your actual Gmail username & app password
GMAIL_USERNAME="postmaster@mg.calegix.net"
GMAIL_APP_PASSWORD="9e847ec32783381d4ff3a316c8157c64-667818f5-9bf832a6"

# We'll embed these in a JSON object that Swoosh can parse:
OUTBOUND_EMAIL_ADAPTER_OPTS="$(cat <<EOF
{
  "api_key": "6c560f38672717eb06055acd32d52966-667818f5-7e660ceb",
  "domain": "mg.calegix.net"
}
EOF
)"

echo "Creating/updating Secret '$SECRET_NAME' in namespace '$NAMESPACE'..."

oc -n "$NAMESPACE" create secret generic "$SECRET_NAME" \
    --from-literal=SECRET_KEY_BASE="$SECRET_KEY_BASE" \
    --from-literal=LIVE_VIEW_SIGNING_SALT="$LIVE_VIEW_SIGNING_SALT" \
    --from-literal=COOKIE_SIGNING_SALT="$COOKIE_SIGNING_SALT" \
    --from-literal=COOKIE_ENCRYPTION_SALT="$COOKIE_ENCRYPTION_SALT" \
    --from-literal=TOKENS_KEY_BASE="$TOKENS_KEY_BASE" \
    --from-literal=TOKENS_SALT="$TOKENS_SALT" \
    --from-literal=RELEASE_COOKIE="$RELEASE_COOKIE" \
    --from-literal=username="$DB_USERNAME" \
    --from-literal=password="$DB_PASSWORD" \
    --from-literal=OUTBOUND_EMAIL_ADAPTER_OPTS="$OUTBOUND_EMAIL_ADAPTER_OPTS" \
    --dry-run=client -o yaml | oc apply -f -

echo "Done! Your Firezone secrets have been created/updated."