prvng_core/nulib/sops_env.nu

export-env {
    # Get infrastructure path (early return if not set)
    let infra_path = if ("CURRENT_INFRA_PATH" in $env) { $env.CURRENT_INFRA_PATH } else { "" }
    if ($infra_path | is-empty) {
        return
    }

    # Check vault-service configuration
    let vault_url = if ("VAULT_SERVICE_URL" in $env) { $env.VAULT_SERVICE_URL } else { "" }
    let vault_env = if ("PROVISIONING_ENV" in $env) { $env.PROVISIONING_ENV } else { "dev" }
    let use_vault = (not ($vault_url | is-empty)) and ($vault_url | str starts-with "http")

    if $use_vault {
        # Attempt to fetch public key from vault-service
        let response = (http get $"($vault_url)/api/v1/age/get-public?env=($vault_env)" | complete)

        if $response.exit_code == 0 {
            let json = ($response.stdout | from json)
            let public_key = ($json | get -o public_key | default "")

            if not ($public_key | is-empty) {
                $env.SOPS_AGE_RECIPIENTS = $public_key
                print $"✓ Age public key loaded from vault-service for ($vault_env)"
                return
            }
        }

        print "⚠️ Could not fetch Age key from vault-service, using filesystem fallback"
    }

    # Fallback: Load from filesystem
    let kloud_path = if ("CURRENT_KLOUD_PATH" in $env) { $env.CURRENT_KLOUD_PATH } else { "" }
    let base_path = if ($kloud_path | is-empty) { $infra_path } else { $kloud_path }

    $env.PROVISIONING_SOPS = (get_def_sops $base_path)
    $env.PROVISIONING_KAGE = (get_def_age $base_path)

    # Parse filesystem Age key
    let kage_file = if ("PROVISIONING_KAGE" in $env) { $env.PROVISIONING_KAGE } else { "" }
    if not ($kage_file | is-empty) {
        $env.SOPS_AGE_KEY_FILE = $kage_file

        let key_line = (grep "public key:" $env.SOPS_AGE_KEY_FILE | head -n 1 | default "")
        let key_parts = ($key_line | split row ":" | each { |x| $x | str trim })
        let public_key = if ($key_parts | length) > 1 { $key_parts | get 1 } else { "" }

        if not ($public_key | is-empty) {
            $env.SOPS_AGE_RECIPIENTS = $public_key
        } else {
            print $"❗Error no key found in (_ansi red_bold)($kage_file)(_ansi reset) file"
            exit 1
        }
    }
}