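#!/usr/bin/env nu
# Generate Random Secrets for Provisioning Platform
#
# Reads .env.example from the current directory, replaces each CHANGE_ME_*
# placeholder it knows about with a freshly generated random value, and writes
# the result to a mode-600 file. Randomness comes from `openssl rand` (the
# host's openssl binary must be on PATH).

# Entry point.
#   --output  path of the file to write (default: .env)
#   --force   overwrite --output if it already exists
#
# Failures exit non-zero. The original `return 1` made main *emit* the value 1
# (nu prints it) and exit 0, so `nu gen-secrets.nu && docker compose up`-style
# chains carried on without a secrets file.
def main [
    --output: string = ".env"  # Output file path
    --force                    # Overwrite existing file
] {
    print $"(ansi green_bold)Generating Secrets for Provisioning Platform(ansi reset)"
    print ""

    # Never silently clobber an existing secrets file.
    if ($output | path exists) and not $force {
        print $"(ansi red_bold)Error:(ansi reset) ($output) already exists"
        print "Use --force to overwrite"
        exit 1
    }

    # The template defines which variables the platform expects.
    if not (".env.example" | path exists) {
        print $"(ansi red_bold)Error:(ansi reset) .env.example not found"
        exit 1
    }
    # --raw guarantees a string regardless of how nu classifies the extension.
    mut content = (open --raw .env.example)

    # Placeholder -> generated value.
    # generate_secret N  = N random bytes, base64 (32 bytes = 256 bits).
    # generate_password N = N alphanumeric characters (62-symbol alphabet).
    let secrets = {
        "CHANGE_ME_RANDOM_SECRET_HERE": (generate_secret 32),
        "CHANGE_ME_GITEA_SECRET_KEY": (generate_secret 32),
        "CHANGE_ME_ADMIN_PASSWORD": (generate_password 16),
        "CHANGE_ME_POSTGRES_PASSWORD": (generate_password 24),
        "CHANGE_ME_API_SERVER_JWT_SECRET": (generate_secret 32),
        "CHANGE_ME_HARBOR_ADMIN_PASSWORD": (generate_password 16),
        "CHANGE_ME_HARBOR_DB_PASSWORD": (generate_password 24),
        "CHANGE_ME_HARBOR_CORE_SECRET": (generate_secret 32),
        "CHANGE_ME_HARBOR_JOBSERVICE_SECRET": (generate_secret 32),
        "CHANGE_ME_GRAFANA_PASSWORD": (generate_password 16)
    }

    # Replace placeholders. No key is a substring of another, so replacement
    # order is irrelevant. The keys contain no regex metacharacters and base64
    # values contain no `$`, so this is safe whether this nu version treats the
    # `str replace` pattern literally or as a regex.
    # NOTE(review): base64 values may contain `=`, `+` and `/`; confirm the
    # consumer's dotenv parser accepts `=` inside an unquoted value, otherwise
    # quote the placeholders in .env.example.
    for secret in ($secrets | transpose key value) {
        $content = ($content | str replace -a $secret.key $secret.value)
    }

    # Any CHANGE_ME_ still present is a placeholder this script does not know
    # about and would otherwise ship as a literal credential.
    let leftovers = ($content | lines | where $it =~ 'CHANGE_ME_')
    if ($leftovers | length) > 0 {
        print $"(ansi yellow)⚠️  Warning: unreplaced placeholders remain in ($output):(ansi reset)"
        for line in $leftovers {
            print $"  ($line)"
        }
    }

    # Create the file empty and restrict it BEFORE the secrets are written, so
    # the contents are never exposed under the default umask (typically 644).
    # Rewriting an existing path with `save -f` keeps its mode, so the later
    # write inherits 600.
    "" | save -f $output
    # The original `do { ... } catch { ... }` is not try/catch syntax, and
    # `complete` swallows the exit code, so the warning below could never fire.
    let chmod_ok = (try {
        (do { ^chmod 600 $output } | complete).exit_code == 0
    } catch {
        false
    })
    if not $chmod_ok {
        print $"(ansi yellow)⚠️  Warning: Could not set restrictive permissions on ($output)(ansi reset)"
    }
    $content | save -f $output

    print $"(ansi green)✓ Generated ($output) with secure secrets(ansi reset)"
    print ""
    print $"(ansi cyan_bold)Generated Secrets (redacted):(ansi reset)"
    for secret in ($secrets | transpose key value) {
        # "CHANGE_ME_HARBOR_DB_PASSWORD" -> "Harbor Db Password"
        # (-a: every underscore, not just the first one)
        let name = ($secret.key
            | str replace "CHANGE_ME_" ""
            | str replace -a "_" " "
            | str downcase
            | str title-case)
        print $"  ($name): [REDACTED - see ($output)]"
    }
    print ""
    print $"(ansi yellow)⚠️  SECURITY WARNING:(ansi reset)"
    print $"  • Secrets are held in this process memory temporarily"
    print $"  • The file ($output) contains unencrypted secrets"
    print $"  • Use encrypted vaults (SOPS/Age) for production secrets"
    print $"  • Never commit ($output) to version control"
    print $"  • Add to .gitignore immediately:"
    print $"      echo '($output)' >> .gitignore"
}

# Generate a random secret: `length` BYTES from openssl's CSPRNG, base64-encoded
# (32 bytes -> 44 characters, 256 bits). openssl wraps base64 output at 64
# columns, so all whitespace is stripped (not just trimmed at the ends);
# otherwise any request above 48 bytes would embed a newline in the .env value.
def generate_secret [length: int] {
    openssl rand -base64 $length | str replace -ra '\s' ''
}

# Generate a random alphanumeric password of exactly `length` characters.
# Base64 from openssl is filtered to [A-Za-z0-9]; because the filter does not
# depend on position, surviving characters are uniform over 62 symbols
# (16 chars ≈ 95 bits). Two fixes over the original:
#   * the pool is refilled until it is long enough, instead of a fixed 48 bytes
#     that silently produced short passwords for length > ~60;
#   * nu ranges are inclusive, so `0..$length` returned length+1 characters.
# NOTE(review): some consumers (e.g. Harbor's admin password policy) may
# require mixed case plus a digit; ~6% of 16-char alphanumeric strings lack a
# digit. Confirm whether callers need that enforced here.
def generate_password [length: int] {
    if $length <= 0 {
        return ""
    }
    mut pool = ""
    # 3 bytes -> 4 base64 chars, ~97% of which are alphanumeric; asking for
    # 2*length+8 bytes almost always satisfies the request in one round.
    while ($pool | str length) < $length {
        let chunk = (openssl rand -base64 ($length * 2 + 8) | str replace -ra '[^a-zA-Z0-9]' '')
        $pool = $pool + $chunk
    }
    $pool | str substring 0..($length - 1)
}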