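#!/bin/sh
# Migrate auth-token from /etc/iconik/<service>/config.ini to systemd-creds
# encrypted credentials. Run as root.
#
# Steps performed:
#   1. Detect the installed unit (storage gateway or edge transcoder).
#   2. Extract the auth-token value from config.ini.
#   3. Encrypt it via `systemd-creds encrypt` into /etc/credstore.encrypted/.
#   4. Write a drop-in override with LoadCredentialEncrypted=.
#   5. Strip the auth-token line from config.ini. The backup file that the
#      in-place edit creates still holds the plaintext token, so it is
#      deleted again (also on early exit) rather than kept.
#   6. daemon-reload and restart the unit.
#
# If an encrypted blob already exists, it will be overwritten!
# If config.ini already has no auth-token line, the script exits
# without changes.
#
# Portability: POSIX sh, except for `sed -i<suffix>`, which both GNU and
# BSD sed accept.

set -eu

# Print a message to stderr and exit with status 1.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

# Set UNIT, PREFIX and CONFIG_DIR for the first installed iconik unit,
# trying the underscore and hyphen spellings of each service in that order.
# Exits via die when none of them is installed.
detect_unit() {
    UNIT=
    for candidate in iconik_storage_gateway iconik-storage-gateway \
                     iconik_edge_transcoder iconik-edge-transcoder; do
        if systemctl cat "$candidate.service" >/dev/null 2>&1; then
            UNIT=$candidate
            break
        fi
    done
    case "$UNIT" in
        iconik_storage_gateway|iconik-storage-gateway)
            PREFIX=iconik-isg
            CONFIG_DIR=/etc/iconik/iconik_storage_gateway
            ;;
        iconik_edge_transcoder|iconik-edge-transcoder)
            PREFIX=iconik-et
            CONFIG_DIR=/etc/iconik/iconik_edge_transcoder
            ;;
        *)
            die "no iconik service (storage gateway or edge transcoder) found"
            ;;
    esac
}

# Print the value of the last non-empty `auth-token` / `auth_token`
# assignment in $CONFIG (any spacing around `=`, trailing whitespace
# stripped), or nothing when there is none. Always returns 0.
extract_token() {
    sed -n 's/^[[:space:]]*auth[-_]token[[:space:]]*=[[:space:]]*\(..*\)$/\1/p' "$CONFIG" \
        | sed 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | tail -n 1 || true
}

# Encrypt $TOKEN into $CRED_FILE, replacing any previous blob.
write_credential() {
    if [ -e "$CRED_FILE" ]; then
        echo "overwriting existing $CRED_FILE"
        rm -f "$CRED_FILE"
    fi
    # The token is fed on stdin rather than argv (argv is visible in `ps`).
    # The subshell umask keeps the blob private from the moment it is
    # created instead of only after the chmod below.
    (
        umask 077
        printf '%s' "$TOKEN" | systemd-creds encrypt --name=auth-token - "$CRED_FILE"
    )
    chmod 0400 "$CRED_FILE"
    echo "wrote $CRED_FILE"
}

# Rebuild the override to reference every encrypted secret on disk, matching
# the layout produced by systemd_creds_setup.sh. The credential ID is the
# part of each file name after "$DIR/$PREFIX." (anchored, so a prefix that
# happens to recur inside the name is not stripped twice).
write_override() {
    {
        printf '%s\n' "[Service]"
        for f in "$DIR/$PREFIX".*; do
            [ -e "$f" ] || continue   # unmatched glob leaves the literal pattern
            printf 'LoadCredentialEncrypted=%s:%s\n' "${f#"$DIR/$PREFIX".}" "$f"
        done
    } > "$OVERRIDE"
    echo "wrote $OVERRIDE"
}

# Delete every line that assigns auth-token / auth_token from $CONFIG.
strip_token() {
    # `sed -i<suffix>` keeps the original -- plaintext token included -- as
    # $CONFIG.tmp; remove it on every exit path, not just the happy one.
    trap 'rm -f "$CONFIG.tmp"' EXIT
    sed -i.tmp '/^[[:space:]]*auth[-_]token[[:space:]]*=/d' "$CONFIG"
    rm -f "$CONFIG.tmp"
    trap - EXIT
    echo "removed auth-token from $CONFIG"
}

# Reload unit files and restart $UNIT so it picks up the credential.
# A failed restart is reported explicitly because by now the token exists
# only in $CRED_FILE.
restart_unit() {
    systemctl daemon-reload
    if ! systemctl restart "$UNIT"; then
        die "restart of $UNIT failed; the token now lives only in $CRED_FILE -- check 'journalctl -u $UNIT'"
    fi
    echo "restarted $UNIT"
}

main() {
    [ "$(id -u)" -eq 0 ] || die "must run as root"
    # Pre-flight: fail before touching anything if the encrypt tool is absent.
    command -v systemd-creds >/dev/null 2>&1 || die "systemd-creds not found in PATH"

    detect_unit

    CONFIG=$CONFIG_DIR/config.ini
    DIR=/etc/credstore.encrypted
    OVERRIDE_DIR=/etc/systemd/system/${UNIT}.service.d
    OVERRIDE=$OVERRIDE_DIR/credentials.conf
    CRED_FILE=$DIR/$PREFIX.auth-token

    [ -f "$CONFIG" ] || die "config not found: $CONFIG"

    TOKEN=$(extract_token)
    if [ -z "$TOKEN" ]; then
        echo "no auth-token line found in $CONFIG -- nothing to migrate"
        exit 0
    fi

    mkdir -p "$DIR" "$OVERRIDE_DIR"
    # Order matters: the encrypted blob and the override must exist before
    # the plaintext line is removed from config.ini.
    write_credential
    write_override
    strip_token
    restart_unit
}

main "$@"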
