#!/bin/sh
# Encrypt iconik storage gateway secrets with systemd-creds and wire them
# into the service via a drop-in override. Run as root.
# Press Enter to skip a secret you don't use.
#
# Auto-detects the installed unit:
#   iconik_storage_gateway / iconik-storage-gateway  -> prefix iconik-isg
#   iconik_edge_transcoder / iconik-edge-transcoder  -> prefix iconik-et
# (EL uses underscores, Debian uses hyphens.)

# Abort on any failing command and on unset variables. pipefail is not
# portable under /bin/sh, so pipelines below are written to not rely on it.
set -eu

# Everything after this point writes under /etc and talks to systemd as the
# privileged manager, so refuse early rather than failing half-way through.
[ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }

# Pick the first installed iconik unit from the candidate list, in this order
# (EL spells the names with underscores, Debian with hyphens). Each entry is
# "unit:prefix"; only the first match is configured if several are installed.
UNIT=
PREFIX=
for candidate in \
    iconik_storage_gateway:iconik-isg \
    iconik-storage-gateway:iconik-isg \
    iconik_edge_transcoder:iconik-et \
    iconik-edge-transcoder:iconik-et; do
    if systemctl cat "${candidate%%:*}.service" >/dev/null 2>&1; then
        UNIT=${candidate%%:*}
        PREFIX=${candidate#*:}
        break
    fi
done

if [ -z "$UNIT" ]; then
    echo "no iconik service (storage gateway or edge transcoder) found" >&2
    exit 1
fi

# Encrypted blobs go into systemd's encrypted credential store; the drop-in
# that hands them to the unit sits in the unit's own override directory.
DIR=/etc/credstore.encrypted
OVERRIDE_DIR="/etc/systemd/system/$UNIT.service.d"
OVERRIDE="$OVERRIDE_DIR/credentials.conf"

mkdir -p -- "$DIR" "$OVERRIDE_DIR"

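# Prompt for one secret and store it as an encrypted systemd credential.
#   $1 - credential ID (e.g. auth-token); the file is "$DIR/$PREFIX.$1"
# Globals read: DIR, PREFIX
# Returns 0 after writing the file or after the user skipped it with an empty
# answer; returns 1 if the prompt itself failed (no TTY, Ctrl-C, ...).
encrypt() {
    name=$1
    out="$DIR/$PREFIX.$name"
    # Capture the answer in a variable instead of piping the prompt straight
    # into systemd-creds: without pipefail a failed or empty prompt would
    # otherwise still produce an (empty) credential file that the override
    # then references. printf is a shell builtin, so the value never appears
    # on an external command line.
    secret=$(systemd-ask-password -n "$name:") || {
        echo "could not read $name" >&2
        return 1
    }
    if [ -z "$secret" ]; then
        echo "skipping $name (nothing entered)"
        return 0
    fi
    # --name embeds the credential ID in the blob; the override must load it
    # under the same ID (the part of the file name after "$PREFIX."), which
    # systemd checks when the unit starts. The umask keeps the file private
    # from the moment it is created, before the explicit chmod below.
    printf '%s' "$secret" | (umask 077; systemd-creds encrypt --name="$name" - "$out")
    unset secret
    chmod 0400 "$out"
    echo "wrote $out"
}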

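encrypt auth-token

# Print a [Service] drop-in that loads every encrypted secret on disk.
# Globals read: DIR, PREFIX
# Outputs: the drop-in text on stdout
# The credential ID is obtained by stripping the exact "$DIR/$PREFIX." prefix
# from the path, so an ID that happens to contain the prefix itself is not
# truncated (a bare "${f##*$PREFIX.}" would strip up to its last occurrence).
write_override() {
    echo "[Service]"
    for f in "$DIR/$PREFIX".*; do
        # -f also skips the literal pattern left by an unmatched glob.
        [ -f "$f" ] || continue
        echo "LoadCredentialEncrypted=${f#"$DIR/$PREFIX."}:$f"
    done
}

# Rebuild the override from scratch so removed files drop out as well.
write_override > "$OVERRIDE"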

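# Make systemd pick up the new drop-in, then restart so the unit starts with
# the credentials mounted. set -e aborts if either step fails (e.g. a blob
# that cannot be decrypted on this host fails the start job).
systemctl daemon-reload
systemctl restart "$UNIT"
# systemctl restart only waits for the start job; a service that comes up and
# then exits because it rejects the new secret may not be reported by it, so
# confirm the unit is actually running and point at the journal otherwise.
systemctl --quiet is-active "$UNIT" || {
    echo "$UNIT is not active after restart; see: journalctl -u $UNIT" >&2
    exit 1
}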
