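#!/bin/sh
# Encrypt secrets kept in `pass` into age-armored files under tw/system/files/,
# one recipient per target host. Recipients are the hosts' ssh-ed25519 host
# keys (age accepts SSH public keys as recipients); hosts without an SSH host
# key get a dedicated age key. Existing .enc files are never rewritten, so to
# re-encrypt a rotated secret, delete its .enc file first and re-run.
#
# `set -e` lives here rather than in the shebang so it also applies when the
# script is started as `sh script`; `-u` catches a host that slipped out of
# the case tables below.
set -eu

# port DEVICE -> SSH port of DEVICE, as recorded in known_hosts.
# Fails (status 1, message on stderr) for a device with no entry.
port () {
  case $1 in
    lud|vin) echo 22022 ;;
    pi3) echo 51022 ;;
    *) echo "port: unknown device: $1" >&2; return 1 ;;
  esac
}

# hostkey DEVICE -> age recipient for DEVICE, on stdout.
# Laptops and frm use fixed age keys; every other device's recipient is its
# ssh-ed25519 host key taken from the user's known_hosts (ssh-keygen -F), so
# the recipient is only as trustworthy as that known_hosts entry.
# Fails if the entry is missing or names more than one ssh-ed25519 key.
hostkey () {
  case $1 in
    # Laptops have no SSH host keys, so use a special age key.
    lap) echo age1r2q54q6phf47ssc2wrw6enpdlghfaj0pdhp879se4d47zlkgq4sskzlj25 ;;
    frm) echo age1wm9cn6pwguc6a26ltlf39c00qlyka8c48dfc2fcj9w7j522ekcaq5hg2e8 ;;
    *)
      hostport=$(port "$1") || return 1
      # ssh-keygen's exit status is masked by the pipeline (no pipefail in
      # POSIX sh), so the extracted key is validated instead of the status.
      key=$(ssh-keygen -F "[$1.twilken.net]:$hostport" \
        | awk '$2 == "ssh-ed25519" { print $2, $3 }' | sort -u)
      case $key in
        "ssh-ed25519 "*) ;;
        *)
          echo "hostkey: no ssh-ed25519 host key for $1 in known_hosts" >&2
          return 1
          ;;
      esac
      # Two different keys for one host would be passed to age as a single
      # garbled recipient; refuse rather than guess which one is current.
      nl='
'
      case $key in
        *"$nl"*)
          echo "hostkey: more than one ssh-ed25519 host key for $1 in known_hosts" >&2
          return 1
          ;;
      esac
      echo "$key"
      ;;
  esac
}

# store DEVICE PASS_ENTRY OUT_FILE
# Encrypt the first line of `pass show PASS_ENTRY` to DEVICE's recipient,
# writing armored age output to OUT_FILE. A no-op if OUT_FILE already exists.
store () {
  # Overwriting an existing encrypted file will change its content, even if
  # its decrypted content does not change, so leave it alone.
  [ -e "$3" ] && return 0
  # Resolve the recipient before touching the secret: inside age's argument
  # list the substitution's failure would be lost, and the file could end up
  # encrypted to an empty or wrong recipient.
  recipient=$(hostkey "$1") || return 1
  # Probe the entry first so a failing `pass` is reported rather than
  # silently encrypting an empty secret (pipeline status is age's only).
  pass show "$2" > /dev/null || return 1
  # The secret travels over a pipe and never appears on a command line.
  pass show "$2" | head -1 | age -e -a -r "$recipient" -o "$3"
}

# store_restic DEVICE REPO
# Encrypt the restic repository password for REPO (kept under vin's pass
# tree) to DEVICE.
store_restic () {
  store "$1" "computers/vin/restic-repos/$2" "tw/system/files/restic/$2.enc"
}

# Wireguard secret keys and pre-shared keys.
# Each host gets its own private key plus one PSK per peer; pi3 and fp4 only
# ever appear as peers here, so nothing is encrypted to them.
for host in lap lud vin frm; do
  store "$host" "computers/wireguard/private/$host" "tw/system/files/wireguard/$host.key.enc"
  for host2 in lap lud vin pi3 fp4 frm; do
    [ "$host" = "$host2" ] && continue
    store "$host" "computers/wireguard/preshared/$host-$host2" "tw/system/files/wireguard/$host-$host2.psk.enc"
  done
done

# Restic repository passwords.
for repo in vin-grafana timo-laptop timo-phone timo-sync; do
  store_restic vin "$repo"
done
store_restic lud lud-nextcloud

store lud www/nextcloud/database tw/system/files/nextcloud-database-password.enc

# Mythic Beasts DNS API credentials for lud, written as two quoted strings
# with `;` comments (the .scm suffix suggests Scheme syntax; confirm against
# the consumer before changing the format).
mythic_enc=tw/system/files/mythic-dns.scm.enc
if [ ! -e "$mythic_enc" ]; then  # do not overwrite existing file
  # Read the entry once (one decryption instead of two) and fail loudly:
  # inside the heredoc a failing `pass` would have produced empty strings.
  mythic=$(pass show www/mythic-beasts/dns-lud) || exit 1
  mythic_recipient=$(hostkey lud) || exit 1
  # Password is the first line; the username follows a `username: ` prefix.
  # Backslash and double quote would break out of the quoted string, so
  # escape them before interpolating.
  scm_pass=$(printf '%s\n' "$mythic" | head -1 | sed 's/[\\"]/\\&/g')
  scm_user=$(printf '%s\n' "$mythic" | sed -rn '/^username: /s///p' | sed 's/[\\"]/\\&/g')
  if [ -z "$scm_user" ] || [ -z "$scm_pass" ]; then
    echo "mythic-dns: pass entry is missing the username or password" >&2
    exit 1
  fi
  cat << EOF | age -e -a -r "$mythic_recipient" -o "$mythic_enc"
"$scm_user" ; username
"$scm_pass" ; password
EOF
fi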