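#!/bin/bash
# deploy-galene-credentials.sh — deploy Galene TURN credentials into CT 108.
# Secrets come from Vaultwarden (item GALENE, field "config" = JSON ice-servers).
#
# Usage:
#   /root/scripts/deploy-galene-credentials.sh
#   /root/scripts/deploy-galene-credentials.sh --dry-run
#
# Rotation: change the TURN username/credential in Vaultwarden → run this
# script (it restarts galene in the CT and verifies the unit is active).
#
# Requirements: bw, jq, pct, /root/.bw-master (chmod 600)
set -euo pipefail

readonly CT_ID=108
readonly ICE_SERVERS_PATH="/opt/galene-data/data/ice-servers.json"
readonly BW_MASTER_FILE="${BW_MASTER_PASSWORD_FILE:-/root/.bw-master}"
DRY_RUN=false

export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${PATH}"

log() { echo "[$(date -Iseconds)] $*"; }
err() { echo "[$(date -Iseconds)] ERROR: $*" >&2; }

# Only --dry-run is recognised. Anything else (e.g. a typo like --dryrun)
# is rejected instead of being ignored, because "ignored" would mean a
# real deploy + restart when the operator intended a rehearsal.
for arg in "$@"; do
  case "$arg" in
    --dry-run) DRY_RUN=true ;;
    *)
      err "unknown argument: $arg (only --dry-run is accepted)"
      exit 2
      ;;
  esac
done

# Host-side temp file holding the rendered JSON. It is removed by the EXIT
# trap so that a failed 'pct push' does not leave TURN credentials in /tmp.
TMP_FILE=""
cleanup() {
  if [[ -n "$TMP_FILE" ]]; then
    rm -f -- "$TMP_FILE"
  fi
}
trap cleanup EXIT

#######################################
# Abort early if any tool this script shells out to is missing from PATH.
# Globals:   PATH (read)
# Returns:   0, or exits 1 naming the missing tool
#######################################
require_tools() {
  local tool
  for tool in bw jq pct; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      err "required tool not found in PATH: $tool"
      exit 1
    fi
  done
}

#######################################
# Make sure a usable Bitwarden session exists.
# Reuses an already-unlocked session (BW_SESSION inherited from the caller);
# otherwise unlocks with the master-password file and exports BW_SESSION.
# Globals:   BW_MASTER_FILE (read), BW_SESSION (written/exported)
# Returns:   0 on success, exits 1 on any failure
#######################################
ensure_bw_unlocked() {
  local status
  status=$(bw status 2>/dev/null | jq -r '.status' 2>/dev/null || echo "unknown")
  if [[ "$status" == "unlocked" ]]; then
    log "bw already unlocked, reusing session"
    return 0
  fi

  if [[ ! -f "$BW_MASTER_FILE" ]]; then
    err "Missing $BW_MASTER_FILE"
    exit 1
  fi

  # The header requires the password file to be mode 600: refuse to use a
  # master password that is readable by group/other.
  local mode
  mode=$(stat -c '%a' -- "$BW_MASTER_FILE")
  if (( 8#$mode & 077 )); then
    err "$BW_MASTER_FILE has mode $mode; expected 600 (chmod 600 $BW_MASTER_FILE)"
    exit 1
  fi

  # Assign and export separately: 'export VAR=$(cmd)' always returns 0, so
  # the original form never noticed a failed unlock (wrong master password,
  # vault not logged in) and carried on with an empty session.
  local session
  session=$(bw unlock --passwordfile "$BW_MASTER_FILE" --raw 2>/dev/null) || {
    err "bw unlock failed"
    exit 1
  }
  if [[ -z "$session" ]]; then
    err "bw unlock returned an empty session token"
    exit 1
  fi
  export BW_SESSION="$session"
  log "bw unlocked"
}

#######################################
# Read the GALENE item from Vaultwarden and extract its "config" custom
# field, which must hold valid JSON (the ice-servers document).
# Globals:   ICE_CONFIG (written)
# Returns:   0 on success, exits 1 if the item/field is missing or not JSON
#######################################
get_secrets() {
  local item config
  item=$(bw get item "GALENE" 2>/dev/null) || {
    err "GALENE: 'bw get item' failed (item missing, name ambiguous, or vault locked)"
    exit 1
  }

  # first(): exactly one value even if the field were duplicated; a missing
  # .fields array yields nothing instead of a jq error.
  config=$(jq -r 'first(.fields // [] | .[] | select(.name=="config") | .value // empty)' <<<"$item") || config=""
  if [[ -z "$config" ]]; then
    err "GALENE: missing config field (JSON ice-servers)"
    exit 1
  fi

  if ! jq . >/dev/null 2>&1 <<<"$config"; then
    err "GALENE config: invalid JSON"
    exit 1
  fi

  # Syntactic validity only; the ice-servers structure itself is not
  # checked here (galene reports that on restart).
  ICE_CONFIG="$config"
}

#######################################
# Write ICE_CONFIG into the container as ice-servers.json.
# The file is pushed to a .tmp sibling with mode 0600 and then renamed, so
# galene never observes a partially written file.
# Globals:   ICE_CONFIG, CT_ID, ICE_SERVERS_PATH (read), TMP_FILE (written)
# Returns:   0 on success; any failing step aborts via set -e
#######################################
push_ice_servers() {
  TMP_FILE=$(mktemp)   # created 0600 on the host
  jq -c . <<<"$ICE_CONFIG" > "$TMP_FILE"

  # --perms 0600: the file is created inside the CT with its final mode
  # instead of the pct default (0644) followed by a chmod — no window in
  # which the TURN credential is world-readable in the container.
  pct push "$CT_ID" "$TMP_FILE" "${ICE_SERVERS_PATH}.tmp" --perms 0600
  rm -f -- "$TMP_FILE"
  TMP_FILE=""

  # Belt and braces on the mode, then an atomic rename (same directory).
  # NOTE(review): the pushed file is owned by root; this matches the
  # previous behaviour — confirm galene runs as a user that can read it.
  pct exec "$CT_ID" -- chmod 600 "${ICE_SERVERS_PATH}.tmp"
  pct exec "$CT_ID" -- mv -f "${ICE_SERVERS_PATH}.tmp" "$ICE_SERVERS_PATH"
  log "ice-servers.json written (atomic), chmod 600"
}

#######################################
# Restart galene inside the container and confirm it came back up, so a
# deploy that leaves the service down is reported as a failure.
# Globals:   CT_ID (read)
# Returns:   0 if galene is active after the restart, exits 1 otherwise
#######################################
restart_galene() {
  pct exec "$CT_ID" -- systemctl restart galene
  if ! pct exec "$CT_ID" -- systemctl is-active --quiet galene; then
    err "galene is not active after restart — check 'journalctl -u galene' in CT $CT_ID"
    exit 1
  fi
  log "galene restarted"
}

#######################################
# Entry point: unlock vault, fetch config, then either report (dry run) or
# push the file and restart galene.
# Globals:   DRY_RUN, ICE_CONFIG (read)
#######################################
main() {
  log "deploy-galene-credentials start (dry_run=$DRY_RUN)"
  require_tools
  ensure_bw_unlocked
  get_secrets

  if [[ "$DRY_RUN" == true ]]; then
    log "DRY-RUN: would push ice-servers.json and restart galene"
    # Do not echo the TURN secret to stdout/journal: every "credential" key
    # at any depth is stripped from the preview. Adjust the key name if the
    # secret is stored under a different one.
    log "  config (credential redacted): $(jq -c 'del(.. | .credential?)' <<<"$ICE_CONFIG")"
    exit 0
  fi

  push_ice_servers
  restart_galene
  log "done"
}

main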