#/usr/bin/env bash
# Purpose: manage .sops.yaml based on gpg keys in the same dir
set -euo pipefail
# sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files

sops_config=".sops.yaml"

function fn_extract_fpr(){
  gpgkeyfile=$1;shift;
  # fingerprint
  # caveat: restrict to netgo.de email, use-case:
  # uid ... <...@mehrwerk.net>
  # uid ... <...@netgo.de>
  fpr="$(gpg --show-keys --list-options show-only-fpr-mbox "${gpgkeyfile}" | grep '@netgo.de' | awk "{print \$1}")"
  echo "${fpr}"
}

function fn_extract_uid(){
  gpgkeyfile=$1;shift;
  # user id
  # caveat: restrict to netgo.de email, use-case:
  # uid ... <...@mehrwerk.net>
  # uid ... <...@netgo.de>
  uid="$(gpg --show-keys --with-colons "${gpgkeyfile}" | awk -F':' '$1=="uid" {print $10}' | grep '@netgo.de')"
  echo "${uid}"
}

function fn_update_sops_config(){
  # CAVEAT: dirty hacks, just get it done. Not DRY at all.

  echo "# Fingerprint | User Type | User ID"
  for gpgkeyfile in *automation*gpg.pub; do
    u_type="autom"
    echo "# $(fn_extract_fpr "${gpgkeyfile}") | ${u_type} | $(fn_extract_uid "${gpgkeyfile}")"
  done
  for gpgkeyfile in $(ls *gpg.pub | grep -v automation); do
    u_type="human"
    echo "# $(fn_extract_fpr "${gpgkeyfile}") | ${u_type} | $(fn_extract_uid "${gpgkeyfile}")"
  done
  echo "# keys in https://git.dev-at.de/smardigo-hetzner/communication-keys"

  cat <<EOM
creation_rules:
  # list of keys for encryption in stage
  - pgp: >-
EOM
  for gpgkeyfile in *automation*gpg.pub; do
    echo "      $(fn_extract_fpr "${gpgkeyfile}"),"
  done
  # all but last line get comma
  for gpgkeyfile in $(ls *gpg.pub | grep -v automation | sed '$d'); do
    echo "      $(fn_extract_fpr "${gpgkeyfile}"),"
  done
  # last line no comma
  for gpgkeyfile in $(ls *gpg.pub | grep -v automation | tail -n 1); do
    echo "      $(fn_extract_fpr "${gpgkeyfile}")"
  done
}

(fn_update_sops_config) >> "${sops_config}"