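#!/usr/bin/env bash
#
# Bootstrap script: creates config.yaml from the example template and
# generates the local secret material (encryption key, shared secret and
# RSA signing key) when it does not exist yet. Files that already exist
# are left untouched, so the script can be re-run.
#
# Requires: openssl on PATH.

set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
CONFIG_FILE="${ROOT_DIR}/config.yaml"
CONFIG_TEMPLATE="${ROOT_DIR}/config.example.yaml"
SECRETS_DIR="${ROOT_DIR}/secrets"
KEYS_DIR="${ROOT_DIR}/keys"
ENCRYPTION_FILE="${SECRETS_DIR}/encryption.key"
SHARED_SECRET_FILE="${SECRETS_DIR}/shared_secret.txt"
SIGNING_KEY_FILE="${KEYS_DIR}/mas_signing.key"

# Path of a secret that is being generated but has not been moved into
# place yet; empty when nothing is pending.
PENDING_TMP=""

# Remove a half-written secret if the script exits before it was installed.
cleanup_pending() {
  if [ -n "${PENDING_TMP}" ]; then
    rm -f -- "${PENDING_TMP}"
  fi
}
trap cleanup_pending EXIT

#######################################
# Create an owner-only staging file next to the final secret path.
# mktemp creates the file with mode 0600, so the secret is never readable
# by other users, not even between creation and a later chmod.
# Globals:   PENDING_TMP (written)
# Arguments: $1 - final path of the secret
#######################################
begin_secret() {
  PENDING_TMP="$(mktemp "${1}.XXXXXX")"
}

#######################################
# Move the staged secret into place once it has been fully written.
# Refuses an empty file so that a failed generation cannot leave behind a
# blank secret that later runs would treat as already existing.
# Globals:   PENDING_TMP (read, reset)
# Arguments: $1 - final path of the secret
# Returns:   0 on success, 1 if the staged file is empty
#######################################
finish_secret() {
  local target=$1
  if [ ! -s "${PENDING_TMP}" ]; then
    echo "No se pudo generar ${target}." >&2
    return 1
  fi
  chmod 600 "${PENDING_TMP}"
  # Same-directory rename: the target appears complete or not at all.
  mv -f -- "${PENDING_TMP}" "${target}"
  PENDING_TMP=""
}

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl es requerido para generar los secretos." >&2
  exit 1
fi

# -m 700 applies only to directories created by this call; directories
# that already exist keep their current mode.
mkdir -p -m 700 -- "${SECRETS_DIR}" "${KEYS_DIR}"

if [ ! -f "${CONFIG_TEMPLATE}" ]; then
  echo "No se encontró ${CONFIG_TEMPLATE}, abortando." >&2
  exit 1
fi

if [ ! -f "${CONFIG_FILE}" ]; then
  cp -- "${CONFIG_TEMPLATE}" "${CONFIG_FILE}"
  echo "Se creó ${CONFIG_FILE} a partir de la plantilla."
else
  echo "Ya existe ${CONFIG_FILE}, se deja intacto."
fi

# 32 random bytes, hex-encoded.
if [ ! -f "${ENCRYPTION_FILE}" ]; then
  begin_secret "${ENCRYPTION_FILE}"
  openssl rand -hex 32 > "${PENDING_TMP}"
  finish_secret "${ENCRYPTION_FILE}"
  echo "Generada clave de cifrado en ${ENCRYPTION_FILE}"
else
  echo "Ya existe ${ENCRYPTION_FILE}"
fi

# 48 random bytes, hex-encoded.
if [ ! -f "${SHARED_SECRET_FILE}" ]; then
  begin_secret "${SHARED_SECRET_FILE}"
  openssl rand -hex 48 > "${PENDING_TMP}"
  finish_secret "${SHARED_SECRET_FILE}"
  echo "Generado secreto compartido en ${SHARED_SECRET_FILE}"
else
  echo "Ya existe ${SHARED_SECRET_FILE}"
fi

# 2048-bit RSA private key; openssl writes into the pre-created 0600 file.
if [ ! -f "${SIGNING_KEY_FILE}" ]; then
  begin_secret "${SIGNING_KEY_FILE}"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "${PENDING_TMP}" >/dev/null
  finish_secret "${SIGNING_KEY_FILE}"
  echo "Generada clave RSA en ${SIGNING_KEY_FILE}"
else
  echo "Ya existe ${SIGNING_KEY_FILE}"
fi

# NOTE(review): the original script continues here with a `cat <` statement
# (apparently a here-document) that is cut off in this view; it is not
# reproduced because its content is not visible.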