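#!/bin/bash
# One-time bootstrap of the wbc-dev-cluster-base Talos secrets.
#
# Steps: mint a new age identity, generate Talos cluster secrets with
# talosctl, encrypt them with sops for that identity, and leave the encrypted
# file in place as secrets.yaml. The age key is the only thing that can
# decrypt secrets.yaml: store it in Vaultwarden and never commit it.
#
# Running this a second time would mint a new key AND new cluster secrets,
# neither of which match a cluster already bootstrapped from the old ones, so
# the script refuses to start if any of its outputs already exist. Without
# that guard (and without set -e) a failed age-keygen would silently fall
# through to re-encrypting fresh secrets over the existing file.
set -euo pipefail

export SOPS_AGE_KEY_FILE=wbc-dev-cluster-base.age-key
readonly PLAINTEXT=secrets.yaml
readonly ENCRYPTED=secrets.enc.yaml

echo "WARNING: THIS SHOULD ONLY BE DONE ONCE!!!"
echo "This script creates the secrets, encrypts them using sops with a new age key which should be then stored in vaultwarden."
echo "You almost certainly don't want to do this, and instead want to download the age key from vaultwarden."

# Refuse to clobber an existing key or secrets file; the operator must remove
# them deliberately if a re-run really is intended.
for existing in "$SOPS_AGE_KEY_FILE" "$PLAINTEXT" "$ENCRYPTED"; do
  if [[ -e "$existing" ]]; then
    echo "ERROR: $existing already exists; refusing to overwrite it." >&2
    echo "If you only need to decrypt secrets.yaml, fetch the age key from Vaultwarden instead." >&2
    exit 1
  fi
done

# The private key and the transient plaintext must not be readable by other
# users on this machine; 077 makes every file below owner-only at creation.
umask 077

# On any failure before the encrypted file is in place, remove everything we
# created so nothing plaintext is left behind and the script can be re-run.
# NOTE: rm does not scrub the plaintext from disk; if that matters, run this
# on an encrypted or ephemeral filesystem.
finished=0
cleanup() {
  if (( finished == 0 )); then
    rm -f -- "$PLAINTEXT" "$ENCRYPTED" "$SOPS_AGE_KEY_FILE"
    echo "Aborted; generated key and plaintext secrets were removed." >&2
  fi
}
trap cleanup EXIT

age-keygen -o "$SOPS_AGE_KEY_FILE"

# age-keygen -y prints the recipient (public key) for an identity file, which
# is what sops needs to encrypt; the private key file itself is never read by
# the encrypt step.
SOPS_AGE_RECIPIENT=$(age-keygen -y "$SOPS_AGE_KEY_FILE")
export SOPS_AGE_RECIPIENT
if [[ -z "$SOPS_AGE_RECIPIENT" ]]; then
  echo "ERROR: could not derive age recipient from $SOPS_AGE_KEY_FILE" >&2
  exit 1
fi

talosctl gen secrets -o "$PLAINTEXT"
sops encrypt --age "$SOPS_AGE_RECIPIENT" "$PLAINTEXT" > "$ENCRYPTED"

# Only after sops has produced a complete file do we discard the plaintext and
# move the ciphertext into the name talosctl expects.
rm -f -- "$PLAINTEXT"
mv -- "$ENCRYPTED" "$PLAINTEXT"
finished=1

echo 'SECRETS CREATED, PLEASE UPDATE VAULTWARDEN :'
echo "- $PLAINTEXT - used by talosctl - safe to commit to git, encrypted by : $SOPS_AGE_RECIPIENT"
echo "- $SOPS_AGE_KEY_FILE - used by sops - DO NOT COMMIT! Put in Vaultwarden"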
