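#!/bin/bash
# secrets-encrypt.sh — pack /data/secrets/<server-domain> into an AES-256-CBC
# encrypted tarball under /data/secrets/safe. The per-domain password lives in
# /data/secrets/safe/keys.env as "<domain with . -> _>=<password>"; it is reused
# when present and generated (20 chars, [a-z0-9]) otherwise.
#
# Usage:   secrets-encrypt.sh <server-domain>      (must run as root)
# Outputs: /data/secrets/safe/<server-domain>.tar.gz
# Exit:    0 on success; 1 on missing privileges, bad usage or any failure.
#
# Note: `openssl enc` gives confidentiality only (no integrity tag); the
# decrypting side must use the same -pbkdf2 -iter 100000 parameters.

set -e
# keys.env and the archive hold secrets: never create them group/world-readable.
umask 077

# Print a red diagnostic to stderr and exit 1.
die() {
  printf '\033[31m%s\033[0m\n' "$*" >&2
  exit 1
}

# Non-zero exit so callers (cron, wrappers) can detect the refusal.
if [[ "$(id -u)" != "0" ]]; then
  die "This script requires superuser rights."
fi

if [[ -z "$1" ]]; then
  printf 'Usage: %s <server-domain>\n' "$0" >&2
  exit 1
fi

SERVER_DOMAIN=$1
# $1 becomes part of a filesystem path and of a grep anchor; restrict it to
# hostname characters so "../x" or regex metacharacters cannot reach either.
[[ "$SERVER_DOMAIN" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] \
  || die "Invalid server domain: $SERVER_DOMAIN"

readonly SAFE_DIR="/data/secrets/safe"
readonly DOMAIN_DIR="/data/secrets/$SERVER_DOMAIN"
readonly KEYS_FILE="$SAFE_DIR/keys.env"
readonly ARCHIVE_FILE="$SAFE_DIR/$SERVER_DOMAIN.tar.gz"

[[ -d "$SAFE_DIR" ]]   || die "Missing safe directory: $SAFE_DIR"
[[ -d "$DOMAIN_DIR" ]] || die "Missing secrets directory: $DOMAIN_DIR"

# Partial output is staged here and only renamed into place on success, so a
# failed run never leaves a truncated file under the real archive name.
TMP_ARCHIVE=""

# ERR trap handler: drop the staged archive (if any), report, exit 1.
on_error() {
  if [[ -n "$TMP_ARCHIVE" ]]; then
    rm -f -- "$TMP_ARCHIVE"
  fi
  printf '\033[31msecrets-encrypt.sh: Something went wrong\033[0m\n' >&2
  exit 1
}
trap on_error ERR

export DEBIAN_FRONTEND=noninteractive

# Print a 20-character [a-z0-9] password to stdout.
# tr is killed by SIGPIPE once head has its 20 bytes; without pipefail the
# pipeline status is head's, so this does not trip `set -e`.
generate_password() {
  tr -dc 'a-z0-9' < /dev/urandom | head -c 20
}

echo "We check for the presence of a key in keys.env and get it..."
KEY_VAR=${SERVER_DOMAIN//./_}
# keys.env may not exist yet on the first run; grep's error is not informative.
if grep -q -- "^${KEY_VAR}=" "$KEYS_FILE" 2>/dev/null; then
  # -m1: a duplicated key must not yield a multi-line password; -f2-: keep the
  # whole value even if it ever contained '='.
  PASSWORD=$(grep -m1 -- "^${KEY_VAR}=" "$KEYS_FILE" | cut -d '=' -f2-)
  echo "Password for $SERVER_DOMAIN already exists"
else
  PASSWORD=$(generate_password)
  printf '%s=%s\n' "$KEY_VAR" "$PASSWORD" >> "$KEYS_FILE"
  echo "Generated new password for $SERVER_DOMAIN."
fi

echo "Pack and encrypt the archive..."
TMP_ARCHIVE=$(mktemp -- "$ARCHIVE_FILE.XXXXXX")
# From here on a failing tar must not be masked by a successful openssl, or an
# empty/partial archive would be reported as success.
set -o pipefail
# The password is passed via the environment (-pass env:), not argv, so it is
# not visible in `ps` output while openssl runs.
tar -czf - -C "$DOMAIN_DIR" . \
  | ENC_PASSWORD="$PASSWORD" openssl enc -aes-256-cbc -e -out "$TMP_ARCHIVE" \
      -pass env:ENC_PASSWORD -pbkdf2 -iter 100000
set +o pipefail

mv -f -- "$TMP_ARCHIVE" "$ARCHIVE_FILE"
TMP_ARCHIVE=""
trap - ERR
echo "Encrypted archive created at $ARCHIVE_FILE"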