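#!/bin/bash
# Generate and upload Forgejo secrets to Google Secret Manager.
#
# Run once per project before the first `terraform apply`.
# Idempotent: skips secrets that already exist (an existing secret is never
# rotated or overwritten by this script).
#
# Requires: an authenticated `gcloud` with an active project, and `openssl`.
# Secret material is piped to gcloud on stdin (--data-file=-) so it never
# appears in argv, `ps` output, or shell history.
set -euo pipefail

# Fail early with a precise message if a required tool is missing; otherwise
# a missing gcloud would surface as the misleading "no active project" error.
for tool in gcloud openssl; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "ERROR: required tool '$tool' not found in PATH." >&2
    exit 1
  fi
done

if [[ -z "$(gcloud config get-value project 2>/dev/null)" ]]; then
  echo "ERROR: no active gcloud project. Run 'gcloud config set project YOUR_PROJECT' first." >&2
  exit 1
fi

for secret in forgejo-secret-key forgejo-internal-token; do
  # NOTE: any `describe` failure (not-found, but also permission denied, API
  # not enabled, network error) falls through to the create branch; in those
  # other cases `create` fails too and `set -e` aborts the script.
  if gcloud secrets describe "$secret" >/dev/null 2>&1; then
    echo "$secret already exists, skipping"
  else
    # 32 random bytes (256 bits), hex-encoded, from openssl's CSPRNG.
    # `pipefail` ensures a failed openssl does not create an empty secret.
    # --replication-policy=automatic lets Google choose the storage regions;
    # use user-managed replication if data-residency rules constrain that.
    openssl rand -hex 32 \
      | gcloud secrets create "$secret" --replication-policy=automatic --data-file=-
    echo "Created $secret"
  fi
done

echo
# The commands below print the secret values in clear text to the terminal;
# run them where the session is not logged or shared.
echo "Tip: also save these values in your password manager for cross-project recovery."
echo "  gcloud secrets versions access latest --secret=forgejo-secret-key"
echo "  gcloud secrets versions access latest --secret=forgejo-internal-token"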