#!/usr/bin/env bash
set -euo pipefail

target_dir="${1:-$(pwd)}"
mysql_env="${target_dir}/.env"
app_env="${target_dir}/.env.production"

if [[ -e "${app_env}" ]]; then
  echo "Refuse to overwrite existing .env.production in ${target_dir}" >&2
  exit 1
fi

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl is required to generate production secrets" >&2
  exit 1
fi

mkdir -p "${target_dir}"
umask 077

if [[ -e "${mysql_env}" ]]; then
  # shellcheck disable=SC1090
  source "${mysql_env}"

  mysql_database="${MYSQL_DATABASE:-access_manage}"
  mysql_user="${MYSQL_USER:-access_user}"
  mysql_password="${MYSQL_PASSWORD:-}"

  if [[ -z "${mysql_password}" ]]; then
    echo "MYSQL_PASSWORD is missing in ${mysql_env}" >&2
    exit 1
  fi

  echo "Found existing ${mysql_env}; only creating ${app_env}"
else
  mysql_root_password="root_$(openssl rand -hex 24)"
  mysql_database="access_manage"
  mysql_user="access_user"
  mysql_password="app_$(openssl rand -hex 24)"

  cat > "${mysql_env}" <<EOF
MYSQL_ROOT_PASSWORD=${mysql_root_password}
MYSQL_DATABASE=${mysql_database}
MYSQL_USER=${mysql_user}
MYSQL_PASSWORD=${mysql_password}
EOF

  echo "Created ${mysql_env}"
fi

jwt_secret="$(openssl rand -hex 48)"

cat > "${app_env}" <<EOF
NODE_ENV=production
PORT=3500

DB_HOST=127.0.0.1
DB_PORT=3307
DB_USER=${mysql_user}
DB_PASSWORD=${mysql_password}
DB_NAME=${mysql_database}
DB_CONNECTION_LIMIT=10

JWT_SECRET=${jwt_secret}
JWT_EXPIRES_IN=2h
EOF

echo "Created ${app_env}"