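#!/usr/bin/env bash
# One-time bootstrap: generate a root CA for omarchy-stream and upload it to
# 1Password. Run this on ONE machine; every host's install.sh thereafter pulls
# the CA from 1Password to mint per-host certs.
#
# Re-running this script refuses to overwrite an existing item unless --force
# is passed. The CA's private key is the trust root for every paired host;
# replacing it forces re-trust on every device.
#
# Security notes:
#   * The private key only ever exists in a mode-0700 temp directory
#     (XDG_RUNTIME_DIR when set, normally a per-user tmpfs) that is removed
#     on exit, whether the script succeeds or fails.
#   * `op item create` receives the key as a command-line argument, so it is
#     briefly visible in `ps` / /proc/<pid>/cmdline to other local users and
#     would be printed by any `set -x` trace. Never run this with tracing on,
#     and only run it on a machine you fully control.
#
# Expects OP_VAULT and OP_CA_ITEM to be provided by lib/common.sh or
# lib/certs.sh (they are not defined in this file).
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=../lib/common.sh
source "$SCRIPT_DIR/../lib/common.sh"
# shellcheck source=../lib/certs.sh
source "$SCRIPT_DIR/../lib/certs.sh"

FORCE=0
CA_VALID_DAYS=3650
CA_CN="omarchy-stream Root CA"
CA_O="omarchy-stream"

# Fail with a clear message rather than a bare "unbound variable" if the
# sourced libraries did not export the 1Password location.
: "${OP_VAULT:?OP_VAULT must be set (expected from lib/common.sh)}"
: "${OP_CA_ITEM:?OP_CA_ITEM must be set (expected from lib/common.sh)}"

# Print usage to stdout.
usage() {
  cat <<EOF
Usage: $(basename "$0") [--force]

Generate the omarchy-stream root CA and store it in 1Password
(vault: ${OP_VAULT}, item: ${OP_CA_ITEM}).

Options:
  --force     Replace an existing CA item. Every host cert minted from the
              old CA stops being trusted; re-run install.sh on each host.
  -h, --help  Show this help and exit.
EOF
}

while (($#)); do
  case "$1" in
    --force) FORCE=1 ;;
    -h|--help) usage; exit 0 ;;
    *)
      err "Unknown option: $1"
      usage >&2
      exit 2
      ;;
  esac
  shift
done

# Preflight: both tools are required, and an unauthenticated `op` would make
# the existence probe below silently answer "no item", so a fresh key would be
# generated only for the upload to fail afterwards.
for tool in op openssl; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    err "Required command not found: $tool"
    exit 1
  fi
done
if ! op whoami >/dev/null 2>&1; then
  err "Not signed in to 1Password; run 'op signin' first."
  exit 1
fi

if op item get "$OP_CA_ITEM" --vault "$OP_VAULT" >/dev/null 2>&1; then
  if [[ $FORCE -eq 0 ]]; then
    err "Item '$OP_CA_ITEM' already exists in vault '$OP_VAULT'."
    err "Re-running cert-bootstrap with --force will replace it, which invalidates"
    err "every host cert minted from the existing CA. If you just want to refresh"
    err "host certs on this machine, run install.sh (with FORCE_CERTS=1 to mint)."
    exit 1
  fi
  warn "Overwriting existing CA item (--force given)"
  # Record which CA is being retired so it can be matched against the trust
  # stores on paired devices. Best-effort: if the item has no readable 'cert'
  # field nothing is printed and the replacement proceeds.
  info "Fingerprint of CA being replaced (SHA256):"
  op read "op://${OP_VAULT}/${OP_CA_ITEM}/cert" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
    | sed 's/^/  /' || true
  # The old item is deleted before the new one is created so that `op item get`
  # by title stays unambiguous; the old key is gone from this point on.
  op item delete "$OP_CA_ITEM" --vault "$OP_VAULT" >/dev/null
fi

# Private key material is written only here. umask 077 closes the window
# between openssl creating the key file and the explicit chmod below.
umask 077
tmpdir="$(mktemp -d "${XDG_RUNTIME_DIR:-/tmp}/omarchy-ca-bootstrap.XXXXXX")"
chmod 700 "$tmpdir"
# Remove the key directory on every exit path (success, error, ^C).
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

step "Generating root CA (4096-bit RSA, ${CA_VALID_DAYS} days)"
# genrsa's stderr is only progress noise; a failure still aborts via set -e.
openssl genrsa -out "$tmpdir/ca-key.pem" 4096 2>/dev/null
chmod 600 "$tmpdir/ca-key.pem"
# Self-signed CA cert. keyUsage is limited to cert/CRL signing so the key
# cannot be repurposed as a TLS server key. stderr is left visible here so
# that e.g. an OpenSSL too old for -addext fails with a readable message.
# NOTE(review): if lib/certs.sh only ever mints leaf (host) certs from this
# CA, "basicConstraints=critical,CA:TRUE,pathlen:0" would additionally forbid
# intermediates; left unchanged because that contract isn't visible here.
openssl req -new -x509 \
  -key "$tmpdir/ca-key.pem" \
  -out "$tmpdir/ca-cert.pem" \
  -days "$CA_VALID_DAYS" \
  -sha256 \
  -subj "/CN=${CA_CN}/O=${CA_O}" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign"
ok "Generated CA cert and key"

info "CA fingerprint (SHA256):"
openssl x509 -in "$tmpdir/ca-cert.pem" -noout -fingerprint -sha256 \
  | sed 's/^/  /'

step "Uploading to 1Password (vault: $OP_VAULT, item: $OP_CA_ITEM)"
# The field names 'cert' and 'key' are the contract with install.sh and
# lib/certs.sh (op://VAULT/ITEM/cert, op://VAULT/ITEM/key) — do not rename.
# The key is passed as an argv field; see the header note on ps exposure.
op item create \
  --category "Secure Note" \
  --vault "$OP_VAULT" \
  --title "$OP_CA_ITEM" \
  "notesPlain=Root CA for omarchy-stream Sunshine certs. Bootstrapped $(date -Iseconds) on $(hostname -s)." \
  "cert[text]=$(cat "$tmpdir/ca-cert.pem")" \
  "key[concealed]=$(cat "$tmpdir/ca-key.pem")" \
  >/dev/null
ok "Uploaded CA to 1Password"

info ""
info "References for install.sh / lib/certs.sh:"
info "  op://${OP_VAULT}/${OP_CA_ITEM}/cert"
info "  op://${OP_VAULT}/${OP_CA_ITEM}/key"
info ""
info "Next: on each host (including this one if it'll be a Sunshine host), run:"
info "  ./install.sh"
info "and the cert step will pull the CA from 1Password and mint a host cert."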