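# Copy to scripts/hetzner/bootstrap-secrets.env, adjust the non-secret values and
# pass entry paths, then source it before running bootstrap or destroy:
#   source scripts/hetzner/bootstrap-secrets.env
#   bash scripts/hetzner/bootstrap.sh
#
# Canonical operator path:
# - set *_PASS variables to pass entry paths
# - optionally override a value directly via ENV for CI/tests or one-off debugging
# - bootstrap/destroy will load the first line from each pass entry without echoing it
#
# This file is meant to be sourced, not executed: it only defines pass_ref and
# exports variables. It never calls pass(1) itself, so sourcing it does not
# unlock or read any secret. By default it holds pass *paths*, not secrets;
# if you ever put a literal secret override in your copy (see the bottom of
# this file), make sure that copy is ignored by version control.

# Root of the pass tree that holds every secret for this deployment.
# Overridable like every other value here, so a second environment can point
# at its own subtree without editing the file.
export PASS_PREFIX="${PASS_PREFIX:-infra/unrip3}"

#######################################
# Print the full pass entry path for a name relative to PASS_PREFIX.
# Globals:   PASS_PREFIX (read)
# Arguments: $1 - entry name relative to PASS_PREFIX, e.g. hetzner/hcloud-token
# Outputs:   the joined path on stdout (no trailing newline)
# Returns:   0 on success; 1 with a message on stderr when $1 is empty or
#            missing. In that case nothing is printed, so a *_PASS variable
#            ends up empty instead of silently pointing at the prefix
#            directory itself.
#######################################
pass_ref() {
  if [ -z "${1:-}" ]; then
    printf 'pass_ref: missing pass entry name\n' >&2
    return 1
  fi
  printf '%s/%s' "$PASS_PREFIX" "$1"
}

# Required infra access.
# Only the *public* SSH key path is referenced here; the private key is never
# named in this file.
export HCLOUD_TOKEN_PASS="${HCLOUD_TOKEN_PASS:-$(pass_ref hetzner/hcloud-token)}"
export SSH_PUBLIC_KEY_PATH="${SSH_PUBLIC_KEY_PATH:-$HOME/.ssh/id_ed25519.pub}"

# Optional project override. Defaults target the built-in unrip project overlay.
# PROJECT_NAMESPACE follows PROJECT_NAME unless set explicitly.
export PROJECT_NAME="${PROJECT_NAME:-unrip}"
export PROJECT_NAMESPACE="${PROJECT_NAMESPACE:-$PROJECT_NAME}"
# export PROJECT_OVERLAY_DIR="$PWD/deploy/k8s/overlays/hetzner-single-node"
# export PROJECT_KUSTOMIZE_PATH="../../projects/unrip/base"
# export PROJECT_SECRET_NAME="unrip-secrets"
# export PROJECT_SECRET_ENV_BASENAME="unrip.env"
# export PROJECT_REGISTRY_SECRET_NAME="unrip-registry-creds"
# export PROJECT_IMAGE_REPOSITORY="unrip"
# export PROJECT_DEPLOYMENTS="near-intents-ingest dummy-reactor dummy-executor dummy-consumer"

# Tailscale-first admin access (recommended): admin reachability goes over the
# tailnet rather than public IPs.
export TAILSCALE_AUTH_KEY_PASS="${TAILSCALE_AUTH_KEY_PASS:-$(pass_ref tailscale/auth-key)}"
# Optional override; leave empty to auto-discover the node via local `tailscale status --json`.
export TAILSCALE_CONTROL_PLANE_HOSTNAME="${TAILSCALE_CONTROL_PLANE_HOSTNAME:-}"

# Optional fallback if you intentionally want public SSH/Kubernetes admin exposure.
# The default `[]` (an empty list, presumably Terraform list syntax given the
# TF_ prefix — confirm against the Terraform variables) keeps the admin ports
# closed to the internet. If you do open them, list only your own egress
# CIDRs, never 0.0.0.0/0, and treat the exposure as temporary.
export TF_ADMIN_CIDR_BLOCKS="${TF_ADMIN_CIDR_BLOCKS:-[]}"

# Public naming for ingress/TLS.
# FORGEJO_DOMAIN, FORGEJO_ROOT_URL and REGISTRY_DOMAIN derive from BASE_DOMAIN
# unless set explicitly, so changing BASE_DOMAIN alone is enough for a new zone.
export PUBLIC_DOMAIN="${PUBLIC_DOMAIN:-doran.133011.xyz}"
export BASE_DOMAIN="${BASE_DOMAIN:-133011.xyz}"
export FORGEJO_DOMAIN="${FORGEJO_DOMAIN:-git.${BASE_DOMAIN}}"
export FORGEJO_ROOT_URL="${FORGEJO_ROOT_URL:-https://${FORGEJO_DOMAIN}/}"
export REGISTRY_DOMAIN="${REGISTRY_DOMAIN:-registry.${BASE_DOMAIN}}"
# The example.com default is a placeholder: replace it with a mailbox you read.
# ACME expiry/revocation notices are sent to this address, and Let's Encrypt is
# known to refuse registrations that use an example.* contact address.
export LETSENCRYPT_EMAIL="${LETSENCRYPT_EMAIL:-ops@example.com}"

# Optional DNS automation: choose one provider. Both sets of *_PASS paths are
# defined regardless; which provider is used is decided by the bootstrap script.
# Cloudflare
export CLOUDFLARE_API_TOKEN_PASS="${CLOUDFLARE_API_TOKEN_PASS:-$(pass_ref cloudflare/api-token)}"
export CLOUDFLARE_ZONE_ID_PASS="${CLOUDFLARE_ZONE_ID_PASS:-$(pass_ref cloudflare/zone-id)}"
# Porkbun
export PORKBUN_API_KEY_PASS="${PORKBUN_API_KEY_PASS:-$(pass_ref porkbun/api-key)}"
export PORKBUN_SECRET_API_KEY_PASS="${PORKBUN_SECRET_API_KEY_PASS:-$(pass_ref porkbun/secret-api-key)}"

# Registry auth for CI/CD and image pulls. The username is not secret; the
# password lives in pass.
export REGISTRY_USERNAME="${REGISTRY_USERNAME:-unrip}"
export REGISTRY_PASSWORD_PASS="${REGISTRY_PASSWORD_PASS:-$(pass_ref registry/password)}"

# Application secret
export NEAR_INTENTS_API_KEY_PASS="${NEAR_INTENTS_API_KEY_PASS:-$(pass_ref near-intents/api-key)}"

# Forgejo bootstrap. The admin e-mail defaults to <username>@<BASE_DOMAIN>.
export FORGEJO_ADMIN_USERNAME="${FORGEJO_ADMIN_USERNAME:-forgejo-admin}"
export FORGEJO_ADMIN_EMAIL="${FORGEJO_ADMIN_EMAIL:-${FORGEJO_ADMIN_USERNAME}@${BASE_DOMAIN}}"
export FORGEJO_ADMIN_PASSWORD_PASS="${FORGEJO_ADMIN_PASSWORD_PASS:-$(pass_ref forgejo/admin-password)}"

# Optional explicit overrides for CI/testing only. A literal secret exported
# here is inherited by every child process (readable via ps/environ), ends up
# in shell history if typed interactively, and is committed if this file is.
# Outside CI, keep secrets in pass and set only the *_PASS paths above.
# export HCLOUD_TOKEN="..."
# export REGISTRY_PASSWORD="..."
# export NEAR_INTENTS_API_KEY="..."
# export FORGEJO_ADMIN_PASSWORD="..."
# export CLOUDFLARE_API_TOKEN="..."
# export CLOUDFLARE_ZONE_ID="..."
# export PORKBUN_API_KEY="..."
# export PORKBUN_SECRET_API_KEY="..."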