#!/usr/bin/env bash
# Generates a 20-secrets.yaml with fresh random component passwords.
# Usage:
#   ./scripts/generate-secrets.sh > infra/k3s/20-secrets.yaml
#   kubectl apply -f infra/k3s/20-secrets.yaml
#
# Re-running rotates the passwords — every component then needs to be
# restarted (kubectl rollout restart) so they pick up the new env.

set -eu

# 24 random bytes → 32 base64 chars, stripped of slashes/+ for safety in
# env vars + URLs. Avoids the SIGPIPE issue with `tr | head` under
# pipefail.
rand() { openssl rand -hex 16; }  # 32 hex chars = 16 bytes entropy, plenty for component auth

JICOFO_COMPONENT_SECRET=$(rand)
JICOFO_AUTH_PASSWORD=$(rand)
JVB_AUTH_PASSWORD=$(rand)

cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: jitsi-secrets
  namespace: jitsi
type: Opaque
stringData:
  JICOFO_COMPONENT_SECRET: "${JICOFO_COMPONENT_SECRET}"
  JICOFO_AUTH_USER: "focus"
  JICOFO_AUTH_PASSWORD: "${JICOFO_AUTH_PASSWORD}"
  JVB_AUTH_USER: "jvb"
  JVB_AUTH_PASSWORD: "${JVB_AUTH_PASSWORD}"
EOF