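#!/bin/sh
#
# sops-init: decrypt every file named *${SOPS_FILE_SUFFIX} under SOPS_INPUT_DIR
# into SOPS_OUTPUT_DIR, using a GPG private key imported from GPG_KEY_PATH.
#
# Environment (all optional):
#   APP_NAME           label prefixed to every log line       (default: sops-init)
#   GPG_KEY_PATH       GPG private key file to import         (default: /run/secrets/gpg_key)
#   SOPS_INPUT_DIR     directory searched recursively for encrypted files
#                                                             (default: /config_in)
#   SOPS_OUTPUT_DIR    directory receiving the decrypted files; created if missing
#                                                             (default: /config_out)
#   SOPS_FILE_SUFFIX   suffix that marks an encrypted file; it is stripped from
#                      the output file name                   (default: .sops.yaml)
#   SOPS_OUTPUT_UMASK  umask (e.g. 077) applied before any decrypted file is
#                      written; unset keeps the inherited umask, i.e. the
#                      historical behaviour
#
# Exit status: 0 when every matching file was decrypted, 1 on the first error.

# Exit immediately if any command fails.
set -e

# --- Configuration (from Environment Variables) ---
# Use ':-' to set a default value if the variable is unset or null.
APP_NAME="${APP_NAME:-sops-init}"
GPG_KEY_PATH="${GPG_KEY_PATH:-/run/secrets/gpg_key}"
# The directory containing encrypted files.
SOPS_INPUT_DIR="${SOPS_INPUT_DIR:-/config_in}"
# The directory where decrypted files will be written.
SOPS_OUTPUT_DIR="${SOPS_OUTPUT_DIR:-/config_out}"
# The suffix of files to search for.
SOPS_FILE_SUFFIX="${SOPS_FILE_SUFFIX:-.sops.yaml}"
# Optional umask for the decrypted output; empty means "do not touch it".
SOPS_OUTPUT_UMASK="${SOPS_OUTPUT_UMASK:-}"

# log MESSAGE...: print one line to stdout.
# printf is used instead of echo so that the message is never mistaken for
# an echo option and backslashes are printed literally.
log() {
  printf '%s\n' "$*"
}

# die MESSAGE...: print one line to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# decrypt_file ENCRYPTED_PATH: decrypt one file into SOPS_OUTPUT_DIR.
# The output name is the input basename with SOPS_FILE_SUFFIX removed, so two
# inputs with the same basename in different subdirectories overwrite each
# other, and an input named exactly like the suffix keeps its full name
# (basename does not strip a suffix equal to the whole string).
# A failed decryption deletes the partially written output before exiting, so
# no empty or truncated file is left behind for a consumer to pick up.
# POSIX sh has no 'local'; the variables below are deliberately global.
decrypt_file() {
  encrypted_file=$1
  # Get the filename without the full path.
  base_filename_with_suffix=$(basename "$encrypted_file")
  # Remove the suffix to get the clean output filename.
  output_filename=$(basename "$encrypted_file" "$SOPS_FILE_SUFFIX")
  # Construct the full output path.
  decrypted_file="${SOPS_OUTPUT_DIR}/${output_filename}"
  log " - Decrypting '$base_filename_with_suffix' to '$decrypted_file'"
  if ! sops --decrypt "$encrypted_file" > "$decrypted_file"; then
    rm -f -- "$decrypted_file"
    die "❌ $APP_NAME: ERROR: Failed to decrypt '$encrypted_file'"
  fi
}

# --- Script Logic ---
log "✅ $APP_NAME: Decryption container started."
log "➡️ $APP_NAME: Input Dir: '$SOPS_INPUT_DIR', Output Dir: '$SOPS_OUTPUT_DIR', Suffix: '$SOPS_FILE_SUFFIX'"

# Validate that the required files/directories exist.
[ -f "$GPG_KEY_PATH" ] || die "❌ $APP_NAME: ERROR: GPG secret key not found at '$GPG_KEY_PATH'"
[ -d "$SOPS_INPUT_DIR" ] || die "❌ $APP_NAME: ERROR: Input directory not found at '$SOPS_INPUT_DIR'"

# Ensure the output directory exists.
mkdir -p "$SOPS_OUTPUT_DIR"

# Decrypted files are secrets: tighten their mode when the operator asks for
# it (077 is appropriate when the consumer runs as the same user).
if [ -n "$SOPS_OUTPUT_UMASK" ]; then
  umask "$SOPS_OUTPUT_UMASK"
fi

log "🔐 $APP_NAME: Importing GPG private key..."
gpg --batch --import "$GPG_KEY_PATH"

log "🔎 $APP_NAME: Searching for files ending in '$SOPS_FILE_SUFFIX'..."

# Use 'find' to locate all target files and loop through them.
# One name per line: names containing a newline are not supported.
# 'IFS=' keeps leading/trailing whitespace in a name intact.
# The loop body runs in the pipeline's subshell; 'die' there ends that
# subshell with status 1, the pipeline fails, and 'set -e' stops the script
# before the success message is printed.
find "$SOPS_INPUT_DIR" -type f -name "*${SOPS_FILE_SUFFIX}" | while IFS= read -r encrypted_file; do
  decrypt_file "$encrypted_file"
done

log "🎉 $APP_NAME: All files decrypted. Exiting."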