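#!/usr/bin/env bash
# Generate a mkcert wildcard TLS cert for the current Lima VM IP.
# Output: secrets/local/tls.crt + secrets/local/tls.key
#
# Requires: limactl (with a running 'sunbeam' VM) and mkcert on PATH.
#
# Security notes:
#   - `mkcert -install` adds a locally generated CA to this machine's trust
#     stores. The CA private key (location: `mkcert -CAROOT`) can sign
#     certificates this machine will trust for any hostname, so it must never
#     be copied off the machine or shared.
#   - tls.key is a private key for a development-only certificate. Keep
#     secrets/local/ out of version control.
#     NOTE(review): confirm the directory is git-ignored.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
SECRETS_DIR="$REPO_ROOT/secrets/local"

# Fail early with a clear message if a required tool is missing.
for tool in limactl mkcert; do
  if ! command -v "$tool" >/dev/null; then
    echo "ERROR: required tool '$tool' not found on PATH." >&2
    exit 1
  fi
done

echo "==> Getting Lima VM IP..."
# With `set -e` and pipefail, a failing limactl would abort the script on the
# assignment itself and the explanatory error below would never be printed.
# Fall back to an empty value so the check that follows reports the problem.
LIMA_IP=$(limactl shell sunbeam hostname -I | awk '{print $1}') || LIMA_IP=""
if [[ -z "$LIMA_IP" ]]; then
  echo "ERROR: Could not determine Lima VM IP. Is the 'sunbeam' VM running?" >&2
  exit 1
fi

# The value comes from command output and is embedded in the certificate name,
# so accept only a dotted-quad IPv4 address (rejects stray characters, IPv6,
# or error text that ended up on stdout).
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
if [[ ! "$LIMA_IP" =~ $ipv4_re ]]; then
  echo "ERROR: Unexpected Lima VM address '$LIMA_IP' (expected an IPv4 address)." >&2
  exit 1
fi

DOMAIN="*.${LIMA_IP}.sslip.io"
echo "==> Generating mkcert cert for: $DOMAIN"

mkdir -p "$SECRETS_DIR"
cd "$SECRETS_DIR"

mkcert -install
# Write straight to the final names instead of relying on mkcert's
# domain-derived default file names and renaming afterwards.
mkcert -cert-file tls.crt -key-file tls.key "$DOMAIN"

# Verify both halves of the pair exist and are non-empty before reporting success.
if [[ ! -s tls.crt || ! -s tls.key ]]; then
  echo "ERROR: mkcert did not produce tls.crt and tls.key in '$SECRETS_DIR'." >&2
  exit 1
fi

# Make the private key owner-only regardless of the current umask.
chmod 600 tls.key
echo "==> Cert written to secrets/local/tls.crt and secrets/local/tls.key"

echo "==> Domain: $DOMAIN"
echo "==> Lima IP: $LIMA_IP"
echo ""
echo "Next: run scripts/local-up.sh or manually apply the TLS secret:"
echo " kubectl create secret tls pingora-tls -n ingress \\"
echo " --cert=secrets/local/tls.crt \\"
echo " --key=secrets/local/tls.key \\"
echo " --dry-run=client -o yaml | kubectl apply -f -"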