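#!/usr/bin/env bash
# Bootstrap an Incus instance as a Forgejo runner: write the runner
# registration token into the instance, then bring Tailscale up inside it.
#
# Prerequisites:
#   1Password vault 'forgejo-runner' containing
#     - item 'forgejo-runner' with the field 'runner_token'
#     - item 'tailscale' with the field 'client_secret'
#   The `op` and `incus` CLIs available on PATH.
#
# Usage: ./bootstrap_instace.sh <instance-name>

set -euo pipefail

# Exactly one argument is required: the name of the Incus instance.
if [[ "$#" -ne 1 ]]; then
  echo "Usage: $0 <instance-name>" >&2
  exit 1
fi

INCUS_INSTANCE="$1"

# An empty name or one starting with '-' would be read by incus as an option
# (or as no target at all), so refuse it before any secret is fetched.
if [[ -z "$INCUS_INSTANCE" || "$INCUS_INSTANCE" == -* ]]; then
  echo "Invalid instance name: '$INCUS_INSTANCE'" >&2
  exit 1
fi

# Path of the token file inside the instance.
INCUS_PATH="/var/lib/gitea-runner/default/tokenfile"

# Sign in to 1Password when no session is exported.
# NOTE(review): the op CLI may export OP_SESSION_<account> rather than
# OP_SESSION; confirm this check matches the CLI version in use.
if [[ -z "${OP_SESSION:-}" ]]; then
  echo "Not logged in to 1Password CLI. Attempting to sign in..."
  # Capture the output first: the status of `eval "$(cmd)"` is eval's own, so
  # a failed `op signin` would otherwise evaluate an empty string and pass.
  # The eval only ever runs text produced by the local op CLI.
  if ! op_signin_env=$(op signin) || ! eval "$op_signin_env"; then
    echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
    exit 1
  fi
fi

# Retrieve both secrets from 1Password. The assignment is tested directly so
# that a failing `op read` reaches the error message instead of aborting
# silently under `set -e`.
if ! RUNNER_TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token") \
  || [[ -z "$RUNNER_TOKEN" ]]; then
  echo "Failed to retrieve runner token from 1Password" >&2
  exit 1
fi

if ! TAILSCALE_KEY=$(op read "op://forgejo-runner/tailscale/client_secret") \
  || [[ -z "$TAILSCALE_KEY" ]]; then
  echo "Failed to retrieve Tailscale auth key from 1Password" >&2
  exit 1
fi

#######################################
# Write the runner token file inside the instance and verify it, retrying
# up to five times with a five second pause between attempts.
# Globals:   INCUS_INSTANCE, INCUS_PATH, RUNNER_TOKEN (all read)
# Arguments: none
# Outputs:   progress messages on stdout, final failure on stderr
# Returns:   0 once the file exists and is non-empty, 1 after all retries fail
#######################################
push_and_check_token() {
  local -r retries=5
  local count=0

  while ((count < retries)); do
    echo "Attempt $((count + 1)) of $retries: Configuring runner token..."
    # The token travels over stdin and the path is a positional parameter, so
    # the secret is never spliced into a shell command string (no quoting or
    # injection problems) and never appears in a process argument list.
    # printf is a builtin, so it does not expose the value on the host either.
    # NOTE(review): the file is created with the instance's default umask;
    # confirm which user the runner reads it as and restrict its mode.
    # shellcheck disable=SC2016 # "$1" must expand in the instance's shell
    if printf 'TOKEN=%s\n' "$RUNNER_TOKEN" \
      | incus exec "$INCUS_INSTANCE" -- sh -c 'cat > "$1"' sh "$INCUS_PATH"; then
      # -s rather than -f: an empty file means the write did not go through.
      if incus exec "$INCUS_INSTANCE" -- test -s "$INCUS_PATH"; then
        echo "Runner token file successfully verified in Incus instance."
        return 0
      fi
    fi
    # Plain assignment: ((count++)) returns status 1 when count is 0, which
    # aborts the script under `set -e` if this function is ever called
    # outside a condition.
    count=$((count + 1))
    echo "File not found or configuration failed. Retrying in 5 seconds..."
    sleep 5
  done

  echo "Failed to configure and verify runner token after $retries attempts." >&2
  return 1
}

# Configure the runner token, then Tailscale.
if ! push_and_check_token; then
  echo "Failed to bootstrap $INCUS_INSTANCE" >&2
  exit 1
fi
echo "Runner token successfully configured in instance $INCUS_INSTANCE"

echo "Configuring Tailscale..."
TAILSCALE_CMD="/run/current-system/sw/bin/tailscale"
# Each element is handed to tailscale as its own argument, with no shell in
# between, so '?' and '&' in the key suffix need no extra quoting and nothing
# in the key can be interpreted as shell syntax.
TAILSCALE_ARGS=(
  "--ssh"
  "--auth-key=${TAILSCALE_KEY}?ephemeral=false&preauthorized=true"
  "--advertise-tags=tag:forgejo-runner"
)
# NOTE(review): the key is still visible in the argument list of the incus
# and tailscale processes while they run. tailscale accepts
# --auth-key=file:<path>; consider a short-lived, owner-only file inside the
# instance, after confirming the "?ephemeral=...&preauthorized=..." suffix is
# honoured when the key is read from a file.
if incus exec "$INCUS_INSTANCE" -- "$TAILSCALE_CMD" up "${TAILSCALE_ARGS[@]}"; then
  echo "Tailscale successfully configured"
else
  echo "Failed to configure Tailscale" >&2
  exit 1
fi

echo "Bootstrapping $INCUS_INSTANCE completed successfully."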