#!/bin/sh
set -eu

group='git'
data_dir='/var/lib/gitlab'
secrets_file='/etc/gitlab/secrets.yml'
shell_secret_file='/etc/gitlab/gitlab_shell_secret'
workhorse_secret_file='/etc/gitlab/gitlab_workhorse_secret'
kas_secret_file='/etc/gitlab/gitlab_kas_secret'

gen_random_b64() {
	local bits="$1"
	ruby <<-EOF
		require 'securerandom'
		require 'base64'
		puts Base64.strict_encode64(SecureRandom.random_bytes($bits))
	EOF
}


echo "* Checking $secrets_file" >&2

ruby <<-EOF
	require 'openssl'
	require 'securerandom'
	require 'yaml'

	secrets_file = '$secrets_file'
	changed = false

	secrets = YAML.load_file(secrets_file) if File.exist?(secrets_file)
	secrets ||= {}
	prod = secrets['production'] ||= {}
	prod['db_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
	prod['secret_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
	prod['otp_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
	prod['encrypted_settings_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
	prod['openid_connect_signing_key'] ||= begin
	  changed = true
	  prod.delete('jws_private_key') || OpenSSL::PKey::RSA.new(2048).to_pem
	end
	# db/fixtures/production/010_settings.rb
	prod['ci_jwt_signing_key'] ||= ( changed = true; OpenSSL::PKey::RSA.new(2048).to_pem )

	if changed
	  STDERR.puts "* Generating random secrets into #{secrets_file}"
	  File.write(secrets_file, YAML.dump(secrets), mode: 'w', perm: 0640)
	end
EOF
chown root:$group "$secrets_file"

if [ ! -f "$shell_secret_file" ]; then
	echo "* Generating random secret in $shell_secret_file" >&2

	head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64 > "$shell_secret_file"
	chown root:$group "$shell_secret_file"
	chmod 0640 "$shell_secret_file"
fi

if [ ! -f "$workhorse_secret_file" ]; then
	echo "* Generating random secret in $workhorse_secret_file" >&2

	# Sync with lib/gitlab/workhorse.rb.
	gen_random_b64 32 > "$workhorse_secret_file"
	chown root:$group "$workhorse_secret_file"
	chmod 0640 "$workhorse_secret_file"
fi

if [ ! -f "$kas_secret_file" ]; then
	echo "* Generating random secret in $kas_secret_file" >&2

	# Sync with lib/gitlab/workhorse.rb.
	gen_random_b64 32 > "$kas_secret_file"
	chown root:$group "$kas_secret_file"
	chmod 0640 "$kas_secret_file"
fi

# NOTE: We create this symlink in post-install script instead of APKBULD,
# so user can decide to have tmp dir inside $data_dir (e.g. it's on bigger disk).
if [ ! -e "$data_dir"/tmp ]; then
	ln -s /var/tmp/gitlab "$data_dir"/tmp
fi


if [ "${0##*.}" = 'post-upgrade' ]; then
	cat >&2 <<-EOF
	*
	* To finish GitLab upgrade run:
	*
	*     gitlab-rake gitlab:db:configure
	*
	EOF
else
	cat >&2 <<-EOF
	*
	* 1. Adjust settings in /etc/gitlab/database.yml and gitlab.yml.
	*
	* 2. Create database for GitLab:
	*
	*     psql -c "CREATE ROLE gitlab PASSWORD 'top-secret' INHERIT LOGIN;"
	*     psql -c "CREATE DATABASE gitlab OWNER gitlab ENCODING 'UTF-8';"
	*     psql -d gitlab -c "CREATE EXTENSION pg_trgm; CREATE EXTENSION btree_gist;"
	*
	* 3. Run "gitlab-rake gitlab:setup", or "gitlab-rake gitlab:db:configure" if
	*    you are updating existing database.
	*
	EOF
fi