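#!/usr/bin/env bash
# reset-vault.sh — recover from a vault password mismatch.
#
# Symptoms : `verify-local.sh` or `bootstrap-local.sh phase 2` reports
# "can decrypt vault.yml" failing — the password in .vault-pass doesn't
# match what was used to encrypt vault.yml. Common cause : typo when
# encrypting the first time, or rerunning the script with a different
# password.
#
# This script :
#   1. Confirms with the operator (destructive — vault.yml content is lost)
#   2. Removes infra/ansible/group_vars/all/vault.yml
#   3. Removes infra/ansible/.vault-pass
#   4. Clears the `vault=DONE` marker in the local state file
#   5. Suggests `PHASE=2 ./bootstrap-local.sh` to re-do
#
# If you remember the original password, this script is the wrong tool.
# Edit .vault-pass to put the correct password instead.
#
# Requires : an interactive terminal on stdin (the typed confirmation is
# the only guard in front of the deletion, so the script refuses to run
# when stdin is a pipe or a file), and `lib.sh` next to this script for
# warn/info/ok and trap_errors.
#
# Exit status : 0 after a reset or when the operator declines,
#               1 when stdin is not a terminal, non-zero via trap_errors
#               on any failed command.

set -Eeuo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
. "$SCRIPT_DIR/lib.sh"
trap_errors

# Assign first, then mark readonly, so a failing `git rev-parse` is not
# masked by the `readonly` builtin's own (successful) exit status.
REPO_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel)
readonly REPO_ROOT
readonly VAULT_YML="$REPO_ROOT/infra/ansible/group_vars/all/vault.yml"
readonly VAULT_PASS="$REPO_ROOT/infra/ansible/.vault-pass"
readonly STATE_FILE="$REPO_ROOT/.git/talas-bootstrap/local.state"

# Refuse to run non-interactively: with stdin redirected, `read` would
# take the confirmation from whatever is there (or hit EOF and abort under
# set -e). A destructive reset must only happen on an operator's typed
# answer, never on piped or scripted input.
if [[ ! -t 0 ]]; then
  warn "stdin is not a terminal; refusing to run the destructive reset."
  exit 1
fi

warn "This script DELETES the encrypted vault.yml + .vault-pass."
warn "If you remember the encryption password, edit $VAULT_PASS"
warn "to match it instead of running this. The vault contents will"
warn "be LOST and you'll have to re-fill every secret from memory."
echo
read -rp "Type 'RESET' to confirm: " confirm
if [[ "$confirm" != "RESET" ]]; then
  info "aborted"
  exit 0
fi

# `--` stops option parsing so a path can never be read as an rm flag.
info "removing $VAULT_YML"
rm -f -- "$VAULT_YML"
info "removing $VAULT_PASS"
rm -f -- "$VAULT_PASS"

# The marker is a `vault=...` line; every such line is dropped (not only
# `vault=DONE`) so the bootstrap re-runs the vault step. The file is
# rewritten through a temp file in the same directory and moved into
# place instead of `sed -i`, whose in-place flag differs between GNU and
# BSD/macOS sed. awk exits 0 even when no line survives, which `grep -v`
# would not (exit 1 → abort under set -e).
if [[ -f "$STATE_FILE" ]]; then
  info "clearing 'vault=DONE' from $STATE_FILE"
  tmp=$(mktemp "${STATE_FILE}.XXXXXX")
  awk '!/^vault=/' "$STATE_FILE" > "$tmp"
  mv -- "$tmp" "$STATE_FILE"
fi

ok "vault state cleared"
echo
cat <<EOF >&2
Next step :
  cd $SCRIPT_DIR
  PHASE=2 ./bootstrap-local.sh

You will be re-prompted for the JWT keys (auto-generated) and the
vault password (memorize it this time !).
EOF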