#!/usr/bin/env bash
# Bootstrap the OpenBao secret needed by the ess-pro Ansible role.
# Single KV v2 entry at kv/digitalboard/ess-pro with all keys flat
# (same layout as digitalboard/bookstack, digitalboard/opnform, etc.).
#
# Requires: `bao` CLI in PATH, `BAO_ADDR` exported, authenticated.

set -euo pipefail

MOUNT="${MOUNT:-kv}"
PATH_="${PATH_:-digitalboard/ess-pro}"

read -p "Element registry username (from customer.element.io): " REG_USER
read -s -p "Element registry token: " REG_TOKEN; echo
read -s -p "Keycloak ess-mas client secret: " OIDC_SECRET; echo
read -p "Garage S3 access key: " S3_AK
read -s -p "Garage S3 secret key: " S3_SK; echo

bao kv put "${MOUNT}/${PATH_}" \
  username="${REG_USER}" \
  token="${REG_TOKEN}" \
  client_secret="${OIDC_SECRET}" \
  s3_access_key="${S3_AK}" \
  s3_secret_key="${S3_SK}"

echo "Done. Verify with: bao kv get ${MOUNT}/${PATH_}"