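#!/usr/bin/env bash
# Bootstrap the OpenBao entry for ess_pro_compose.
# Only stores the registry credentials and the OIDC client secret —
# the rest of the cryptographic material is generated by the role locally
# on first deploy (and persists in {{ ess_compose_secrets_dir }} on the host).
#
# Environment:
#   MOUNT  - KV mount to write to (default: kv)
#   PATH_  - secret path below the mount (default: digitalboard/ess-compose)
#
# The three values are prompted for interactively and sent to `bao` as one
# JSON document on stdin, so they never appear in a process argument list.
set -euo pipefail

MOUNT="${MOUNT:-kv}"
PATH_="${PATH_:-digitalboard/ess-compose}"

# Print a message on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Emit a value as a JSON string literal.
# Arguments: $1 - field label used in error messages
#            $2 - value to encode
# Outputs:   the quoted, escaped JSON string on stdout
# Returns:   non-zero (via die) if the value is empty or has control chars
#######################################
json_string() {
  local label=$1 value=$2
  # An empty answer would overwrite the stored entry with a blank credential.
  [[ -n "$value" ]] || die "${label} must not be empty"
  # Control characters would need \uXXXX escapes; a credential containing
  # one is almost certainly a paste accident, so refuse it instead.
  if [[ "$value" == *[[:cntrl:]]* ]]; then
    die "${label} contains control characters"
  fi
  value=${value//\\/\\\\}
  value=${value//\"/\\\"}
  printf '"%s"' "$value"
}

# Fail before prompting for secrets if the CLI is not available.
command -v bao >/dev/null || die "bao CLI not found in PATH"

# -r keeps backslashes in the typed value literal; without it `read` would
# silently drop them and store a credential that differs from the input.
read -r -p "Element registry username (from customer.element.io): " REG_USER
read -r -s -p "Element registry token: " REG_TOKEN; echo
read -r -s -p "Authentik OIDC client_secret for ess-mas: " OIDC_SECRET; echo

# Encode in separate assignments so that a validation failure inside the
# command substitution aborts the script under `set -e`.
user_json=$(json_string "registry username" "${REG_USER}")
token_json=$(json_string "registry token" "${REG_TOKEN}")
oidc_json=$(json_string "OIDC client_secret" "${OIDC_SECRET}")

# Passing key=value pairs as arguments would expose the token and client
# secret to any local user who can list processes (ps, /proc/<pid>/cmdline).
# `printf` is a shell builtin, so the JSON only travels through the pipe.
# Reading the document from stdin also avoids the CLI's special handling of
# argument values that start with '@' or equal '-' (as in upstream Vault's
# CLI — NOTE(review): confirm against the installed bao version).
printf '{"registry_username":%s,"registry_token":%s,"oidc_client_secret":%s}\n' \
  "${user_json}" "${token_json}" "${oidc_json}" \
  | bao kv put "${MOUNT}/${PATH_}" -

# Drop the secrets from the shell's memory as soon as they are stored.
unset REG_TOKEN OIDC_SECRET token_json oidc_json

echo "Done. Verify: bao kv get ${MOUNT}/${PATH_}"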