#!/usr/bin/env bash
# Render Authentik blueprint templates using PUBLIC_HOST / SECURE / SUITE_ORIGIN from .env.resolved.
set -euo pipefail

ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
BP_DIR="$ROOT/deploy/authentik/blueprints"

if [[ -z "${SUITE_ORIGIN:-}" || -z "${PUBLIC_HOST:-}" ]]; then
  echo "render-blueprints: SUITE_ORIGIN and PUBLIC_HOST must be set (source .env.resolved first)" >&2
  exit 1
fi

render_one() {
  local tpl="$1"
  local out="${tpl%.template}"
  sed \
    -e "s|{{SUITE_ORIGIN}}|${SUITE_ORIGIN}|g" \
    -e "s|{{PUBLIC_HOST}}|${PUBLIC_HOST}|g" \
    -e "s|{{SECURE}}|${SECURE:-}|g" \
    "$tpl" > "$out"
  echo "render-blueprints: ${out##*/}"
}

shopt -s nullglob
for tpl in "$BP_DIR"/*.yaml.template; do
  render_one "$tpl"
done