#!/usr/bin/env bash
# Render Authentik blueprint + email templates using .env.resolved variables.
set -euo pipefail

ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
BP_DIR="$ROOT/deploy/authentik/blueprints"
TPL_DIR="$ROOT/deploy/authentik/templates"

if [[ -z "${SUITE_ORIGIN:-}" || -z "${PUBLIC_HOST:-}" ]]; then
  echo "render-blueprints: SUITE_ORIGIN and PUBLIC_HOST must be set (source .env.resolved first)" >&2
  exit 1
fi

# Frontend origin for auth pages (/login, /reset-password). Falls back to SUITE_ORIGIN.
AUTH_APP_URL="${AUTH_APP_URL:-${NEXT_PUBLIC_APP_URL:-${SUITE_ORIGIN}}}"
if [[ "$AUTH_APP_URL" == */mail ]]; then
  AUTH_APP_URL="${AUTH_APP_URL%/mail}"
fi

render_one() {
  local tpl="$1"
  local out="${tpl%.template}"
  sed \
    -e "s|{{SUITE_ORIGIN}}|${SUITE_ORIGIN}|g" \
    -e "s|{{PUBLIC_HOST}}|${PUBLIC_HOST}|g" \
    -e "s|{{SECURE}}|${SECURE:-}|g" \
    -e "s|{{AUTH_APP_URL}}|${AUTH_APP_URL}|g" \
    "$tpl" > "$out"
  echo "render-blueprints: ${out##*/}"
}

shopt -s nullglob
for tpl in "$BP_DIR"/*.yaml.template; do
  render_one "$tpl"
done

for tpl in "$TPL_DIR"/**/*.template "$TPL_DIR"/*/*.template; do
  [[ -f "$tpl" ]] || continue
  render_one "$tpl"
done