#!/bin/sh
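# print a coloured section banner to stdout.
# all arguments are joined into one title ("$*"): the unquoted `$1 $2` form
# word-split a multi-word title into separate printf arguments, so a
# three-word title produced two banners, and any glob character in the
# title was expanded against the current directory.
log() { printf '\n\033[m\033[38;5;11m~~~ %s ~~~\033[m\n' "$*"; }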

log "deploy environment"

# obvious stuff: make /usr/local/bin (where vault lives) reachable and pin the shell
PATH="${PATH}:/usr/local/bin"
SHELL=/bin/sh
export PATH SHELL
# a righteous secure umask: group may read, others get nothing
umask 027

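log "deploy ssh_agent"

# ensure we have a usable running ssh agent to inject keys into
# reuse an existing agent if there is one, but only one owned by this user:
# an unrestricted /tmp/ssh-* match can return another account's socket,
# which we cannot connect to, and the key loading below would then fail.
# when nothing matches the glob stays literal and find complains about it,
# so find's stderr is deliberately silenced.
SSH_AUTH_SOCK=$(find /tmp/ssh-* -user "$(id -un)" -type s -name 'agent.*' -print 2>/dev/null | head -n 1)
export SSH_AUTH_SOCK

# a socket file can outlive its agent; ssh-add exits 2 when it cannot
# contact the agent, so treat a stale socket the same as no socket
agent_ok=0
if test -S "${SSH_AUTH_SOCK:-}" ; then
    ssh-add -l > /dev/null 2>&1
    test $? -ne 2 && agent_ok=1
fi

# else, clean up and acquire a new one
if test "$agent_ok" -eq 0 ; then
    echo 'no existing ssh-agent found, spawning a new one'
    # NOTE(review): this kills every ssh-agent owned by this user, including
    # one serving a concurrent job on the same host -- confirm jobs never overlap
    /bin/pkill -U "$(id -u)" ssh-agent
    # ssh-agent prints its own `export SSH_AUTH_SOCK` lines; -s forces sh syntax
    eval "$(/usr/bin/ssh-agent -s)"
fi

printf 'ssh-agent: %s\n' "$SSH_AUTH_SOCK"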

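log "vault authn"

# obtain a vault token for use during this session
# ensure we have address and auth key for vault; diagnostics go to stderr
if test -z "${VAULT_ADDR:-}" ; then
    echo 'vault: missing VAULT_ADDR url' >&2
    exit 1
fi

if test -z "${VAULT_SECRET:-}" ; then
    echo 'vault: missing VAULT_SECRET token' >&2
    exit 1
fi

# from here on error handling can be enabled safely
# NOTE(review): pipefail is not part of every /bin/sh (dash lacks it); the
# vault | ssh-add pipes later in this file rely on it to fail loudly, so the
# shebang shell must provide it -- confirm on the target hosts
set -o pipefail
set -e

# acquire a valid token
# assign first, then export: `export VAR=$(cmd)` reports export's own status,
# so a failed login would have slipped past set -e
# NOTE(review): `token=...` on the command line is visible in the process
# list to every local user while the login runs; check whether the pinned
# vault CLI can take the token from stdin or an environment variable instead
VAULT_TOKEN=$(/usr/local/bin/vault login -token-only -method=github token="${VAULT_SECRET}")
export VAULT_TOKEN
# prove the token works (set -e aborts here otherwise) before anything depends on it
/usr/local/bin/vault read secret/test > /dev/null 2>&1
log "vault tokens_valid"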

# acquire ssh keys
# stream one private key from vault straight into the agent, never via disk
load_key() {
    /usr/local/bin/vault read -field=ssh_private_key "secret/$1" | ssh-add -
}
# order matters: github only checks the first presented key, so the deploy
# key goes first; the servers' ssh daemon checks both, so ansible follows
load_key enso-bot
load_key ansible
log "ssh_agent keys_loaded"
# list the public halves now held by the agent
ssh-add -L


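log "cleaning environment"

# the github token has served its purpose; blank it so later steps and
# anything that dumps the environment cannot reuse it
export VAULT_SECRET=""
# each phase keeps only the secret it needs.
# `==` is a bash extension to test(1) that a POSIX /bin/sh rejects, so
# compare with `=`; an unset PHASE takes the non-webhook branch as before
if test "${PHASE:-}" = "webhook" ; then
    export BUILDKITE_REPO=''
else
    export CABAL_HMAC_SECRET=''
fi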

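log "setup tmpdir"
# set a per-job custom TMPDIR
# assign before exporting so a failed mktemp is not hidden behind export's status
# NOTE(review): `-t buildkite` with no X's is the BSD/macOS mktemp spelling;
# GNU mktemp rejects such a template -- confirm if this ever runs on Linux
TMPDIR=$(mktemp -d -t buildkite)
export TMPDIR
printf 'tmpdir: %s\n' "$TMPDIR"
printf 'home:   %s\n' "$HOME"
printf 'pwd:    %s\n' "$(pwd -P)"

############ end common section ############

log "buildkite env ready"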