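#!/usr/bin/env ruby
# frozen_string_literal: true

# Usage: ruby scripts/set_password.rb
# Sets (or resets) the admin password in config.yml.
#
# Reads a password from stdin, derives a PBKDF2-HMAC-SHA256 hash from it and
# stores the result under 'admin_password_hash'. A 'session_secret' is
# generated when the config does not have one yet. The config holds secrets,
# so it is created with mode 0600 and only then moved into place: it is never
# readable by other users, not even while it is being written.

require 'etc'
require 'io/console'
require 'openssl'
require 'securerandom'
require 'yaml'

CONFIG_PATH = ENV['CONFIG_PATH'] || '/opt/albumen/config.yml'

# PBKDF2 work factor. It is embedded in the stored string next to the salt.
# NOTE(review): OWASP's password-storage guidance currently suggests a larger
# count for PBKDF2-HMAC-SHA256; raise it only after confirming that the code
# verifying logins reads the count from the stored hash.
ITERATIONS = 100_000

print 'New admin password: '
$stdout.flush

password =
  if $stdin.tty?
    # Interactive use: keep the password off the screen and out of scrollback.
    typed = $stdin.noecho(&:gets)
    puts # the Enter keystroke was not echoed either
    typed
  else
    # Piped input (automation): there is no terminal echo to suppress.
    $stdin.gets
  end
password = password&.chomp
abort 'No password given.' if password.nil? || password.strip.empty?

# The hex string itself (not its decoded bytes) is used as the salt, and the
# same string is stored, so verification can reuse it unchanged.
salt = SecureRandom.hex(32)
digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'SHA256')
encoded = "pbkdf2_sha256$#{ITERATIONS}$#{salt}$#{digest.unpack1('H*')}"

# The existing config is treated as operator-controlled. On Psych < 4,
# YAML.load_file can instantiate arbitrary objects, so CONFIG_PATH must never
# point at a file that an untrusted user is able to modify.
config = File.exist?(CONFIG_PATH) ? (YAML.load_file(CONFIG_PATH) || {}) : {}
abort "#{CONFIG_PATH} is not a YAML mapping; refusing to overwrite it." unless config.is_a?(Hash)

config['admin_password_hash'] = encoded
config['session_secret'] ||= SecureRandom.hex(32)

# Write next to the target so the final rename stays on one filesystem and
# replaces the config atomically.
tmp = "#{CONFIG_PATH}.tmp.#{Process.pid}"
created = false
begin
  # EXCL refuses to reuse an existing path (a stale file or a symlink sitting
  # at this predictable name). The 0600 mode applies from creation, so the
  # hash and session secret are never exposed through default permissions.
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    created = true
    f.chmod(0o600) # exact mode, independent of the caller's umask
    f.write(config.to_yaml)
  end

  # Fix ownership before the rename so the file never appears at its final
  # path with the wrong owner. A failing chown (for example when not run as
  # root) leaves the existing config untouched.
  begin
    owner = Etc.getpwnam('albumen')
    File.chown(owner.uid, owner.gid, tmp)
  rescue ArgumentError
    # 'albumen' user doesn't exist (dev environment); leave ownership as-is
  end

  File.rename(tmp, CONFIG_PATH)
ensure
  # Only remove a temp file this run created; after a successful rename the
  # path no longer exists and nothing is deleted.
  File.unlink(tmp) if created && File.exist?(tmp)
end

puts "Password set. Config written to #{CONFIG_PATH}"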