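#!/usr/bin/env bash
#
# age decrypt file with github keys
#
# Usage: <script> <file>
#
# Decrypts <file> with `age -d`, using the identities in the keys file, and
# writes the plaintext next to the input with the ".age" suffix removed.
#
# Environment:
#   AGE_KEYSFILE    path of the identity file passed to `age -i`
#                   (default: $HOME/.ssh/keys.txt)
#   AGE_KEYSSOURCE  URL the keys file is fetched from when it does not exist
#                   (default: https://github.com/ivuorinen.keys)
#
# NOTE(review): github.com/<user>.keys serves an account's *public* SSH keys,
# while `age -d -i` expects an identity (private key) file, so a freshly
# fetched keys file is unlikely to decrypt anything. Confirm the intended key
# source. The fetched content is also trusted on first use: nothing here
# verifies it beyond the transport.

set -euo pipefail

# Use ENV or default values for keys file and source
KEYS_FILE="${AGE_KEYSFILE:-$HOME/.ssh/keys.txt}"
KEYS_SOURCE="${AGE_KEYSSOURCE:-https://github.com/ivuorinen.keys}"

# Temp files owned by this run; removed on every exit path by cleanup().
TEMP_FILE=""
KEYS_TEMP=""

# Print a diagnostic on stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Remove leftover temp files so no partial plaintext or key data is left behind.
cleanup() {
  if [[ -n "$TEMP_FILE" ]]; then
    rm -f -- "$TEMP_FILE"
  fi
  if [[ -n "$KEYS_TEMP" ]]; then
    rm -f -- "$KEYS_TEMP"
  fi
}
trap cleanup EXIT

# Check for required commands
if ! command -v age &> /dev/null; then
  die "Error: age is not installed. Please install it to continue."
fi

if ! command -v curl &> /dev/null; then
  die "Error: curl is not installed. Please install it to continue."
fi

# Ensure a file is provided
if [[ $# -lt 1 ]]; then
  die "Usage: $0 <file>"
fi

FILE="$1"

if [[ ! -f "$FILE" ]]; then
  die "Error: File '$FILE' does not exist."
fi

# A name starting with "-" would be parsed as an option by age; anchor it to
# the current directory so it is always treated as a path.
case "$FILE" in
  -*) FILE="./$FILE" ;;
esac

# Check if keys file exists, otherwise fetch it
if [[ ! -f "$KEYS_FILE" ]]; then
  printf '%s\n' "Keys file '$KEYS_FILE' not found. Attempting to fetch from $KEYS_SOURCE..."

  if [[ "$KEYS_SOURCE" != https://* ]]; then
    printf '%s\n' "Warning: '$KEYS_SOURCE' is not an https:// URL; keys fetched from it are not authenticated in transit." >&2
  fi

  # Create the directory if it doesn't exist
  KEYS_DIR="$(dirname -- "$KEYS_FILE")"
  mkdir -p -- "$KEYS_DIR"

  # Download into a private temp file (mktemp creates it 0600) and move it into
  # place only after it is complete, so the keys file never exists half-written
  # or with umask-default permissions.
  KEYS_TEMP="$(mktemp -p "$KEYS_DIR")" || die "Error: Failed to fetch keys from $KEYS_SOURCE"

  # -f: treat HTTP errors (404, 5xx) as failures instead of saving the error
  # page as the keys file. -S: still report the reason while staying quiet.
  if ! curl -fsS "$KEYS_SOURCE" -o "$KEYS_TEMP" || [[ ! -s "$KEYS_TEMP" ]]; then
    die "Error: Failed to fetch keys from $KEYS_SOURCE"
  fi

  # Set permissions to 0400
  chmod 0400 "$KEYS_TEMP"
  mv -- "$KEYS_TEMP" "$KEYS_FILE"
  KEYS_TEMP=""
  echo "Keys file fetched and permissions set to 0400."
fi

# Decrypt the file
OUTPUT_FILE="${FILE%.age}"

# Without an ".age" suffix the output name equals the input name, and the final
# mv would replace the ciphertext with its plaintext. Write beside it instead.
if [[ "$OUTPUT_FILE" == "$FILE" ]]; then
  OUTPUT_FILE="${FILE}.decrypted"
  printf '%s\n' "Warning: '$FILE' has no .age suffix; writing to '$OUTPUT_FILE' to keep the input intact." >&2
fi

# Decrypt into a temp file in the target directory so a failed decryption
# never leaves a truncated output file and the final mv stays on one filesystem.
TEMP_FILE="$(mktemp -p "$(dirname -- "$OUTPUT_FILE")")" || die "Error: Failed to decrypt file."

if age -d -i "$KEYS_FILE" "$FILE" > "$TEMP_FILE" && mv -- "$TEMP_FILE" "$OUTPUT_FILE"; then
  TEMP_FILE=""
  printf '%s\n' "File decrypted successfully: $OUTPUT_FILE"
else
  die "Error: Failed to decrypt file."
fi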