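#!/bin/bash
# Entrypoint for a tmkms (Tendermint KMS) validator-signing container.
#
# On every start it
#   1. runs `tmkms init` if $TMKMS_HOME has no tmkms.toml yet,
#   2. (re)writes tmkms.toml for the signing backend named by TMKMS_MODE,
#   3. imports the validator private key into that backend (once),
#   4. deletes the plaintext input key file and execs `tmkms start`.
#
# Required environment:
#   TMKMS_MODE        "yubihsm" or "softsign"
#   CHAIN_ID          chain id written to the [[chain]] / [[validator]] sections
#   KEY_PREFIX        bech32 prefix; "pub" and "valconspub" are appended to it
#   NODE_IP NODE_PORT address of the validator node the KMS connects to
# Optional environment:
#   YUBIHSM_PASSWORD  password of YubiHSM auth key 1 (yubihsm mode only);
#                     defaults to "password" if unset
#   CERC_SCRIPT_DEBUG when non-empty, enables `set -x` tracing

if [[ -n "${CERC_SCRIPT_DEBUG:-}" ]]; then
  # NOTE: tracing echoes the rendered tmkms.toml, including the YubiHSM
  # password, to stderr; keep it off wherever logs are retained.
  set -x
fi
set -eu

readonly TMKMS_HOME=/root/tmkms
readonly TMKMS_CONFIG="$TMKMS_HOME/tmkms.toml"
readonly INPUT_PRIV_KEY_FILE="$TMKMS_HOME/tmp/priv_validator_key.json"
readonly TMKMS_SECRETS_DIR="$TMKMS_HOME/secrets"
readonly TMKMS_STATE_DIR="$TMKMS_HOME/state"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless every named environment variable is set and non-empty.
# Catches missing input before an incomplete tmkms.toml is written.
# Arguments: variable names
#######################################
require_env() {
  local name
  for name in "$@"; do
    [[ -n "${!name:-}" ]] || die "Error: required environment variable $name is not set."
  done
}

#######################################
# Create the tmkms home layout with `tmkms init` unless a tmkms.toml
# already exists there.
# Globals: TMKMS_HOME, TMKMS_CONFIG (read)
#######################################
init_tmkms_home() {
  if [[ ! -f "$TMKMS_CONFIG" ]]; then
    echo "Initializing tmkms configuration..."
    tmkms init "$TMKMS_HOME"
  else
    echo "tmkms configuration already exists. Skipping initialization."
  fi
}

#######################################
# Write the [[chain]] and [[validator]] sections shared by both backends.
# The file is truncated, so the config is regenerated from the environment
# on every start and manual edits to tmkms.toml do not survive a restart.
# Globals: CHAIN_ID, KEY_PREFIX, NODE_IP, NODE_PORT, TMKMS_* (read)
# Outputs: overwrites $TMKMS_CONFIG (mode 0600)
#######################################
write_base_config() {
  cat <<EOF > "$TMKMS_CONFIG"
[[chain]]
id = "$CHAIN_ID"
key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"

[[validator]]
chain_id = "$CHAIN_ID"
addr = "tcp://$NODE_IP:$NODE_PORT"
secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
protocol_version = "v0.34"
reconnect = true

EOF
  # The provider section appended later may carry a password; keep the
  # file readable by the owner only.
  chmod 600 "$TMKMS_CONFIG"
}

#######################################
# Configure the YubiHSM backend and import the validator key into slot 1
# if that slot is still empty.
# Globals: YUBIHSM_PASSWORD (read, optional), INPUT_PRIV_KEY_FILE (read)
#######################################
configure_yubihsm() {
  write_base_config
  # The password is written into the config as a TOML string; values that
  # contain '"' or '\' would need escaping and are not expected here.
  cat <<EOF >> "$TMKMS_CONFIG"
[[providers.yubihsm]]
adapter = { type = "usb" }
auth = { key = 1, password = "${YUBIHSM_PASSWORD:-password}" }
EOF

  # NOTE(review): this runs on every start; confirm `tmkms yubihsm setup`
  # is safe to repeat against an already provisioned device.
  tmkms yubihsm setup -c "$TMKMS_CONFIG"

  # Capture the listing first so a failure of `keys list` itself aborts the
  # script (set -e) instead of being mistaken for "slot is empty".
  local keys
  keys=$(tmkms yubihsm keys list)
  if ! grep -q -- "0x0001:" <<<"$keys"; then
    echo "Importing private validator key into tmkms for yubihsm..."
    tmkms yubihsm keys import -i 1 "$INPUT_PRIV_KEY_FILE" -c "$TMKMS_CONFIG"
  else
    echo "Key 0x0001 already present in YubiHSM. Skipping import."
  fi
}

#######################################
# Configure the softsign backend and import the validator key into the
# secrets directory if it is not there yet.
# Globals: TMKMS_SECRETS_DIR, CHAIN_ID, INPUT_PRIV_KEY_FILE (read)
#######################################
configure_softsign() {
  local key_path="$TMKMS_SECRETS_DIR/priv_validator_key"
  write_base_config
  cat <<EOF >> "$TMKMS_CONFIG"
[[providers.softsign]]
key_type = "consensus"
path = "$key_path"
chain_ids = ["$CHAIN_ID"]
EOF

  if [[ ! -f "$key_path" ]]; then
    echo "Importing private validator key into tmkms for softsign..."
    tmkms softsign import "$INPUT_PRIV_KEY_FILE" "$key_path"
  else
    echo "Softsign key already present. Skipping import."
  fi
}

#######################################
# Validate input, prepare the configuration for the selected backend,
# discard the plaintext input key and hand the process over to tmkms.
#######################################
main() {
  case "${TMKMS_MODE:-}" in
    yubihsm|softsign) ;;
    *)
      die "Error: TMKMS_MODE environment variable not set or invalid. Please set it to 'yubihsm' or 'softsign'."
      ;;
  esac
  require_env CHAIN_ID KEY_PREFIX NODE_IP NODE_PORT

  init_tmkms_home

  case "$TMKMS_MODE" in
    yubihsm) configure_yubihsm ;;
    softsign) configure_softsign ;;
  esac

  # The plaintext key is no longer needed once the backend holds it.
  if [[ -f "$INPUT_PRIV_KEY_FILE" ]]; then
    rm -f -- "$INPUT_PRIV_KEY_FILE"
  fi

  echo "Starting tmkms..."
  # exec replaces this shell so tmkms receives stop signals directly
  # (relevant when this script is the container entrypoint).
  exec tmkms start --config "$TMKMS_CONFIG"
}

main "$@"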