_Assistant_Lead_Tech/scripts/sync-service-secrets.sh

76 lines
1.9 KiB
Bash
Executable File

#!/usr/bin/env bash
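#######################################
# Export the service secrets of the KeePassXC vault into a KEY=VALUE env file
# that only the current user can read.
# Globals:
#   LEADTECH       (read) root of the scripts tree; scripts/env_paths.sh is
#                         sourced from it and is expected to set SECRETS_KDBX
#   SECRETS_KDBX   (read) path to the .kdbx vault
#   KDBX_PASSWORD  (read) vault password; prompted for when unset or empty.
#                         A prompted value is kept local to this function so it
#                         does not linger in the shell that sources this file.
#   HOME           (read) target file is $HOME/.config/auto-secrets/service.env
# Arguments: none
# Outputs:   progress and error messages on stderr, two summary lines on stdout
# Returns:   0 when at least one secret was written, 1 on any failure
#######################################
_sync_service_secrets() {
  source "$LEADTECH/scripts/env_paths.sh" || { echo "env_paths.sh introuvable" >&2; return 1; }
  if [ ! -f "$SECRETS_KDBX" ]; then
    echo "Coffre introuvable : $SECRETS_KDBX" >&2
    return 1
  fi
  if ! command -v keepassxc-cli >/dev/null 2>&1; then
    echo "keepassxc-cli introuvable" >&2
    return 1
  fi
  if ! command -v python3 >/dev/null 2>&1; then
    echo "python3 introuvable" >&2
    return 1
  fi

  local target_file="$HOME/.config/auto-secrets/service.env"
  local target_dir
  target_dir=$(dirname "$target_file")
  # Create the directory under a restrictive umask so a freshly created path
  # is never group/world readable, not even briefly before a chmod.
  ( umask 077 && mkdir -p "$target_dir" ) || {
    echo "Impossible de créer : $target_dir" >&2
    return 1
  }

  if [ -z "${KDBX_PASSWORD:-}" ]; then
    # Shadow the global so the interactively typed password stays inside this
    # function when the file is sourced. `read -s` disables echo itself and
    # restores the terminal on interrupt, unlike a manual stty -echo/echo pair.
    local KDBX_PASSWORD
    printf "Mot de passe KeePassXC : " >&2
    if ! IFS= read -rs KDBX_PASSWORD; then
      printf '\n' >&2
      echo "Lecture du mot de passe impossible" >&2
      return 1
    fi
    printf '\n' >&2
  fi

  echo "Sync des secrets de service..." >&2
  local csv
  # The password is fed over stdin, never on the command line (argv is
  # readable by other processes). stderr is discarded because keepassxc-cli
  # prints its own password prompt there; as a consequence a wrong password
  # only surfaces as the generic export error below.
  csv=$(printf '%s\n' "$KDBX_PASSWORD" | keepassxc-cli export --format csv "$SECRETS_KDBX" 2>/dev/null) || {
    echo "Impossible d'exporter le coffre." >&2
    return 1
  }

  # The filter lives in a quoted here-doc so Python quotes and regex
  # metacharacters need no shell escaping. Only entries under the group
  # "Racine/services" whose title is a valid UPPER_SNAKE identifier and that
  # have a non-empty password are emitted, one "TITLE=password" per line.
  # Values are written verbatim: a consumer that sources the file as shell
  # must cope with spaces, quotes or '#' in a password (not validated here).
  local py_prog
  py_prog=$(cat <<'PY'
import csv, io, re, sys
raw = sys.stdin.read()
# keepassxc-cli may print text before the CSV header; start at the header row.
start = raw.find('"Group"')
if start == -1:
    sys.exit(0)
reader = csv.DictReader(io.StringIO(raw[start:]))
name_re = re.compile(r'[A-Z_][A-Z0-9_]*')
for row in reader:
    group = row.get('Group') or ''
    title = row.get('Title') or ''
    password = row.get('Password') or ''
    if group != 'Racine/services' and not group.startswith('Racine/services/'):
        continue
    if not name_re.fullmatch(title) or not password:
        continue
    if '\n' in password or '\r' in password:
        # A multi-line value would corrupt the KEY=VALUE file; skip it audibly.
        sys.stderr.write('Secret ignoré (valeur multi-ligne) : ' + title + '\n')
        continue
    sys.stdout.write(title + '=' + password + '\n')
PY
)
  local rendered_lines
  rendered_lines=$(printf '%s' "$csv" | python3 -c "$py_prog") || {
    echo "Analyse de l'export impossible." >&2
    return 1
  }
  if [ -z "$rendered_lines" ]; then
    echo "Aucun secret de service chargé." >&2
    return 1
  fi
  local loaded
  loaded=$(printf '%s\n' "$rendered_lines" | grep -c '.')

  # Write to a 0600 temp file in the same directory, then rename over the
  # target: readers never see a half-written file, a pre-existing file with
  # wrong permissions is replaced by a new 0600 inode, and a symlink at the
  # target path is replaced rather than followed.
  local tmp_file
  tmp_file=$(mktemp "$target_dir/.service.env.XXXXXX") || {
    echo "Impossible de créer un fichier temporaire dans : $target_dir" >&2
    return 1
  }
  if ! printf '%s\n' "$rendered_lines" > "$tmp_file"; then
    rm -f -- "$tmp_file"
    echo "Écriture impossible : $tmp_file" >&2
    return 1
  fi
  chmod 600 "$tmp_file"
  if ! mv -f -- "$tmp_file" "$target_file"; then
    rm -f -- "$tmp_file"
    echo "Écriture impossible : $target_file" >&2
    return 1
  fi
  echo "Secrets de service écrits dans : $target_file"
  echo "Secrets de service chargés : $loaded"
}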
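# Run the sync once, then drop the function so it does not linger in a shell
# that sources this file. The sync's failure is propagated instead of being
# masked by the exit status of `unset -f`: `return` works when sourced,
# `exit` when the file is executed (where `return` is rejected).
if _sync_service_secrets; then
  unset -f _sync_service_secrets
else
  unset -f _sync_service_secrets
  return 1 2>/dev/null || exit 1
fi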