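#!/bin/sh
# on_install hook (provider: mosquitto).
#
# Runs ONCE, INSIDE the mosquitto container, via `docker compose exec sh -s`
# while a consumer app that `requires` mosquitto is being installed. The
# reconciler/install-runner exports FURTKA_CONSUMER_APP (the app being
# installed) into our environment. stdout KEY=VALUE lines are merged into the
# consumer's .env (hook wins on conflict), so this is how the consumer learns
# its broker address and credentials.
#
# Why we stash the password provider-side: the on_start hook (ensure-client.sh)
# gets NO access to the consumer's stored password and its stdout is discarded,
# so it cannot re-create the same account after a passwd wipe unless we keep a
# copy here, on mosquitto's own persistent data volume.
#
# Inputs:  FURTKA_CONSUMER_APP (env) - consumer app name; doubles as the MQTT
#          username and as the stash file name under $stash_dir.
# Outputs: KEY=VALUE lines on stdout (MQTT_SERVER, MQTT_USER, MQTT_PASS);
#          diagnostics on stderr only, so they never land in the .env.
# Exit:    non-zero on any failure (set -e, explicit checks below). The
#          install runner is expected to treat that as a failed install.

set -eu

# Print a diagnostic to stderr and abort the hook.
die() {
  printf 'provision-client: %s\n' "$*" >&2
  exit 1
}

user="${FURTKA_CONSUMER_APP:?provision-client: FURTKA_CONSUMER_APP not set}"
passwd_file=/mosquitto/data/passwd
stash_dir=/mosquitto/data/furtka-clients

# The consumer name is used verbatim as a file name under $stash_dir and as
# the username in mosquitto's "user:hash" passwd file. Restrict it to a
# conservative character set so a "/" cannot escape the stash directory, a
# ":" cannot break the passwd line format, and a leading "-" or "." cannot be
# mistaken for an option or create a hidden file.
case "$user" in
  ''|-*|.*|*[!A-Za-z0-9_.-]*) die "invalid consumer app name: '$user'" ;;
esac
stash="${stash_dir}/${user}.pw"

# 0700 for the stash directory and 0600 for the stash file: this is a
# cleartext credential on a persistent volume.
umask 077
mkdir -p "$stash_dir"

# One random 32-char password per consumer, generated at install time and
# stashed. A reinstall of the same consumer rotates it (mosquitto_passwd -b
# updates the existing entry).
pass="$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32)"
# No pipefail under /bin/sh: if the urandom read fails the pipeline still
# exits 0 with an empty or short string. Never provision a weak password.
[ "${#pass}" -eq 32 ] || die "could not generate a 32-char password"
printf '%s' "$pass" > "$stash"

# -b: batch mode (user + password as args). Creates the account, or updates
# it if this consumer is being reinstalled.
# NOTE(review): in batch mode the password appears in this process's argv and
# is visible (ps, /proc) to anything that can list this container's
# processes for the duration of the call. I am not aware of a stdin-based
# mode in mosquitto_passwd that would avoid this - confirm for the installed
# version and switch to it if one exists.
mosquitto_passwd -b "$passwd_file" "$user" "$pass"

# Reload the password file so the new account is usable without bouncing the
# broker. PID 1 in this container is mosquitto (see compose `exec mosquitto`).
# Failure here is deliberately ignored: the on_start hook re-applies the
# stashed credential, so a missed reload is recoverable, whereas aborting
# now would leave a stash without a matching .env on the consumer side.
kill -HUP 1 2>/dev/null || true

# Handed back to the install runner and merged into the consumer's .env.
# The values are emitted unquoted; that is safe only because both $user and
# $pass are restricted to [A-Za-z0-9_.-] above.
printf '%s\n' \
  "MQTT_SERVER=mqtt://host.docker.internal:1883" \
  "MQTT_USER=${user}" \
  "MQTT_PASS=${pass}"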