#!/bin/bash
set -euo pipefail

KC_BASE="${KC_BASE:?}"
KC_REALM="${KC_REALM:?}"
KC_ADMIN_USER="${KC_ADMIN_USER:?}"
KC_ADMIN_PASS="${KC_ADMIN_PASS:?}"

if ! command -v jq >/dev/null 2>&1; then
  apt-get update && apt-get install -y jq curl >/dev/null
fi

token=$(
  curl -s -d "grant_type=password" \
    -d "client_id=admin-cli" \
    -d "username=${KC_ADMIN_USER}" \
    -d "password=${KC_ADMIN_PASS}" \
    "${KC_BASE}/realms/master/protocol/openid-connect/token" | jq -r '.access_token'
)

if [[ -z "${token}" || "${token}" == "null" ]]; then
  echo "Failed to obtain admin token"
  exit 1
fi

users=$(curl -s -H "Authorization: Bearer ${token}" \
  "${KC_BASE}/admin/realms/${KC_REALM}/users?max=2000")

echo "${users}" | jq -c '.[]' | while read -r user; do
  username=$(echo "${user}" | jq -r '.username')
  email=$(echo "${user}" | jq -r '.email // empty')
  app_pw=$(echo "${user}" | jq -r '.attributes.mailu_app_password[0] // empty')
  [[ -z "${email}" || -z "${app_pw}" ]] && continue
  echo "Syncing ${email}"
  runuser -u www-data -- php occ mail:account:create \
    "${username}" "${username}" "${email}" \
    mail.bstein.dev 993 ssl "${email}" "${app_pw}" \
    mail.bstein.dev 587 tls "${email}" "${app_pw}" login || true
done