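#!/bin/bash
# Manage the GPG-encrypted passphrase of the repository's vault.
#
# Usage: $0 [decrypt|reencrypt|init]      (default: decrypt)
#
#   decrypt    Print the vault passphrase to stdout (suitable as a vault
#              password script).
#   reencrypt  Re-encrypt the passphrase for every fingerprint listed in
#              the recipient file, e.g. after adding or removing a member.
#   init       Create the gpg/ directory, the plaintext bootstrap file the
#              operator writes the initial passphrase into, and the
#              recipient list.
#
# KEYSERVER and KEY_FILE are deployment-specific and must be filled in.
set -e -u -o pipefail

# Keyserver to use. You need to trust this keyserver that the uid is not
# spoofed when receiving keys. Not used by this script itself; kept for the
# operator who fetches the recipient keys by hand.
KEYSERVER=""
# File (relative to the gpg/ directory) which contains one key fingerprint
# per line to encrypt the vault passphrase for. Blank lines and lines
# starting with '#' are ignored.
KEY_FILE=""

REPO_BASE_PATH="$(dirname "$0")/.."
GPG_DIR="$REPO_BASE_PATH/gpg"
# File in which the passphrase for the vault is encrypted.
VAULT_PASS_FILE="$GPG_DIR/vault_passphrase.gpg"
# Plaintext bootstrap file created by 'init'; consumed (and removed) by the
# first 'reencrypt' once the operator has written the passphrase into it.
PLAIN_PASS_FILE="$GPG_DIR/vault_passphrase"
RECIPIENTS_FILE="$GPG_DIR/$KEY_FILE"

# Print a diagnostic to stderr and abort.
die() { printf '%s: %s\n' "${0##*/}" "$*" >&2; exit 1; }

# Default action is 'decrypt'. The ${1:-...} form is required: with 'set -u'
# a bare "$1" aborts the script when no argument is given, so the default
# could never apply.
ACTION="${1:-decrypt}"

case "$ACTION" in
  decrypt)
    # Only the passphrase goes to stdout; gpg's diagnostics stay on stderr so
    # a missing/untrusted key is visible to the operator (--quiet suppresses
    # the informational chatter that used to be hidden with 2>/dev/null).
    gpg2 --batch --quiet --use-agent --decrypt "$VAULT_PASS_FILE"
    ;;
  reencrypt)
    [[ -n "$KEY_FILE" ]] || die "KEY_FILE is not configured"
    [[ -r "$RECIPIENTS_FILE" ]] || die "recipient list not readable: $RECIPIENTS_FILE"

    # Build the recipient options as an array, never as a string-built
    # command line. Every entry must look like a full v4 (40 hex) or v5
    # (64 hex) fingerprint so a stray line in the list cannot inject gpg
    # options such as '--trust-model always'.
    recipient_args=()
    while IFS= read -r line || [[ -n "$line" ]]; do
      fp="${line//[[:space:]]/}"
      if [[ -z "$fp" || "$fp" == \#* ]]; then
        continue
      fi
      [[ "$fp" =~ ^(0x)?([0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$ ]] \
        || die "not a key fingerprint in $RECIPIENTS_FILE: $line"
      recipient_args+=(--recipient "${fp#0x}")
    done < "$RECIPIENTS_FILE"
    (( ${#recipient_args[@]} > 0 )) || die "no recipients listed in $RECIPIENTS_FILE"

    # The plaintext only ever lives in a mode-0600 temp file that is removed
    # on every exit path; previously it was written next to the vault file
    # inside the repository and never deleted.
    plain_tmp="$(mktemp)" || die "mktemp failed"
    enc_tmp="$(mktemp "$VAULT_PASS_FILE.XXXXXX")" || die "mktemp failed"
    trap 'rm -f -- "$plain_tmp" "$enc_tmp"' EXIT

    if [[ -e "$VAULT_PASS_FILE" ]]; then
      # --yes: the temp file already exists and --batch would otherwise
      # refuse to overwrite it.
      gpg2 --batch --quiet --use-agent --yes --output "$plain_tmp" \
        --decrypt "$VAULT_PASS_FILE"
    elif [[ -s "$PLAIN_PASS_FILE" ]]; then
      # Bootstrap: first encryption of the passphrase written after 'init'.
      cat -- "$PLAIN_PASS_FILE" > "$plain_tmp"
    else
      die "neither $VAULT_PASS_FILE nor a non-empty $PLAIN_PASS_FILE exists"
    fi

    # In batch mode gpg refuses to encrypt to keys it does not consider
    # valid. That is intended: locally sign (lsign) the recipient keys after
    # verifying them instead of weakening the trust model here.
    gpg2 --batch --quiet --use-agent --armor --yes --output "$enc_tmp" \
      "${recipient_args[@]}" --encrypt "$plain_tmp"
    # Atomic replace: a failed encryption never leaves a truncated vault file.
    mv -f -- "$enc_tmp" "$VAULT_PASS_FILE"

    # The plaintext bootstrap file must not stay in the repository once its
    # content is encrypted.
    if [[ -e "$PLAIN_PASS_FILE" ]]; then
      rm -f -- "$PLAIN_PASS_FILE"
      printf 'removed plaintext bootstrap file %s\n' "$PLAIN_PASS_FILE" >&2
    fi
    ;;
  init)
    mkdir -p -- "$GPG_DIR"
    # The operator writes the passphrase into this file: create it with a
    # restrictive mode from the start.
    ( umask 077; touch -- "$PLAIN_PASS_FILE" )
    if [[ -n "$KEY_FILE" ]]; then
      touch -- "$RECIPIENTS_FILE"
    else
      printf 'KEY_FILE is not configured; recipient list not created\n' >&2
    fi
    ;;
  *)
    die "unknown action '$ACTION' (expected decrypt, reencrypt or init)"
    ;;
esac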