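{{- /*
Secret holding the application's generated and operator-supplied secrets.

Precedence for every key, highest first:
  1. an explicit value under .Values.secrets (base64-encoded here),
  2. the value already stored in the live Secret found via `lookup`
     (copied through unchanged, it is already base64),
  3. for the always-present keys only, a freshly generated random value.

The third step also covers an existing Secret that predates one of the
always-present keys (e.g. an upgrade from a release that had no
HOCUSPOCUS_JWT_SECRET): the key is generated instead of being rendered
as an empty value.

`lookup` only returns data when the chart is rendered against a cluster
(install/upgrade, or a server-side dry-run). Offline renders see no
existing Secret and therefore produce new random values for the
generated keys; applying such output over a live release would rotate
them, so render-and-apply workflows must keep cluster access.
*/ -}}
{{- $ns := include "sebastian.namespace" . -}}
{{- $secretName := printf "%s-secrets" (include "sebastian.fullname" .) -}}
{{- $existing := (lookup "v1" "Secret" $ns $secretName) -}}
{{- /* .data of the live Secret, or an empty dict when there is no Secret yet
       (first install, offline render) or it carries no data; the empty dict
       keeps the `index` calls below nil-safe. */ -}}
{{- $existingData := dict -}}
{{- if and $existing $existing.data -}}
{{- $existingData = $existing.data -}}
{{- end -}}
{{- /* Explicit operator values; an empty dict when .Values.secrets is unset. */ -}}
{{- $explicit := .Values.secrets | default dict -}}
{{- /* Keys that must always exist. "len" is the randAlphaNum length used when
       neither an explicit nor a stored value is available. A list (not a dict)
       keeps the rendered key order stable. */ -}}
{{- $generated := list (dict "key" "NEXTAUTH_SECRET" "len" 32) (dict "key" "CRYPTR_KEY" "len" 32) (dict "key" "TOKEN_SECRET_KEY" "len" 32) (dict "key" "IMAP_WEBHOOK_SECRET" "len" 48) (dict "key" "AI_DOCUMENT_API_KEY" "len" 64) (dict "key" "COLLAB_PERSIST_API_KEY" "len" 64) (dict "key" "HOCUSPOCUS_JWT_SECRET" "len" 64) -}}
{{- /* Optional keys: emitted only when given explicitly or already stored;
       never generated. */ -}}
{{- $stripeKeys := list "stripe_secret_key" "stripe_publishable_key" "stripe_webhook_secret" -}}
{{- $ipinfoKeys := list "IPINFO_API_TOKEN" -}}
{{- $appleIapKeys := list "APPLE_IAP_KEY_ID" "APPLE_IAP_ISSUER_ID" "APPLE_IAP_BUNDLE_ID" "APPLE_IAP_PRIVATE_KEY" "APPLE_IAP_ENVIRONMENT" -}}
{{- $appleSignInKeys := list "APPLE_SIGN_IN_BUNDLE_ID" "APPLE_SIGN_IN_TEAM_ID" "APPLE_SIGN_IN_KEY_ID" "APPLE_SIGN_IN_PRIVATE_KEY" "APPLE_SIGN_IN_ENCRYPTION_KEY" -}}
{{- $teamsKeys := list "TEAMS_BOT_APP_ID" "TEAMS_BOT_APP_TENANT_ID" "TEAMS_BOT_APP_PASSWORD" -}}
{{- $optional := concat $stripeKeys $ipinfoKeys $appleIapKeys $appleSignInKeys $teamsKeys -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName | quote }}
  namespace: {{ $ns }}
  labels:
    {{- include "sebastian.labels" . | nindent 4 }}
  annotations:
    {{- if .Values.setup.applianceBootstrap.enabled }}
    # Appliance (Flux-reconciled): NOT a helm hook. Hook resources are deleted
    # (before-hook-creation) before each re-run, which makes the lookup-based
    # preservation below fail and regenerates NEXTAUTH_SECRET/CRYPTR_KEY/etc. on
    # every reconcile -- silently invalidating the initial admin password hash
    # and any encrypted data. As a regular resource it's preserved across
    # reconciles, so the lookup keeps the originally generated values;
    # resource-policy:keep guards it on uninstall.
    "helm.sh/resource-policy": keep
    {{- else }}
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-5"
    {{- end }}
type: Opaque
data:
{{- range $entry := $generated }}
  {{- $key := $entry.key }}
  {{- $explicitValue := index $explicit $key }}
  {{- $storedValue := index $existingData $key }}
  {{- /* explicit > stored > generated; stored values are already base64 */}}
  {{ $key }}: {{ if $explicitValue }}{{ $explicitValue | b64enc | quote }}{{ else if $storedValue }}{{ $storedValue | quote }}{{ else }}{{ randAlphaNum $entry.len | b64enc | quote }}{{ end }}
{{- end }}
{{- range $key := $optional }}
  {{- $explicitValue := index $explicit $key }}
  {{- $storedValue := index $existingData $key }}
  {{- if $explicitValue }}
  {{ $key }}: {{ $explicitValue | b64enc | quote }}
  {{- else if $storedValue }}
  {{ $key }}: {{ $storedValue | quote }}
  {{- end }}
{{- end }}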