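# Provisioning entry points: terraform (Hetzner) followed by the ansible bootstrap.
SHELL := /usr/bin/env bash

# Encrypted secrets file and terraform working directory shared by the goals below.
secrets_file := inventory/group_vars/secrets.sops.yaml
tf_dir := terraform/hetzner

# Shell fragment that leaves the Hetzner token in the recipe shell's exported
# HCLOUD_TOKEN (requires your SOPS_AGE_KEY loaded locally).
#
# The token is decrypted inside the recipe instead of with $(shell ...) at
# parse time. A parse-time value is pasted into the recipe text, so the
# plaintext token ends up in `make -n` / `make -p` output and in the argv of
# the recipe shell, and sops runs for every goal (fmt, sops-edit, ...).
# Decrypted here, the token only lives in the environment of the recipe shell
# and of terraform. sops' stderr is left visible so a decryption failure can
# be diagnosed.
#
# `make HCLOUD_TOKEN=... <goal>` keeps working: make exports command-line
# variables to recipes, so in that case sops is skipped.
ifeq ("$(origin HCLOUD_TOKEN)", "command line")
load_hcloud_token := export HCLOUD_TOKEN
else
load_hcloud_token := HCLOUD_TOKEN="$$(sops -d --extract '["ops"]["hcloud_token"]' $(secrets_file))"; export HCLOUD_TOKEN
endif

# NOTE(review): sops-rotate is declared phony but no rule for it is visible in
# this file; add the rule or drop the name.
.PHONY: all apply tf-init tf-apply ansible destroy fmt check sops-edit sops-rotate

all: apply

# Best effort: a formatting failure must not block `apply`.
fmt:
	terraform -chdir=$(tf_dir) fmt -recursive || true

tf-init:
	terraform -chdir=$(tf_dir) init

# Apply the terraform plan; stops before terraform runs when no token could be loaded.
# NOTE(review): -auto-approve skips terraform's confirmation prompt.
tf-apply: tf-init
	@$(load_hcloud_token); \
	if [ -z "$$HCLOUD_TOKEN" ]; then echo "HCLOUD_TOKEN empty. Did you load your SOPS key and encrypt ops.hcloud_token?"; exit 1; fi; \
	terraform -chdir=$(tf_dir) apply -auto-approve

# Run the bootstrap playbook as the `admin` remote user.
ansible:
	cd ansible && ansible-playbook playbooks/bootstrap.yaml -u admin

# Prerequisites are listed in the intended order: format, provision, configure.
# NOTE(review): that order is only guaranteed without -j, since no dependency
# between tf-apply and ansible is declared.
apply: fmt tf-apply ansible

# Tear down everything terraform manages in $(tf_dir).
# NOTE(review): -auto-approve means `make destroy` runs without any confirmation.
destroy:
	@$(load_hcloud_token); \
	if [ -z "$$HCLOUD_TOKEN" ]; then echo "HCLOUD_TOKEN empty. Did you load your SOPS key?"; exit 1; fi; \
	terraform -chdir=$(tf_dir) destroy -auto-approve

# Open the encrypted secrets file in sops' editor.
sops-edit:
	sops $(secrets_file)

# Smoke check. A failing `terraform plan` is ignored (`|| true`), so only the
# inventory parse can fail this goal.
# NOTE(review): this goal does not load HCLOUD_TOKEN; if the plan needs it, the
# plan fails silently here. Confirm that is intended.
check:
	terraform -chdir=$(tf_dir) plan >/dev/null || true
	cd ansible && ansible-inventory --list >/dev/null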