#!/usr/bin/env bash
# Postgres-Init-Script — läuft beim ersten Start des db-Containers.
#
# 1. Legt die Supabase-Standard-Rollen an (anon, authenticated, service_role,
#    supabase_auth_admin, supabase_storage_admin, authenticator).
#    Diese referenzieren die in den Rapport-Migrations definierten Policies.
# 2. Wendet alle Rapport-Migrations aus ./migrations/ in alphabetischer
#    Reihenfolge an.
#
# Nach diesem Script ist die DB einsatzbereit.

set -euo pipefail

echo "→ Supabase-Standard-Rollen anlegen…"
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres <<-EOSQL
  -- Standard-Rollen (idempotent)
  do \$\$ begin
    if not exists (select 1 from pg_roles where rolname = 'anon') then
      create role anon nologin noinherit;
    end if;
    if not exists (select 1 from pg_roles where rolname = 'authenticated') then
      create role authenticated nologin noinherit;
    end if;
    if not exists (select 1 from pg_roles where rolname = 'service_role') then
      create role service_role nologin noinherit bypassrls;
    end if;
    if not exists (select 1 from pg_roles where rolname = 'authenticator') then
      execute format('create role authenticator noinherit login password %L', current_setting('rapport.postgres_password', true));
    end if;
    if not exists (select 1 from pg_roles where rolname = 'supabase_auth_admin') then
      execute format('create role supabase_auth_admin login password %L', current_setting('rapport.postgres_password', true));
    end if;
    if not exists (select 1 from pg_roles where rolname = 'supabase_storage_admin') then
      execute format('create role supabase_storage_admin login password %L', current_setting('rapport.postgres_password', true));
    end if;
    if not exists (select 1 from pg_roles where rolname = 'supabase_admin') then
      execute format('create role supabase_admin superuser login password %L', current_setting('rapport.postgres_password', true));
    end if;
  end \$\$;

  grant anon to authenticator;
  grant authenticated to authenticator;
  grant service_role to authenticator;

  -- auth-Schema (für GoTrue)
  create schema if not exists auth authorization supabase_auth_admin;

  -- storage-Schema (für Storage-Service)
  create schema if not exists storage authorization supabase_storage_admin;

  -- pgcrypto + andere Extensions
  create extension if not exists pgcrypto;
  create extension if not exists "uuid-ossp";
EOSQL

echo "→ Rapport-Migrations applizieren…"
for f in /docker-entrypoint-initdb.d/migrations/*.sql; do
  if [ -f "$f" ]; then
    echo "  → $(basename "$f")"
    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres -f "$f"
  fi
done

echo "✓ DB-Initialisierung abgeschlossen."