#!/usr/bin/env bash
#
# Idempotently add cert_cn → role mappings to pg_ident.conf.d on the moments
# postgres primary and standby, then reload postgres so the changes take
# effect. Re-running is a no-op (no duplicate lines, no spurious reload).
#
# Run from a workstation with ssh access to both pg hosts. This script ssh's
# out; do NOT run it on magrathea/frankie directly.

set -euo pipefail

api_host=nikola.kosherinata.internal
worker_host=frootmig.kosherinata.internal

pg_hosts=(
    magrathea.kosherinata.internal
    frankie.kosherinata.internal
)

# Each (cert_cn host, role) pair becomes one cert_cn line in
# pg_ident.conf.d/<cert_cn host>.conf on every pg host listed above.
mapping_pairs=(
    "$api_host"    moments_ro
    "$worker_host" moments_rw
)

ident_dir=/var/lib/pgsql/18/data/pg_ident.conf.d

for pg_host in "${pg_hosts[@]}"; do
    printf '==> %s\n' "$pg_host"
    ssh -o BatchMode=yes "$pg_host" "sudo bash -s -- ${ident_dir@Q} ${mapping_pairs[@]@Q}" <<'REMOTE_EOF'
set -euo pipefail
ident_dir="$1"; shift

changed=0
while [[ $# -gt 0 ]]; do
    cert_cn_host="$1"
    role="$2"
    shift 2

    line="cert_cn ${cert_cn_host} ${role}"
    file="${ident_dir}/${cert_cn_host}.conf"

    # The heredoc runs as root via sudo bash, so [[ -f ]] and grep are fine
    # without dropping privs. tee --append runs as postgres so a newly-created
    # file lands with the conventional postgres:postgres ownership.
    if [[ -f "$file" ]] && grep --fixed-strings --line-regexp --quiet -- "$line" "$file"; then
        printf '  present: %s\n' "$line"
    else
        printf '%s\n' "$line" | sudo -u postgres tee --append "$file" >/dev/null
        printf '  added:   %s\n' "$line"
        changed=1
    fi
done

if (( changed )); then
    systemctl reload postgresql-18
    echo "  reloaded postgresql-18"
else
    echo "  no changes; reload skipped"
fi
REMOTE_EOF
done