import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

const config = new pulumi.Config();

//fetch credentials from k8s-bootstrap
const infraRef = new pulumi.StackReference(
  `${pulumi.getOrganization()}/k8s-bootstrap/dev`,
);

const kubeconfig = infraRef.requireOutput("kubeconfig");
const truenasHost = config.requireSecret("truenasHost");
const truenasNfsPath = config.requireSecret("truenasNfsPath");
const cloudflareToken = config.requireSecret("cloudflareApiToken");
const letsencryptEmail = config.requireSecret("letsencryptEmail");

const k8sProvider = new k8s.Provider("k3s", { kubeconfig });
const opts = (extras?: pulumi.ResourceOptions): pulumi.ResourceOptions => ({
  provider: k8sProvider,
  ...extras,
});

// ── 1. NFS CSI Driver ────────────────────────────────────────────────────────

const nfsCsiDriver = new k8s.helm.v3.Release(
  "nfs-csi-driver",
  {
    name: "csi-driver-nfs",
    chart: "csi-driver-nfs",
    repositoryOpts: {
      repo: "https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts",
    },
    namespace: "kube-system",
    version: "4.12.0",
    values: {
      kubeletDir: "/var/lib/kubelet",
    },
  },
  opts(),
);

new k8s.storage.v1.StorageClass(
  "truenas-nfs",
  {
    metadata: { name: "truenas-nfs" },
    provisioner: "nfs.csi.k8s.io",
    parameters: {
      server: truenasHost,
      share: truenasNfsPath,
      mountPermissions: "0",
    },
    reclaimPolicy: "Retain",
    volumeBindingMode: "Immediate",
    allowVolumeExpansion: true,
    mountOptions: ["nfsvers=4.1"],
  },
  opts({ dependsOn: [nfsCsiDriver] }),
);

// ── 2. cert-manager ──────────────────────────────────────────────────────────

const certManager = new k8s.helm.v3.Release(
  "cert-manager",
  {
    name: "cert-manager",
    chart: "cert-manager",
    repositoryOpts: { repo: "https://charts.jetstack.io" },
    namespace: "cert-manager",
    createNamespace: true,
    values: {
      installCRDs: true,
    },
  },
  opts(),
);

// ── 3. Cloudflare token secret + ClusterIssuer ───────────────────────────────

const cfSecret = new k8s.core.v1.Secret(
  "cloudflare-token",
  {
    metadata: { name: "cloudflare-api-token", namespace: "cert-manager" },
    stringData: { "api-token": cloudflareToken },
  },
  opts({ dependsOn: [certManager] }),
);

new k8s.apiextensions.CustomResource(
  "letsencrypt-prod",
  {
    apiVersion: "cert-manager.io/v1",
    kind: "ClusterIssuer",
    metadata: { name: "letsencrypt-prod" },
    spec: {
      acme: {
        server: "https://acme-v02.api.letsencrypt.org/directory",
        email: letsencryptEmail,
        privateKeySecretRef: { name: "letsencrypt-prod-account-key" },
        solvers: [
          {
            dns01: {
              cloudflare: {
                apiTokenSecretRef: {
                  name: cfSecret.metadata.name,
                  key: "api-token",
                },
              },
            },
          },
        ],
      },
    },
  },
  opts({ dependsOn: [certManager, cfSecret] }),
);

export const storageClass = "truenas-nfs";