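-- Credentials table for storing infrastructure secrets.
-- Values are encrypted using pgcrypto with a server-side key.
-- This allows rdev-api to manage its own configuration without K8s secrets.
--
-- The encryption key itself is never stored in this table; it is expected to
-- be supplied by the application at encrypt/decrypt time (NOTE(review): confirm
-- against the rdev-api call sites). Only ciphertext (BYTEA) is persisted here.
--
-- This file is idempotent: every statement uses IF NOT EXISTS / OR REPLACE /
-- DROP IF EXISTS so it can be re-applied as a migration.

-- Enable pgcrypto extension for encryption
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Credentials table
CREATE TABLE IF NOT EXISTS credentials (
    -- Unique identifier of the credential, e.g. GITEA_TOKEN.
    -- Empty identifiers are rejected; they are always a caller bug.
    key         VARCHAR(255) NOT NULL,
    -- Ciphertext produced by pgcrypto; never plaintext.
    value       BYTEA        NOT NULL,
    description TEXT,
    category    VARCHAR(50),
    created_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
    -- Maintained by the credentials_updated_at trigger below.
    updated_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
    updated_by  VARCHAR(255),
    CONSTRAINT credentials_pkey      PRIMARY KEY (key),
    CONSTRAINT credentials_key_check CHECK (key <> '')
);

-- Index for category lookups
CREATE INDEX IF NOT EXISTS idx_credentials_category ON credentials (category);

-- Update trigger for updated_at.
-- Stamps updated_at with the transaction time on every UPDATE so callers
-- cannot forget (or forge) it. The function pins search_path to pg_catalog
-- so that NOW() cannot be shadowed by an object in a user-writable schema
-- that happens to precede pg_catalog in the caller's search_path.
CREATE OR REPLACE FUNCTION update_credentials_updated_at()
RETURNS TRIGGER AS $$
BEGIN
    NEW.updated_at = NOW();
    RETURN NEW;
END;
$$ LANGUAGE plpgsql
   SET search_path = pg_catalog, pg_temp;

-- DROP + CREATE keeps this re-runnable on versions without CREATE OR REPLACE TRIGGER.
DROP TRIGGER IF EXISTS credentials_updated_at ON credentials;
CREATE TRIGGER credentials_updated_at
    BEFORE UPDATE ON credentials
    FOR EACH ROW
    EXECUTE FUNCTION update_credentials_updated_at();

-- Comments
COMMENT ON TABLE credentials IS 'Encrypted storage for infrastructure credentials';
COMMENT ON COLUMN credentials.key IS 'Unique credential identifier (e.g., GITEA_TOKEN)';
COMMENT ON COLUMN credentials.value IS 'Encrypted credential value using pgcrypto';
COMMENT ON COLUMN credentials.description IS 'Human-readable description of the credential';
COMMENT ON COLUMN credentials.category IS 'Grouping category (gitea, cloudflare, woodpecker, etc.)';
COMMENT ON COLUMN credentials.updated_by IS 'Who last modified this credential';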