#!/usr/bin/env bash
set -Eeuo pipefail

SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
CFG="$SCRIPT_DIR/config.sh"
[[ -f "$CFG" ]] || { echo "ERROR: config.sh fehlt: $CFG (erst 01_setup.sh ausführen)"; exit 1; }
# shellcheck disable=SC1090
source "$CFG"

# Der User, der das Script gestartet hat (auch wenn via sudo)
RUN_USER="${SUDO_USER:-$USER}"

# --- helpers ---
APP="raspi-backup"
STATE_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/${APP}"
LOG_FILE="${STATE_DIR}/${APP}.log"
mkdir -p "$STATE_DIR"

log(){ echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG_FILE" >/dev/null; }
die(){ log "ERROR: $*"; echo "ERROR: $*" >&2; exit 1; }
need_cmd(){ command -v "$1" >/dev/null 2>&1 || die "Fehlt: $1"; }
need_root(){ [[ "${EUID:-$(id -u)}" -eq 0 ]] || die "Bitte mit sudo starten: sudo $SCRIPT_DIR/03_verify.sh"; }
host_short(){ hostname -s 2>/dev/null || hostname 2>/dev/null || echo "raspi"; }
nas_alias(){ echo "${ALIAS_PREFIX}-$(host_short)"; }

need_root
need_cmd ssh

# validate config vars (OHNE SSH_USER)
: "${NAS_HOST:?}" "${NAS_USER:?}" "${NAS_PORT:?}" "${ALIAS_PREFIX:?}" "${NAS_BACKUP_BASE:?}" "${KEY_TYPE:?}"

hn="$(host_short)"
alias="$(nas_alias)"
ssh_user="$RUN_USER"
remote_root="${NAS_BACKUP_BASE%/}/${hn}"

# Keypfad (gehört RUN_USER)
key_path="$(eval echo "~${ssh_user}/.ssh/id_${KEY_TYPE}_${hn}")"
[[ -f "$key_path" ]] || die "Key fehlt: $key_path (erst 02_setup_ssh.sh ausführen)"

log "VERIFY START: run_user=${ssh_user} alias=${alias} remote_root=${remote_root}"

# optional Port check
if command -v nc >/dev/null 2>&1; then
  log "Check NAS Port: ${NAS_HOST}:${NAS_PORT}"
  nc -vz "$NAS_HOST" "$NAS_PORT" >/dev/null 2>&1 || die "NAS Port nicht erreichbar: ${NAS_HOST}:${NAS_PORT}"
else
  log "nc nicht vorhanden – überspringe Port-Check"
fi

# Direkte SSH Optionen (robust, nicht abhängig von ssh-config/alias)
SSH_BASE=(ssh -p "$NAS_PORT" -i "$key_path"
  -o IdentitiesOnly=yes
  -o BatchMode=yes
  -o StrictHostKeyChecking=yes
  -o ConnectTimeout=10
)

# 1) SSH login test als RUN_USER (wie bisher)
log "Check SSH Login (RUN_USER): ${NAS_USER}@${NAS_HOST}:${NAS_PORT}"
if ! sudo -u "$ssh_user" "${SSH_BASE[@]}" "${NAS_USER}@${NAS_HOST}" "echo ok" >/dev/null 2>&1; then
  die "SSH Login fehlgeschlagen als User '${ssh_user}' (Hostkey/Key/Netz prüfen)"
fi

# 2) Extra: SSH login test als root (wichtig, weil Backup Run via sudo/root)
log "Check SSH Login (root): ${NAS_USER}@${NAS_HOST}:${NAS_PORT}"
if ! "${SSH_BASE[@]}" "${NAS_USER}@${NAS_HOST}" "echo ok" >/dev/null 2>&1; then
  echo "Hinweis: root kann nicht verbinden (oft fehlt root der Hostkey in /root/.ssh/known_hosts)." >&2
  echo "Fix: 02_setup_ssh.sh erneut laufen lassen (lernt Hostkey für root), oder root-known_hosts ergänzen." >&2
  die "SSH Login fehlgeschlagen als root"
fi

# 3) Remote backup dir
log "Check/Create Remote Backup Dir: ${remote_root}"
sudo -u "$ssh_user" "${SSH_BASE[@]}" "${NAS_USER}@${NAS_HOST}" \
  "mkdir -p '$remote_root' && test -d '$remote_root'" >/dev/null \
  || die "Remote Backup Pfad nicht nutzbar: $remote_root"

log "VERIFY OK"
echo "Verify OK:"
echo "- NAS erreichbar (${NAS_HOST}:${NAS_PORT})"
echo "- SSH Login OK (User: ${NAS_USER}@${NAS_HOST}:${NAS_PORT})"
echo "- SSH Login OK (root: ${NAS_USER}@${NAS_HOST}:${NAS_PORT})"
echo "- Key OK (${key_path})"
echo "- Remote Backup Pfad OK (${remote_root})"
echo "Info: SSH-Alias (optional) wäre: ${alias}"