#!/usr/bin/env bash
set -Eeuo pipefail

SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
CFG="$SCRIPT_DIR/config.sh"
[[ -f "$CFG" ]] || { echo "ERROR: config.sh fehlt: $CFG (erst 01_setup.sh ausführen)"; exit 1; }
# shellcheck disable=SC1090
source "$CFG"

# --- helpers ---
APP="raspi-backup"
STATE_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/${APP}"
LOG_FILE="${STATE_DIR}/${APP}.log"
mkdir -p "$STATE_DIR"

log(){ echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG_FILE" >/dev/null; }
die(){ log "ERROR: $*"; echo "ERROR: $*" >&2; exit 1; }
need_cmd(){ command -v "$1" >/dev/null 2>&1 || die "Fehlt: $1"; }
need_root(){ [[ "${EUID:-$(id -u)}" -eq 0 ]] || die "Bitte mit sudo starten: sudo $SCRIPT_DIR/02_setup_ssh.sh"; }
host_short(){ hostname -s 2>/dev/null || hostname 2>/dev/null || echo "raspi"; }
nas_alias(){ echo "${ALIAS_PREFIX}-$(host_short)"; }

need_root
need_cmd ssh
need_cmd ssh-keygen

# validate config vars
: "${NAS_HOST:?}" "${NAS_USER:?}" "${NAS_PORT:?}" "${KEY_TYPE:?}" "${ALIAS_PREFIX:?}" "${SSH_USER:?}" "${NAS_AUTH_KEYS_FILE:?}"

hn="$(host_short)"
alias="$(nas_alias)"
ssh_user="$SSH_USER"

user_home="$(eval echo "~${ssh_user}")"
[[ -d "$user_home" ]] || die "Home für SSH_USER '$ssh_user' nicht gefunden."

ssh_dir="${user_home}/.ssh"
key="${ssh_dir}/id_${KEY_TYPE}_${hn}"
pub="${key}.pub"
cfg="${ssh_dir}/config"

log "SSH Setup START: ssh_user=${ssh_user} alias=${alias} nas=${NAS_USER}@${NAS_HOST}:${NAS_PORT} key=${key}"
log "NAS_AUTH_KEYS_FILE: ${NAS_AUTH_KEYS_FILE}"

# .ssh anlegen
sudo -u "$ssh_user" mkdir -p "$ssh_dir"
sudo -u "$ssh_user" chmod 700 "$ssh_dir"
sudo -u "$ssh_user" touch "$cfg"
sudo -u "$ssh_user" chmod 600 "$cfg"

# Key anlegen falls fehlt
if [[ ! -f "$key" ]]; then
  log "Erzeuge Key: $key"
  sudo -u "$ssh_user" ssh-keygen -t "$KEY_TYPE" -a 64 -f "$key" -N "" -C "${ssh_user}@${hn}"
else
  log "Key existiert: $key"
fi

# Alias Block append-only
if ! sudo -u "$ssh_user" grep -qE "^Host[[:space:]]+${alias}$" "$cfg"; then
  log "Füge Alias Block hinzu: $alias"
  sudo -u "$ssh_user" tee -a "$cfg" >/dev/null <<EOF
Host ${alias}
  HostName ${NAS_HOST}
  User ${NAS_USER}
  Port ${NAS_PORT}
  IdentityFile ${key}
  IdentitiesOnly yes
  ServerAliveInterval 30
  ServerAliveCountMax 3
EOF
else
  log "Alias existiert schon: $alias"
fi

# Testconnect (accept-new nur beim Setup)
log "SSH Verbindungstest (accept-new nur setup)..."
sudo -u "$ssh_user" ssh -p "$NAS_PORT" -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 \
  "${NAS_USER}@${NAS_HOST}" "echo ok" >/dev/null \
  || die "SSH Verbindung fehlgeschlagen: ${NAS_HOST}:${NAS_PORT}"

# Pubkey lesen
[[ -f "$pub" ]] || die "Public key fehlt: $pub"
pubkey="$(sudo -u "$ssh_user" cat "$pub")"

# WICHTIG: Key in zentrale NAS-Datei schreiben (nicht ~/.ssh/authorized_keys)
# - legt Verzeichnis an
# - sorgt für Datei + Rechte
# - fügt Key nur hinzu, wenn noch nicht vorhanden
log "Installiere Public Key in zentrale Datei am NAS..."
sudo -u "$ssh_user" ssh -p "$NAS_PORT" -o ConnectTimeout=10 \
  "${NAS_USER}@${NAS_HOST}" \
  "set -e;
   f='${NAS_AUTH_KEYS_FILE}';
   d=\$(dirname \"\$f\");
   mkdir -p \"\$d\";
   touch \"\$f\";
   chmod 600 \"\$f\";
   grep -qxF '$pubkey' \"\$f\" || echo '$pubkey' >> \"\$f\""

log "SSH Setup OK."
echo "SSH Setup OK."
echo "Test:"
echo "  sudo -u ${ssh_user} ssh ${alias} 'echo hello'"