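#!/usr/bin/env bash
#
# Provision a Debian/Ubuntu host for remote access:
#   1. install and enable OpenSSH plus a few tools,
#   2. create an RSA keypair for the target user and authorize it locally,
#   3. install ZeroTier and join a fixed network,
#   4. grant the target user passwordless sudo,
#   5. optionally copy the private key to a fixed LAN host.
#
# Must be run as root (typically through sudo). The target user is the
# invoking sudo user when there is one, otherwise the current user.
#
# NOTE(review): steps 2, 4 and 5 combined mean that whoever can read the
# copied private key on the remote host gets passwordless root on this
# machine. Treat that key, and the remote account holding it, as root-equivalent.
set -euo pipefail

# Print an error to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

(( EUID == 0 )) || die "must be run as root (e.g. via sudo)"

# Scratch directory for the downloaded installer and the sudoers candidate;
# removed on every exit path.
WORK_DIR="$(mktemp -d)" || die "mktemp failed"
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

# Detect current user. USER can be unset in minimal environments, so fall
# back to id(1) instead of tripping `set -u`.
TARGET_USER="${SUDO_USER:-${USER:-$(id -un)}}"

# Resolve the home directory from the passwd database. The value of
# SUDO_USER/USER comes from the environment, so it is never passed through
# `eval`; an unknown account name aborts here.
passwd_entry="$(getent passwd "$TARGET_USER")" || die "unknown user: $TARGET_USER"
USER_HOME="$(cut -d: -f6 <<<"$passwd_entry")"
[[ -n "$USER_HOME" ]] || die "no home directory recorded for $TARGET_USER"

# The primary group is not always named after the user.
TARGET_GROUP="$(id -gn "$TARGET_USER")"

SSH_DIR="$USER_HOME/.ssh"
KEY_PATH="$SSH_DIR/id_rsa_${TARGET_USER}"   # private key
PUB_KEY_PATH="${KEY_PATH}.pub"              # public key

# Fixed ZeroTier network ID
ZT_NETWORK_ID="0cccb752f70aef35"

echo "--- Installing packages ---"
export DEBIAN_FRONTEND=noninteractive
# apt-get has a stable interface for scripts; apt does not.
apt-get update -y
apt-get install -y openssh-server tmux nano curl gnupg ca-certificates

echo "--- Enabling SSH ---"
systemctl enable --now ssh

# Setup .ssh directory
mkdir -p "$SSH_DIR"
chmod 700 "$SSH_DIR"
chown "$TARGET_USER":"$TARGET_GROUP" "$SSH_DIR"

# Generate SSH keypair if it does not exist yet.
# NOTE(review): -N "" creates the key without a passphrase, so file
# permissions are its only protection.
if [[ ! -f "$KEY_PATH" ]]; then
  sudo -u "$TARGET_USER" ssh-keygen -t rsa -b 4096 -f "$KEY_PATH" -N "" -q
  chmod 600 "$KEY_PATH"
  chmod 644 "$PUB_KEY_PATH"
  chown "$TARGET_USER":"$TARGET_GROUP" "$KEY_PATH" "$PUB_KEY_PATH"
fi

# Add public key to authorized_keys (avoid duplicates)
AUTH_KEYS="$SSH_DIR/authorized_keys"
touch "$AUTH_KEYS"
chmod 600 "$AUTH_KEYS"
chown "$TARGET_USER":"$TARGET_GROUP" "$AUTH_KEYS"

PUBKEY_CONTENT="$(cat -- "$PUB_KEY_PATH")"
if ! grep -qxF -- "$PUBKEY_CONTENT" "$AUTH_KEYS"; then
  printf '%s\n' "$PUBKEY_CONTENT" >> "$AUTH_KEYS"
fi

# Install ZeroTier
echo "--- Installing ZeroTier ---"
# Download the installer completely before running it: -f makes an HTTP
# error fail the script instead of feeding an error page to bash, and a
# truncated transfer is never executed half-way.
# NOTE(review): the installer still runs as root with no integrity check
# beyond TLS. ZeroTier documents a GPG-verified install variant; prefer
# that, or pin and review the script, before using this on hosts that matter.
zt_installer="$WORK_DIR/zerotier-install.sh"
curl -fsS -o "$zt_installer" https://install.zerotier.com
bash "$zt_installer"
systemctl enable --now zerotier-one
sleep 2
zerotier-cli join "$ZT_NETWORK_ID"

# Passwordless sudo
# sudo ignores files in /etc/sudoers.d whose name contains a '.', so dots
# in the user name are replaced in the file name (not in the rule itself).
SUDOERS_FILE="/etc/sudoers.d/90-${TARGET_USER//./_}-nopasswd"
sudoers_candidate="$WORK_DIR/sudoers"
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$TARGET_USER" > "$sudoers_candidate"
# Validate before installing: a syntactically broken drop-in can disable
# sudo for every account on the machine.
visudo -cf "$sudoers_candidate" >/dev/null \
  || die "generated sudoers entry failed validation"
install -o root -g root -m 0440 "$sudoers_candidate" "$SUDOERS_FILE"

# Optionally SCP the private key and fix permissions on remote host
REMOTE_USER="jellyfin"
REMOTE_HOST="192.168.10.111"
REMOTE_PATH="/home/$REMOTE_USER/keys/id_rsa_${TARGET_USER}"

# -r keeps backslashes literal; a closed stdin (non-interactive run) counts
# as "no" instead of aborting the script under `set -e`.
copykey=""
read -r -p "Do you want to copy the private key to $REMOTE_HOST and fix permissions? [y/N]: " copykey || copykey=""
if [[ "$copykey" =~ ^[Yy]$ ]]; then
  echo "You will be prompted for the SSH password on $REMOTE_USER@$REMOTE_HOST"

  # Copy private key.
  # NOTE(review): this places a passphrase-less key that is authorized on
  # this host (and whose owner has NOPASSWD sudo) on a second machine.
  # Generating the keypair on the remote side and transferring only the
  # public key would avoid moving private key material at all.
  scp -o PubkeyAuthentication=no "$KEY_PATH" "$REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH"

  # Fix permissions on remote host. The command string is re-parsed by the
  # remote shell, so every interpolated value is shell-quoted first.
  printf -v remote_cmd 'chmod 600 %q && chown %q %q' \
    "$REMOTE_PATH" "$REMOTE_USER:$REMOTE_USER" "$REMOTE_PATH"
  ssh -o PubkeyAuthentication=no "$REMOTE_USER@$REMOTE_HOST" "$remote_cmd"

  echo "Private key copied and permissions fixed on remote host."
fi

echo ""
echo "=== SETUP COMPLETE ==="
echo "SSH public key for $TARGET_USER: $PUB_KEY_PATH"
echo "SSH private key: $KEY_PATH (DO NOT share publicly!)"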