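#!/bin/bash
#
# setup-ssh.sh - Configure SSH so any user gets the toes CLI
#
# This script:
#   1. Compiles and installs the NSS module
#   2. Adds "toes" to nsswitch.conf passwd line
#   3. Configures PAM to accept any password (home network appliance)
#   4. Ensures PasswordAuthentication is enabled in sshd
#   5. Adds /usr/local/bin/toes to /etc/shells
#   6. Creates the toes-cli system user and home directory
#   7. Validates the sshd configuration and restarts sshd
#
# Run as root on the toes machine.
#
# Security note: step 3 replaces the whole sshd PAM auth stack with
# pam_permit. After that, sshd accepts ANY password for every account it can
# resolve, including local accounts that keep a regular shell (the closing
# message names toes@toes.local as one). The script does not touch
# PermitRootLogin or any firewall rule, so restricting the SSH port to the
# trusted network and reviewing PermitRootLogin are left to the operator.

set -euo pipefail

if [[ ${EUID} -ne 0 ]]; then
  echo "setup-ssh.sh must be run as root" >&2
  exit 1
fi

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

echo "==> Setting up SSH auto-CLI for toes"

# 1. Compile and install NSS module
# Build in a private mktemp directory: a fixed name under /tmp can be
# pre-created (file or symlink) by any local user before root writes to it.
echo " Compiling NSS module..."
build_dir="$(mktemp -d)"
trap 'rm -rf -- "$build_dir"' EXIT
gcc -shared -fPIC -o "$build_dir/libnss_toes.so.2" "$SCRIPT_DIR/nss/libnss_toes.c"
# Fix owner and mode explicitly; every NSS-using process will load this library.
install -o root -g root -m 0644 "$build_dir/libnss_toes.so.2" /lib/libnss_toes.so.2
ldconfig
echo " Installed libnss_toes.so.2"

# 2. Add toes to nsswitch.conf
# Match only an active passwd: line with "toes" as a whole word, which is the
# same line the sed below edits.
if ! grep -Eq '^passwd:.*[[:space:]]toes([[:space:]]|$)' /etc/nsswitch.conf; then
  sed -i 's/^passwd:.*/& toes/' /etc/nsswitch.conf
  echo " Added toes to nsswitch.conf"
else
  echo " nsswitch.conf already configured"
fi

# 3. Configure PAM - accept any password for SSH
PAM_SSHD="/etc/pam.d/sshd"
if ! grep -q 'pam_permit.so.*# toes' "$PAM_SSHD"; then
  # Keep a one-time copy of the original stack so the change can be reverted.
  # (".pre-toes" is a name chosen here, not an existing convention.)
  if [[ ! -e "${PAM_SSHD}.pre-toes" ]]; then
    cp -p -- "$PAM_SSHD" "${PAM_SSHD}.pre-toes"
  fi
  # Comment out existing auth and replace with pam_permit
  sed -i \
    -e '/^@include common-auth/s/^/# /' \
    -e '/^auth/s/^/# /' \
    "$PAM_SSHD"
  # Add pam_permit after the commented lines. With every other auth line
  # disabled this is the only auth module left, so no password is checked.
  echo 'auth sufficient pam_permit.so # toes' >> "$PAM_SSHD"
  echo " Configured PAM for passwordless SSH"
else
  echo " PAM already configured"
fi

# 4. Ensure PasswordAuthentication yes in sshd_config
# NOTE(review): sshd uses the first value it reads for a keyword, and a line
# appended after a Match block belongs to that block, so the append branch may
# not take effect on every layout. Confirm with `sshd -T` after running.
SSHD_CONFIG="/etc/ssh/sshd_config"
if grep -q '^PasswordAuthentication no' "$SSHD_CONFIG"; then
  sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' "$SSHD_CONFIG"
  echo " Enabled PasswordAuthentication"
elif grep -q '^#PasswordAuthentication' "$SSHD_CONFIG"; then
  sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication yes/' "$SSHD_CONFIG"
  echo " Enabled PasswordAuthentication"
elif ! grep -q '^PasswordAuthentication yes' "$SSHD_CONFIG"; then
  echo 'PasswordAuthentication yes' >> "$SSHD_CONFIG"
  echo " Added PasswordAuthentication yes"
else
  echo " PasswordAuthentication already enabled"
fi

# 5. Ensure /usr/local/bin/toes is in /etc/shells
TOES_SHELL="/usr/local/bin/toes"
# -x -F: compare the whole line literally instead of treating the path as a regex.
if ! grep -qxF -- "$TOES_SHELL" /etc/shells; then
  echo "$TOES_SHELL" >> /etc/shells
  echo " Added $TOES_SHELL to /etc/shells"
else
  echo " $TOES_SHELL already in /etc/shells"
fi

# Ensure the toes binary exists (symlink to bun entry point)
if [[ ! -f "$TOES_SHELL" ]]; then
  echo " WARNING: $TOES_SHELL does not exist yet"
  echo " Create it with: ln -sf /path/to/toes/cli $TOES_SHELL"
fi

# Create toes-cli system user for guest SSH sessions
if ! id toes-cli &>/dev/null; then
  useradd --system --uid 3001 \
    --home-dir /home/toes-cli \
    --shell "$TOES_SHELL" \
    --create-home toes-cli
  echo " Created toes-cli user"
else
  echo " toes-cli user already exists"
fi

# Ensure /home/toes-cli exists for guest sessions
if [[ ! -d /home/toes-cli ]]; then
  mkdir -p /home/toes-cli
  chmod 755 /home/toes-cli
  echo " Created /home/toes-cli"
fi

# 6. Restart sshd
# Check the edited config first: restarting with a broken sshd_config would
# leave the machine without SSH access.
if command -v sshd >/dev/null 2>&1; then
  if ! sshd -t -f "$SSHD_CONFIG"; then
    echo " ERROR: sshd configuration test failed; not restarting sshd" >&2
    exit 1
  fi
fi

echo " Restarting sshd..."
# Best effort across init systems, but report a failure instead of hiding it.
if ! systemctl restart sshd && ! service ssh restart; then
  echo " WARNING: could not restart sshd; restart it manually" >&2
fi

echo "==> Done. Any SSH user will now get the toes CLI."
echo " SSH users are mapped to the toes-cli account (UID 3001)."
echo " toes@toes.local still gets a regular shell."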