#!/bin/bash -x

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

if [[ $EUID != 0 ]]; then
  echo "$0: error: expected to be root."
  exit 1
fi

# ssh host keys
# note, $BASH_SOURCE is not defined here under fai.

src=$(dirname "$0")/p/c/machine_specific/$HOSTNAME/filesystem/etc/ssh
dst=$target/etc/ssh
if [[ -e $src && -e $dst ]]; then
  # outside of fai context or setting up a brand new host, we skip this
  cp -rT $src $dst
fi

root_pw_f=/q/root/shadow/standard
if [[ ! -e $root_pw_f ]]; then
  root_pw_f=/q/root/shadow/$HOSTNAME
fi

au() { # add user. i don't use adduser for portability
  local user=${@: -1}
  if ! $ROOTCMD getent passwd $user; then
    $ROOTCMD useradd -c $user -Um -s /bin/bash $@
  fi
}


# only setup root pass for bootstrap vol
# for bootstrap vol, we only use root user
if ifclass VOL_BULLSEYE_BOOTSTRAP || ifclass VOL_BOOKWORM_BOOTSTRAP; then
  sed 's/^/root:/' $root_pw_f | $ROOTCMD chpasswd -e
  exit 0
fi


# return of 9 = user already exists. so we are idempotent.
au iank
# generating a hashed password:
# under debian, you can do
# mkpasswd -m sha-512 -s >/q/root/shadow/standard
# On arch, best seems to be copy your shadow file to a temp location,
# then passwd, get out the new pass, then copy the shadow file back.
if [[ -e $root_pw_f ]]; then
  sed 's/^/root:/' $root_pw_f | $ROOTCMD chpasswd -e
  sed 's/^/iank:/' $root_pw_f | $ROOTCMD chpasswd -e
fi

au user2
if ifclass frodo; then
  sed 's/^/user2:/' /q/root/shadow/user2 | $ROOTCMD chpasswd -e
fi
# comparing iank's groups to user2, I see none she should join on arch
$ROOTCMD usermod -a -G user2 iank


$ROOTCMD getent group docker &>/dev/null || $ROOTCMD groupadd -r docker
$ROOTCMD usermod -a -G docker iank

# based on unison error, with 8192 from
# sysctl -a | grep fs.inotify.max_user_watches
#http://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux
f=$target/etc/sysctl.d/99-sysctl.conf
key=fs.inotify.max_user_watches
if [[ -e $f ]]; then sed -ri --follow-symlinks "/^\s*$key\s*=/d" $f; fi
echo "fs.inotify.max_user_watches = 50000" >> $f
# applies it. it would be also be applied after a reboot
$ROOTCMD sysctl --system

if getent group sudo >/dev/null; then
  $ROOTCMD usermod -aG sudo iank
fi

mkdir -p $target/etc/sudoers.d
cat >$target/etc/sudoers.d/ianksudoers <<'EOF'
Defaults timestamp_timeout=1440
# used in bashrc
Defaults  env_keep += SUDOD
# always_set_home
# makes ubuntu be like debian
# https://unix.stackexchange.com/a/91572
Defaults always_set_home
# umask: default setting is to have  minimum umask of 0022
# This lets us have user-specific umasks which are more permissive.
# I did this for transmission and set it's umask gecos on install,
# see there for more info.
Defaults !umask
# i use sudo in cronjobs, it spams the logs rather uselessly
# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands
Defaults:root,iank !log_allowed, !pam_session
# for just the root user, set some env vars
Defaults>root env_file=/etc/rootsudoenv

# a few commands we should be able to run with no password
iank ALL = (root) NOPASSWD: /usr/local/bin/spend,/usr/local/bin/us,/usr/local/bin/off,/usr/bin/nmtui-connect,/usr/local/bin/bitcoinoff,/usr/local/bin/bitcoinon

EOF

case $HOSTNAME in
  li|bk|je)
    cat >>$target/etc/sudoers.d/ianksudoers <<'EOF'
iank  ALL=(ALL)  NOPASSWD: ALL
EOF
    ;;
esac

# remove old config line. can be removed eventually.
f=$target/etc/sudoers
line='iank  ALL=(ALL)  NOPASSWD: ALL'
if grep -qxF "$line" $f; then
  sed -i "/^$line/d" $f
fi


au --system -s /bin/false --home-dir /var/lib/bitcoind bitcoin