#!/bin/bash
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

# restricted ssh does not allow arguments, but they exist in $SSH_ORIGINAL_COMMAND
# debug
dfile=/tmp/hssh-debug-$(id -u)
date >>$dfile
echo SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND >>$dfile

if [[ ! $SSH_ORIGINAL_COMMAND ]]; then
  echo "no SSH_ORIGINAL_COMMAND" >&2
  exit 1
fi

mapfile -t cmds <<'EOF'
# btrbk-run
date +%z
cat /a/bin/bash_unpublished/source-state
cat /etc/hostname
ps --no-headers -o comm 1
systemctl is-active btrbk.service
mkdir -p /mnt/root/btrbk && date +%z && df --output=size,pcent / | tail -n1
DISPLAY=:0 xprintidle
rsync --server --sender -logDtprRe.iLsfxC . /usr/local/./bin/mount-latest-subvol /usr/local/./bin/check-subvol-stale /usr/local/./lib/err
rsync --server --sender -logDtpre.iLsfxC . /usr/local/lib/err
rsync --server --sender -logDtpre.iLsfxC . /usr/local/bin/mount-latest-subvol /usr/local/bin/check-subvol-stale
scp -f /a/bin/distro-setup/btrbk-run
# mount-latest-remote
timeout -s 9 600 /usr/local/bin/mount-latest-subvol
rsync --server -OtpRe.LsfxC . /usr/local
/usr/local/bin/mail-backup-clean
/usr/local/bin/check-mailq
find /var/local/cron-errors /home/iank/cron-errors /sysd-mail-once-state -type f
EOF

allow=false
for c in "${cmds[@]}"; do
  # echo "c $c" # debug
  if [[ $c == \#* ]]; then continue; fi
  if [[ $SSH_ORIGINAL_COMMAND == "$c" ]]; then
    allow=true
    break
  fi
done
if $allow; then
  eval $SSH_ORIGINAL_COMMAND || exit $?
else
  f=/usr/local/bin/ssh_filter_btrbk.sh
  if [[ ! -e $f ]]; then
    f=/a/opt/btrbk/ssh_filter_btrbk.sh
  fi
  $f --target --delete --source --info || exit $?
fi