#!/bin/bash
# I, Ian Kelling, follow the GNU license recommendations at
# https://www.gnu.org/licenses/license-recommendations.en.html. They
# recommend that small programs, < 300 lines, be licensed under the
# Apache License 2.0. This file contains or is part of one or more small
# programs. If a small program grows beyond 300 lines, I plan to switch
# its license to GPL.

# Copyright 2024 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"

# leftover
if [[ -L /root/.ssh ]]; then
  rm /root/.ssh
fi
mkdir -p /root/.ssh
chmod 700 /root/.ssh

user=$(id -un 1000)

user_ssh_dir=$(eval echo ~$user)/.ssh
if [[ ! -s $user_ssh_dir/authorized_keys ]]; then
  echo missing $user_ssh_dir/authorized_keys. bad sign. bailing >&2
  exit 1
fi

# remove broken links, or else rsync has error about them.
find $user_ssh_dir -xtype l -exec rm '{}' \;
# -t times, so it won't rewrite the file every time,
# -L resolve links
rsync --exclude=/h --exclude=/h.pub \
      --exclude=/hrsa --exclude=/hrsa.pub \
      --exclude /config --exclude /confighome -rtL --delete $user_ssh_dir/ /root/.ssh
if [[ -e /q/root/h ]]; then
  cp -a /q/root/{h,hrsa}{,.pub} /root/.ssh
fi

if [[ -e $user_ssh_dir/config ]]; then
  ### The h key is like the home key, but only a whitelist of commands allowed, and
  # not encrypted, so cron and whatnot can use it.
  # For any interactive ssh command we want to run as root that is not in that
  # whitelist, we need to ssh -F $HOME/.ssh/confighome
  ### I run a separate ssh-agent for root where I add keys without
  # confirm. This the root ssh-agent is only available
  # to root, and it allows us to have a working ssh when X isnt available,
  # eg, in an ssh shell. confirm for regular user provides some protection
  # that a rouge user program cant use my ssh key.
  sed 's,^AddKeysToAgent confirm,AddKeysToAgent yes,;/^UserKnownHostsFile /d' $user_ssh_dir/config >/root/.ssh/confighome
  sed 's,^IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,' /root/.ssh/confighome >/root/.ssh/config
fi
chown -R root:root /root/.ssh

# --update, -u             skip files that are newer on the receiver
# I often push out a new hssh
rsync -tpu --chmod=755 --chown=root:root /a/bin/fai/fai/config/files/usr/local/bin/hssh/IANK /usr/local/bin/hssh

if [[ -e /a/opt/btrbk/ssh_filter_btrbk.sh ]]; then
  install /a/opt/btrbk/ssh_filter_btrbk.sh /usr/local/bin
fi

if [[ -e /etc/systemd/system/ssh-agent-root.service ]]; then
  systemctl enable --now ssh-agent-root
fi


# note: i previously had $auth_dir/root/.ssh/authorized_keys
# but /usr/share/doc/dropbear-initramfs/README.initramfs
# says differently. not sure what is up.

auth_dir=/etc/dropbear/initramfs/
candidate=$(apt-cache policy dropbear-initramfs | awk '$1 == "Candidate:" { print $2 }' | head -n1 ||:)
if [[ $candidate ]] && dpkg --compare-versions "$candidate" lt 2020.81-4; then
  auth_dir=/etc/dropbear-initramfs
fi
auth_file=$auth_dir/authorized_keys
mkdir -p $auth_dir
if [[ ! -e $auth_file ]] || ! diff -q /root/.ssh/authorized_keys $auth_file; then
  cp -p /root/.ssh/authorized_keys $auth_file
  update-initramfs -u -k all
fi