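#!/usr/bin/env bash
# Setup dev-vm (LXC 5700): create four users (dev1–dev4), shared /srv/projects, and Gitea for private GitOps.
# Run inside the container (e.g. pct exec 5700 -- bash -s) or copy and run as root in the container.
#
# Usage (from host):
#   ssh root@192.168.11.11 "pct exec 5700 -- bash -s" < scripts/setup-dev-vm-users-and-gitea.sh
#   (Dev VM IP: 192.168.11.59 from config/ip-addresses.conf)
# Or copy and run:
#   pct push 5700 scripts/setup-dev-vm-users-and-gitea.sh /tmp/setup-dev-vm.sh
#   pct exec 5700 -- bash /tmp/setup-dev-vm.sh
#
# Requires: container already created and booted (create-dev-vm-5700.sh).
#
# Environment:
#   GITEA_VERSION  Gitea release to install (default below).
#
# Security notes for reviewers:
#   - dev1..dev4 receive passwordless sudo for apt/apt-get, which is root-equivalent
#     inside the container (see the sudoers step).
#   - Gitea starts with its first-run installer open over plain HTTP on port 3000;
#     complete it promptly or restrict network access to the port.

set -euo pipefail

DEV_GROUP="dev"
PROJECTS_DIR="/srv/projects"
GITEA_USER="git"
GITEA_HOME="/opt/gitea"
GITEA_VERSION="${GITEA_VERSION:-1.25.4}"

echo "=== Dev VM setup: users + Gitea ==="

# Ensure we have necessary packages (Debian/Ubuntu)
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq
apt-get install -y -qq curl sudo jq ca-certificates

# Create shared group and directory.
# Mode 2775: setgid so new files inherit the dev group; world-readable by design.
getent group "$DEV_GROUP" >/dev/null || groupadd "$DEV_GROUP"
mkdir -p "$PROJECTS_DIR"
chgrp "$DEV_GROUP" "$PROJECTS_DIR"
chmod 2775 "$PROJECTS_DIR"

# Create four dev users (no password; SSH key only)
for i in 1 2 3 4; do
  u="dev$i"
  if ! getent passwd "$u" >/dev/null; then
    useradd -m -s /bin/bash -G "$DEV_GROUP" "$u"
    echo "$u:!*" | chpasswd -e # lock password
    mkdir -p "/home/$u/.ssh"
    chmod 700 "/home/$u/.ssh"
    touch "/home/$u/.ssh/authorized_keys"
    chmod 600 "/home/$u/.ssh/authorized_keys"
    chown -R "$u:$u" "/home/$u/.ssh"
    echo " User $u created. Add SSH keys to /home/$u/.ssh/authorized_keys"
  else
    echo " User $u already exists"
  fi

  # Allow each dev user to use sudo for package installs (optional).
  # NOTE(security): passwordless apt/apt-get is effectively unrestricted root,
  # because package installation runs maintainer scripts and hooks as root.
  # Treat dev1..dev4 as root-equivalent inside this container, or drop this rule.
  #
  # The rule is staged in a temp file, syntax-checked with visudo and installed
  # with its final mode in one step: a malformed drop-in can break sudo for
  # everyone, and the file must never exist with looser permissions than 0440.
  # Still best-effort: a failure is reported but does not abort the setup.
  sudoers_tmp=$(mktemp)
  printf '%s\n' "${u} ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt" > "$sudoers_tmp"
  if visudo -cf "$sudoers_tmp" >/dev/null 2>&1; then
    install -m 0440 -o root -g root "$sudoers_tmp" "/etc/sudoers.d/dev-${u}" \
      || echo " WARN: could not install /etc/sudoers.d/dev-${u}" >&2
  else
    echo " WARN: sudoers rule for ${u} failed validation; not installed" >&2
  fi
  rm -f -- "$sudoers_tmp"
done

# Install Gitea
if ! command -v gitea &>/dev/null; then
  echo "Installing Gitea ${GITEA_VERSION}..."
  GITEA_URL="https://dl.gitea.com/gitea/${GITEA_VERSION}/gitea-${GITEA_VERSION}-linux-amd64"

  # Download to a private temp dir and verify before anything lands in PATH.
  # -f makes curl fail on HTTP errors instead of saving an error page as the binary.
  gitea_tmp=$(mktemp -d)
  trap 'rm -rf -- "${gitea_tmp:?}"' EXIT
  curl -fsSL -o "$gitea_tmp/gitea" "$GITEA_URL"
  curl -fsSL -o "$gitea_tmp/gitea.sha256" "${GITEA_URL}.sha256"

  # The .sha256 file is served by the same host as the binary, so this check
  # catches truncated or corrupted downloads but not a compromised download
  # server. For stronger assurance, pin the expected hash in this script or
  # verify the release's detached GPG signature against a trusted key.
  expected_sha=$(awk '{print $1; exit}' "$gitea_tmp/gitea.sha256")
  actual_sha=$(sha256sum "$gitea_tmp/gitea" | awk '{print $1}')
  if [[ -z "$expected_sha" || "$expected_sha" != "$actual_sha" ]]; then
    echo "ERROR: SHA-256 mismatch for Gitea ${GITEA_VERSION}; refusing to install" >&2
    exit 1
  fi
  install -m 0755 -o root -g root "$gitea_tmp/gitea" /usr/local/bin/gitea

  useradd -r -s /bin/false -d "$GITEA_HOME" "$GITEA_USER" 2>/dev/null || true
  mkdir -p "$GITEA_HOME" /etc/gitea
  chown -R "$GITEA_USER:$GITEA_USER" "$GITEA_HOME" /etc/gitea
  chmod 770 /etc/gitea

  # Minimal app.ini so first-run wizard can complete.
  # NOTE(security): no install lock is set here, so until the wizard is finished
  # anyone who can reach port 3000 can complete it and create the admin account.
  # Traffic is plain HTTP; put TLS or an SSH tunnel in front for anything
  # beyond a trusted lab network.
  cat > /etc/gitea/app.ini <<'INI'
[server]
HTTP_PORT = 3000
DOMAIN = localhost
ROOT_URL = http://localhost:3000/

[repository]
ROOT = /opt/gitea/data/gitea-repositories

[database]
DB_TYPE = sqlite3
PATH = /opt/gitea/data/gitea.db

[log]
MODE = console
LEVEL = Info
INI
  # app.ini is created by root after the chown above, so it would otherwise be
  # root-owned and world-readable. The installer has to save its settings
  # (including generated secrets) into this file: give the service group write
  # access for first run and remove access for everyone else.
  chown "root:$GITEA_USER" /etc/gitea/app.ini
  chmod 660 /etc/gitea/app.ini

  mkdir -p "$GITEA_HOME/data"
  chown -R "$GITEA_USER:$GITEA_USER" "$GITEA_HOME"

  # Systemd unit (works in LXC with cgroup v2)
  cat > /etc/systemd/system/gitea.service <<'SVC'
[Unit]
Description=Gitea (Git service)
After=network.target

[Service]
Type=simple
User=git
Group=git
WorkingDirectory=/opt/gitea
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
SVC
  systemctl daemon-reload
  systemctl enable gitea.service
  systemctl start gitea.service
  echo " Gitea installed and started. First-run: http://<dev-vm-ip>:3000 (complete installer, create admin, then create repos)."
else
  echo " Gitea already installed"
fi

echo ""
echo "Done. Next:"
echo " 1. Add SSH keys for dev1..dev4 to /home/devN/.ssh/authorized_keys (e.g. pct exec 5700 -- bash -c 'echo \"key\" >> /home/dev1/.ssh/authorized_keys')"
echo " 2. Rsync projects: rsync -avz /home/intlc/projects/ dev1@<dev-vm-ip>:$PROJECTS_DIR/"
echo " 3. Open Gitea: http://<dev-vm-ip>:3000 — create admin, then create repositories and add remotes from $PROJECTS_DIR"
echo " 4. Cursor: Remote-SSH to dev1@<dev-vm-ip> (or dev2..dev4)"
echo " 5. After the Gitea installer has finished, tighten config permissions: chmod 750 /etc/gitea && chmod 640 /etc/gitea/app.ini"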