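#!/usr/bin/env bash
# Installation script for an Ubuntu 24.04 LXC container.
# Runs INSIDE the container after it has been created.
#
# Required environment (supplied by the caller):
#   FUNCTIONS_FILE_PATH - contents of the helper library (msg_info, msg_ok,
#                         catch_errors, ...) sourced on the next line
#   USERS_JSON          - JSON document describing users: "username", "sudo",
#                         "ssh_keys" (see provision_selected_users for the
#                         layout this parser expects)
#   SELECTED_USERS      - whiptail-style selection: "user1" "user2"
#   STD                 - output redirection prefix used by the helper library
source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
color
verb_ip6
catch_errors
setting_up_container
network_check
update_os

# =============================================================================
# Package installation
# =============================================================================
msg_info "Inštalujem dodatočné balíčky"
$STD apt-get install -y mc wget git curl openssh-server
msg_ok "Balíčky nainštalované"

# =============================================================================
# User provisioning helpers
# =============================================================================

#######################################
# Report whether a username was selected in the whiptail dialog.
# Globals:   selected_users (read) - array of selected usernames
# Arguments: $1 - username
# Returns:   0 if selected, 1 otherwise
#######################################
is_selected() {
  local candidate
  for candidate in "${selected_users[@]}"; do
    # Exact match: a substring/word match would let "bob" select "bob-admin".
    [[ "$candidate" == "$1" ]] && return 0
  done
  return 1
}

#######################################
# Create a user with a random password, install its SSH public keys and
# optionally grant passwordless sudo. Safe to re-run for an existing user.
# Arguments: $1 - username
#            $2 - "true" to grant sudo, anything else otherwise
#            $3.. - SSH public keys, one per argument (may be none)
# Outputs:   msg_ok on success; warnings on stderr
# Returns:   0 on success, 1 on an invalid username (aborts via catch_errors)
#######################################
provision_user() {
  local user=$1 sudo_flag=$2
  shift 2
  local -a keys=("$@")
  local user_home="/home/${user}"
  local auth_keys="${user_home}/.ssh/authorized_keys"
  # sudo ignores files in sudoers.d whose name contains a '.', so a user
  # like "john.doe" would silently get no sudo; map dots to underscores.
  local sudoers_file="/etc/sudoers.d/${user//./_}"
  local random_pw key

  # The name comes from untrusted JSON and is interpolated into /home and
  # /etc/sudoers.d paths: reject anything outside the conservative useradd
  # character set before touching the filesystem.
  if [[ ! "$user" =~ ^[a-zA-Z_][a-zA-Z0-9._-]{0,31}$ ]]; then
    printf 'Neplatné užívateľské meno: %s\n' "$user" >&2
    return 1
  fi

  if id "$user" &>/dev/null; then
    printf 'Užívateľ už existuje, ponechávam: %s\n' "$user" >&2
  else
    # Password login is disabled in the SSH section below; the random
    # password only prevents the account from being passwordless.
    random_pw=$(openssl rand -base64 16)
    useradd -m -s /bin/bash "$user"
    printf '%s:%s\n' "$user" "$random_pw" | chpasswd
  fi

  mkdir -p "${user_home}/.ssh"
  chmod 700 "${user_home}/.ssh"
  # Create the file first: chmod on a missing file failed when a user had no
  # keys. Append only keys that are not already present so re-runs do not
  # duplicate entries.
  touch -- "$auth_keys"
  for key in "${keys[@]}"; do
    grep -qxF -- "$key" "$auth_keys" || printf '%s\n' "$key" >> "$auth_keys"
  done
  chmod 600 "$auth_keys"
  chown -R "${user}:${user}" "${user_home}/.ssh"
  if (( ${#keys[@]} == 0 )); then
    printf 'Upozornenie: užívateľ %s nemá žiadny SSH kľúč (heslom sa prihlásiť nedá)\n' "$user" >&2
  fi

  if [[ "$sudo_flag" == "true" ]]; then
    # Passwordless sudo, as configured by the JSON. A syntactically broken
    # file in sudoers.d breaks sudo for everyone, so validate it with visudo.
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$sudoers_file"
    chmod 440 "$sudoers_file"
    visudo -cf "$sudoers_file" >/dev/null
  fi
  msg_ok "Užívateľ vytvorený: ${user}"
}

#######################################
# Parse USERS_JSON line by line (jq is not available yet) and provision each
# selected user. Assumes pretty-printed JSON: one "username"/"sudo" field per
# line and one key per line inside the "ssh_keys" array. Escaped quotes
# inside strings are not handled.
# Globals:   USERS_JSON (read), selected_users (read via is_selected)
#######################################
provision_selected_users() {
  local line current_user="" current_sudo="false" in_keys=false
  local -a current_keys=()
  # Regexes kept in variables: the idiomatic way to use [[ =~ ]] safely.
  local user_re='"username"[[:space:]]*:[[:space:]]*"([^"]*)"'
  # Accept every OpenSSH key type prefix (ssh-*, ecdsa-*, sk-*), not just ssh-*.
  local key_re='"((ssh|ecdsa|sk)-[^"]*)"'

  while IFS= read -r line; do
    if [[ "$line" == *'"username"'* ]]; then
      # A new record starts: flush the previous user first.
      if [[ -n "$current_user" ]] && is_selected "$current_user"; then
        provision_user "$current_user" "$current_sudo" "${current_keys[@]}"
      fi
      if [[ "$line" =~ $user_re ]]; then
        current_user=${BASH_REMATCH[1]}
      else
        # Unparseable line: never fall back to the raw line as a username.
        current_user=""
      fi
      current_sudo="false"
      current_keys=()
      in_keys=false
      continue
    fi

    if [[ "$line" == *'"sudo"'* ]]; then
      if [[ "$line" == *true* ]]; then
        current_sudo="true"
      fi
      continue
    fi

    if [[ "$line" == *'"ssh_keys"'* ]]; then
      # An inline empty array ("ssh_keys": []) has nothing to collect.
      if [[ "$line" != *']'* ]]; then
        in_keys=true
      fi
      continue
    fi

    if [[ "$in_keys" == true ]]; then
      if [[ "$line" =~ $key_re ]]; then
        current_keys+=("${BASH_REMATCH[1]}")
      fi
      if [[ "$line" == *']'* ]]; then
        in_keys=false
      fi
    fi
  done <<< "$USERS_JSON"

  # Flush the last record.
  if [[ -n "$current_user" ]] && is_selected "$current_user"; then
    provision_user "$current_user" "$current_sudo" "${current_keys[@]}"
  fi
}

# =============================================================================
# Create users from USERS_JSON + SELECTED_USERS
# =============================================================================
if [[ -n "${USERS_JSON:-}" && -n "${SELECTED_USERS:-}" ]]; then
  msg_info "Vytváram užívateľov"
  # whiptail returns the selection as "user1" "user2": strip the quotes and
  # split on whitespace (usernames cannot contain whitespace).
  declare -a selected_users=()
  IFS=$' \t\n' read -r -a selected_users <<< "${SELECTED_USERS//\"/}"
  provision_selected_users
fi

# =============================================================================
# SSH hardening
# =============================================================================
msg_info "Konfigurujem SSH"
readonly SSHD_CONFIG=/etc/ssh/sshd_config
# Drop-in name chosen by this script; "00-" sorts first, and sshd keeps the
# first value it sees for a keyword, so this file wins over other drop-ins.
readonly SSHD_DROPIN=/etc/ssh/sshd_config.d/00-hardening.conf

# Keep the pristine config from the first run only; a re-run must not replace
# the backup with an already-modified file.
[[ -e "${SSHD_CONFIG}.bak" ]] || cp -- "$SSHD_CONFIG" "${SSHD_CONFIG}.bak"

# Edit the main file (covers a config without an Include line) ...
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' "$SSHD_CONFIG"
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONFIG"
sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' "$SSHD_CONFIG"
sed -i 's/^#\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' "$SSHD_CONFIG"
# KbdInteractiveAuthentication is the current name of ChallengeResponseAuthentication.
sed -i 's/^#\?KbdInteractiveAuthentication.*/KbdInteractiveAuthentication no/' "$SSHD_CONFIG"

# ... and pin the policy in a drop-in: Ubuntu's sshd_config includes
# /etc/ssh/sshd_config.d/*.conf before its own settings, so an existing
# drop-in (e.g. one re-enabling password authentication) would otherwise
# silently override the edits above.
mkdir -p /etc/ssh/sshd_config.d
cat > "$SSHD_DROPIN" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
EOF
chmod 644 "$SSHD_DROPIN"

# Never restart sshd on an unvalidated config: a syntax error would leave the
# container without SSH access. catch_errors aborts here if the check fails.
sshd -t
systemctl enable ssh
systemctl restart ssh
msg_ok "SSH nakonfigurované (len kľúče, root zakázaný)"

# =============================================================================
# Standard finalisation
# =============================================================================
motd_ssh
customize
cleanup_lxc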