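#!/usr/bin/env bash
# Install script for an Ubuntu 24.04 LXC container.
# Runs INSIDE the container after it has been created.
#
# Environment supplied by the caller:
#   FUNCTIONS_FILE_PATH - sourced helper library (provides msg_info/msg_ok/
#                         msg_warn, $STD and the setup/cleanup steps used below)
#   USERS_JSON          - JSON array of objects with "username", "sudo" and
#                         "ssh_keys" (pretty-printed, one key per line)
#   SELECTED_USERS      - whiptail checklist output, i.e. "user1" "user2" ...
#   CLAUDE_SETUP_URL    - optional; document downloaded into each new home dir
source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
color
verb_ip6
catch_errors
setting_up_container
network_check
update_os

# =============================================================================
# Package installation
# =============================================================================
msg_info "Inštalujem dodatočné balíčky"
$STD apt-get install -y mc wget git curl openssh-server
msg_ok "Balíčky nainštalované"

# =============================================================================
# User creation from USERS_JSON + SELECTED_USERS
# =============================================================================

# Accepted login names: lowercase, start with a letter or '_', max 32 chars.
# The name is reused as a file name under /etc/sudoers.d and inside the
# sudoers line itself, so anything outside this set is rejected up front
# (sudoers.d also ignores file names containing '.' or '~').
readonly RE_USERNAME='^[a-z_][a-z0-9_-]{0,31}$'
# Patterns for the line-oriented users.json parser (no jq in the base image).
readonly RE_JSON_USERNAME='"username"[[:space:]]*:[[:space:]]*"([^"]*)"'
readonly RE_JSON_SUDO_TRUE='"sudo"[[:space:]]*:[[:space:]]*true'
# OpenSSH public key types start with ssh-, ecdsa- or sk- (FIDO keys).
readonly RE_JSON_SSH_KEY='"((ssh|ecdsa|sk)-[^"]*)"'

#######################################
# Create one login user with authorized SSH keys, optional passwordless sudo
# and the Claude Code CLI.
# Globals:   CLAUDE_SETUP_URL (read, optional)
# Arguments: $1 - username
#            $2 - "true" to grant passwordless sudo
#            $3.. - SSH public keys for authorized_keys
# Outputs:   progress messages via msg_info/msg_ok/msg_warn
# Returns:   0 when the account was created, 1 when it was skipped
#######################################
create_user() {
  local username="$1"
  local sudo_flag="$2"
  shift 2
  local keys=("$@")

  # Reject names that would break useradd or escape /etc/sudoers.d.
  if [[ ! "$username" =~ $RE_USERNAME ]]; then
    msg_warn "Neplatné užívateľské meno, preskakujem: ${username}"
    return 1
  fi
  # Do not clobber an existing account (useradd would fail and abort the run).
  if id -u "$username" >/dev/null 2>&1; then
    msg_warn "Užívateľ už existuje, preskakujem: ${username}"
    return 1
  fi

  # Random password that is never shown; SSH password logins are disabled
  # later in this script, so access is by key (and sudo) only.
  local random_pw
  random_pw=$(openssl rand -base64 16)
  useradd -m -s /bin/bash "$username"
  printf '%s:%s\n' "$username" "$random_pw" | chpasswd

  # authorized_keys: create the file first so chmod also works with zero keys.
  local user_home="/home/${username}"
  local auth_keys="${user_home}/.ssh/authorized_keys"
  mkdir -p "${user_home}/.ssh"
  chmod 700 "${user_home}/.ssh"
  touch "$auth_keys"
  chmod 600 "$auth_keys"
  local key
  for key in "${keys[@]}"; do
    printf '%s\n' "$key" >> "$auth_keys"
  done
  chown -R "${username}:${username}" "${user_home}/.ssh"
  if (( ${#keys[@]} == 0 )); then
    msg_warn "Užívateľ ${username} nemá žiadny SSH kľúč"
  fi

  # Passwordless sudo via a per-user drop-in (name already validated).
  if [[ "$sudo_flag" == "true" ]]; then
    local sudoers_file="/etc/sudoers.d/${username}"
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$username" > "$sudoers_file"
    chmod 440 "$sudoers_file"
  fi

  msg_ok "Užívateľ vytvorený: ${username}"

  # Claude Code CLI. NOTE: this executes a remote installer script as the new
  # user (curl | bash); a failure here is non-fatal by design.
  msg_info "Inštalujem Claude Code pre ${username}"
  if su - "$username" -c "curl -fsSL https://claude.ai/install.sh | bash"; then
    # ~/.local/bin is where the installer is expected to place the binary;
    # make it visible in interactive shells (idempotent).
    su - "$username" -c "grep -q '.local/bin' ~/.bashrc || echo 'export PATH=\"\$HOME/.local/bin:\$PATH\"' >> ~/.bashrc"
    msg_ok "Claude Code nainštalovaný pre ${username}"
  else
    msg_warn "Claude Code inštalácia zlyhala pre ${username} (nefatálna chyba)"
  fi

  # Optional onboarding document, copied into the user's home directory.
  if [[ -n "${CLAUDE_SETUP_URL:-}" ]]; then
    local setup_doc="${user_home}/claude-setup.md"
    if curl -fsSL "$CLAUDE_SETUP_URL" -o "$setup_doc" 2>/dev/null \
        && chown "${username}:${username}" "$setup_doc"; then
      msg_ok "claude-setup.md skopírovaný do ${user_home}"
    else
      msg_warn "Nepodarilo sa stiahnuť claude-setup.md"
    fi
  fi
  return 0
}

# Users created in this run (kept for reference by later steps).
CREATED_USERS=()

#######################################
# Exact-match test against the whiptail selection. A word-boundary grep
# would also match "bob" inside "bob-admin", so compare whole entries.
# Globals:   SELECTED_USERS_ARR (read)
# Arguments: $1 - username
# Returns:   0 if selected, 1 otherwise
#######################################
is_selected() {
  local candidate="$1"
  local entry
  for entry in "${SELECTED_USERS_ARR[@]}"; do
    if [[ "$entry" == "$candidate" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Create the user object accumulated by the parser, if it was selected.
# Globals:   current_user, current_sudo, current_keys (read)
#            CREATED_USERS (written)
#######################################
flush_pending_user() {
  [[ -n "$current_user" ]] || return 0
  if is_selected "$current_user"; then
    if create_user "$current_user" "$current_sudo" "${current_keys[@]}"; then
      CREATED_USERS+=("$current_user")
    fi
  fi
}

if [[ -n "${USERS_JSON:-}" && -n "${SELECTED_USERS:-}" ]]; then
  msg_info "Vytváram užívateľov"

  # whiptail returns the selection as "user1" "user2"; strip the quotes and
  # split on whitespace into an array for exact comparison.
  SELECTED_USERS_ARR=()
  read -r -d '' -a SELECTED_USERS_ARR < <(tr -d '"' <<<"$SELECTED_USERS") || true

  # Line-oriented users.json parser. Assumes the pretty-printed layout (one
  # attribute per line); a minified single-line file is not supported.
  current_user=""
  current_sudo="false"
  current_keys=()
  in_keys=false
  while IFS= read -r line || [[ -n "$line" ]]; do
    # A new "username" line means the previous object is complete.
    if [[ "$line" =~ $RE_JSON_USERNAME ]]; then
      flush_pending_user
      current_user="${BASH_REMATCH[1]}"
      current_sudo="false"
      current_keys=()
      in_keys=false
      continue
    fi
    if [[ "$line" =~ $RE_JSON_SUDO_TRUE ]]; then
      current_sudo="true"
      continue
    fi
    if [[ "$line" == *'"ssh_keys"'* ]]; then
      # Keys normally follow one per line; for a single-line array only the
      # first key on that line is picked up.
      if [[ "$line" == *']'* ]]; then
        if [[ "$line" =~ $RE_JSON_SSH_KEY ]]; then
          current_keys+=("${BASH_REMATCH[1]}")
        fi
      else
        in_keys=true
      fi
      continue
    fi
    if [[ "$in_keys" == true ]]; then
      if [[ "$line" == *']'* ]]; then
        in_keys=false
      elif [[ "$line" =~ $RE_JSON_SSH_KEY ]]; then
        current_keys+=("${BASH_REMATCH[1]}")
      fi
    fi
  done <<< "$USERS_JSON"
  # The last object has no following "username" line to trigger the flush.
  flush_pending_user
fi

# =============================================================================
# SSH Hardening
# =============================================================================
msg_info "Konfigurujem SSH"

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SSHD_DROPIN=/etc/ssh/sshd_config.d/00-hardening.conf

# Backup of the original configuration (also used for rollback below).
cp "$SSHD_CONFIG" "${SSHD_CONFIG}.bak"

# Disable root login and password logins in the main file.
sed -i \
  -e 's/^#\?PermitRootLogin.*/PermitRootLogin no/' \
  -e 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' \
  -e 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' \
  -e 's/^#\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' \
  "$SSHD_CONFIG"

# sshd keeps the FIRST value it reads for an option, and Ubuntu's stock
# sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf". A drop-in
# such as cloud-init's 50-cloud-init.conf with "PasswordAuthentication yes"
# would therefore silently override the edits above; a "00-" drop-in sorts
# before it and wins. KbdInteractiveAuthentication is the current name of
# ChallengeResponseAuthentication.
if [[ -d /etc/ssh/sshd_config.d ]]; then
  cat > "$SSHD_DROPIN" <<'EOF'
# Managed by the container install script.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
EOF
  chmod 644 "$SSHD_DROPIN"
fi

# Validate before restarting so a bad edit cannot leave sshd down.
ssh_hardened=true
if ! sshd -t; then
  msg_warn "Konfigurácia sshd je neplatná, obnovujem pôvodnú konfiguráciu"
  cp "${SSHD_CONFIG}.bak" "$SSHD_CONFIG"
  rm -f "$SSHD_DROPIN"
  ssh_hardened=false
fi

systemctl enable ssh
systemctl restart ssh
if [[ "$ssh_hardened" == true ]]; then
  msg_ok "SSH nakonfigurované (len kľúče, root zakázaný)"
fi

# With password logins off and no key-based account, the container is
# reachable only through the host console.
if (( ${#CREATED_USERS[@]} == 0 )); then
  msg_warn "Nebol vytvorený žiadny užívateľ, SSH prihlásenie heslom je vypnuté"
fi

# =============================================================================
# Standard finish
# =============================================================================
motd_ssh
customize
cleanup_lxc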