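#!/usr/bin/env bash
# door installer: registers this machine with the relay and installs a
# persistent reverse-SSH tunnel (launchd on macOS, systemd on Linux) that
# exposes the local sshd on a relay-assigned port.
#
# Usage: meant to be run as `curl … | bash`, so stdin is the script itself and
# nothing below may prompt (sudo is only used with -n). Runs system-wide when
# root / passwordless sudo is available, otherwise as a per-user install.
set -euo pipefail

readonly RELAY=door.cyks.in
readonly RPORT=2222
readonly RUSER=tunnel
readonly LO=22000    # first port of the relay's tunnel range
readonly SPAN=2000   # size of that range
OS=$(uname -s)

# --- privilege detection ----------------------------------------------------
# stdin is the curl pipe -> sudo must be non-interactive; without root or
# passwordless sudo we fall back to a per-user install.
if [[ $EUID -eq 0 ]]; then
  SUDO=""; MODE=system
elif command -v sudo >/dev/null 2>&1 && sudo -n true 2>/dev/null; then
  SUDO="sudo"; MODE=system
else
  SUDO=""; MODE=user
fi
echo "install mode: $MODE ($OS)"

login=$(id -un)
name=$(hostname -s 2>/dev/null || hostname)

# --- stable machine id ------------------------------------------------------
if [[ $OS == Darwin ]]; then
  mid=$(ioreg -rd1 -c IOPlatformExpertDevice 2>/dev/null | awk -F'"' '/IOPlatformUUID/{print $4}')
else
  mid=$(cat /etc/machine-id 2>/dev/null || true)
fi
mid=${mid:-$(hostname)}

# --- desired port = LO + sha256(mid) % SPAN ---------------------------------
# sha256sum on Linux, shasum on macOS; only the first 8 hex digits are used.
if command -v sha256sum >/dev/null 2>&1; then
  sum=$(printf %s "$mid" | sha256sum)
else
  sum=$(printf %s "$mid" | shasum -a 256)
fi
h=$(( 0x${sum:0:8} ))
want=$(( LO + h % SPAN ))

# --- key dir ----------------------------------------------------------------
if [[ $MODE == system ]]; then DIR=/etc/door; else DIR="$HOME/.config/door"; fi

# --- ensure key dir + this machine's own sshd -------------------------------
if [[ $MODE == system ]]; then
  $SUDO install -d -m 700 "$DIR"
  if [[ $OS == Darwin ]]; then
    $SUDO systemsetup -setremotelogin on >/dev/null 2>&1 \
      || echo "WARN: enable Remote Login manually (System Settings > General > Sharing); may need Full Disk Access"
  else
    if command -v apt-get >/dev/null; then
      $SUDO apt-get update -qq && $SUDO apt-get install -y openssh-server
    elif command -v dnf >/dev/null; then
      $SUDO dnf install -y openssh-server
    elif command -v pacman >/dev/null; then
      $SUDO pacman -Sy --noconfirm openssh
    fi
    # unit is called "ssh" on Debian-family and "sshd" elsewhere
    $SUDO systemctl enable --now ssh 2>/dev/null \
      || $SUDO systemctl enable --now sshd 2>/dev/null || true
  fi
else
  install -d -m 700 "$DIR"
  if [[ $OS == Darwin ]]; then
    command -v sshd >/dev/null \
      || echo "NOTE: enable Remote Login (System Settings > Sharing) so ssh-back works"
  else
    command -v sshd >/dev/null || systemctl is-active ssh sshd >/dev/null 2>&1 \
      || echo "WARN: no root and no sshd found - install openssh-server later or ssh-back won't work"
  fi
fi

# --- install restricted tunnel key ------------------------------------------
# The same key ships with every copy of this (public) installer, so it only
# proves "someone ran the installer": mid, name and login sent to the relay are
# self-reported. NOTE(review): presumably the relay restricts this key to the
# register/tunnel command server-side (forced command) - verify on the relay.
tmp=$(mktemp)
trap 'rm -f -- "$tmp"' EXIT   # don't leave key material in /tmp if a later step fails
cat > "$tmp" <<'KEY'
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACACxA6iPNyxRn8SXQP66sf5RFs5ValtajQDFs8Ic9MLAAAAAJBUlpD3VJaQ
9wAAAAtzc2gtZWQyNTUxOQAAACACxA6iPNyxRn8SXQP66sf5RFs5ValtajQDFs8Ic9MLAA
AAAEBzEfoi2HtnzB2nsksR19J80CwRdyNy2SOoW2R0Nqz2ewLEDqI83LFGfxJdA/rqx/lE
WzlVqW1qNAMWzwhz0wsAAAAAC2Rvb3ItdHVubmVsAQI=
-----END OPENSSH PRIVATE KEY-----
KEY
chmod 600 "$tmp"
if [[ $MODE == system ]]; then
  $SUDO install -m 600 "$tmp" "$DIR/id_ed25519"
else
  install -m 600 "$tmp" "$DIR/id_ed25519"
fi
rm -f "$tmp"

# --- register (id, hostname, desired port, login) -> assigned port ----------
# Options live in an array so a DIR containing spaces (user mode: under $HOME)
# is not word-split. accept-new trusts whatever host key the relay presents on
# first contact (trust-on-first-use); pre-seeding $DIR/known_hosts with the
# relay's published host key would close that window.
SSHOPTS=(-i "$DIR/id_ed25519" -p "$RPORT"
  -o StrictHostKeyChecking=accept-new
  -o "UserKnownHostsFile=$DIR/known_hosts"
  -o ConnectTimeout=10)
# The assignment is guarded explicitly: under set -e a failed ssh would exit
# before the format check below ever printed a message.
port=$($SUDO ssh -n "${SSHOPTS[@]}" "$RUSER@$RELAY" "register $mid $name $want $login") \
  || { echo "registration failed: ssh to $RELAY exited $?" >&2; exit 1; }
[[ $port =~ ^[0-9]+$ ]] || { echo "registration failed: $port" >&2; exit 1; }
echo "registered $name (login $login) -> port $port on $RELAY"

# ============================ macOS: launchd ============================
if [[ $OS == Darwin ]]; then
  LABEL=in.cyks.door-tunnel
  if [[ $MODE == system ]]; then
    PLIST=/Library/LaunchDaemons/$LABEL.plist
  else
    PLIST="$HOME/Library/LaunchAgents/$LABEL.plist"
    install -d "$HOME/Library/LaunchAgents"
  fi
  # read -d '' returns non-zero when it hits EOF, which set -e would turn into
  # an exit - hence the || true.
  # NOTE(review): the plist markup was lost in the paste; this body is rebuilt
  # from the keys and ProgramArguments that survived - confirm against upstream.
  read -r -d '' PL <<PLIST_EOF || true
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$LABEL</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/ssh</string>
    <string>-NT</string>
    <string>-oServerAliveInterval=30</string>
    <string>-oServerAliveCountMax=3</string>
    <string>-oExitOnForwardFailure=yes</string>
    <string>-oStrictHostKeyChecking=accept-new</string>
    <string>-oUserKnownHostsFile=$DIR/known_hosts</string>
    <string>-i$DIR/id_ed25519</string>
    <string>-p$RPORT</string>
    <string>-R127.0.0.1:$port:localhost:22</string>
    <string>$RUSER@$RELAY</string>
  </array>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
PLIST_EOF
  if [[ $MODE == system ]]; then
    printf '%s\n' "$PL" | $SUDO tee "$PLIST" >/dev/null
    $SUDO launchctl bootout system "$PLIST" 2>/dev/null || true
    $SUDO launchctl bootstrap system "$PLIST"
  else
    printf '%s\n' "$PL" > "$PLIST"
    launchctl bootout "gui/$(id -u)" "$PLIST" 2>/dev/null || true
    launchctl bootstrap "gui/$(id -u)" "$PLIST"
  fi
  echo "done. on cloudy: door ssh $name"
  exit 0
fi

# ============================ Linux: systemd ============================
if [[ $MODE == system ]]; then
  UNIT=/etc/systemd/system/door-tunnel.service
  TARGET=multi-user.target
else
  UNIT="$HOME/.config/systemd/user/door-tunnel.service"
  TARGET=default.target
  install -d -m 700 "$(dirname "$UNIT")"
fi
# NOTE(review): the unit body was lost in the paste; this one mirrors the ssh
# invocation used for launchd above and installs into $TARGET - confirm against
# upstream. Paths are double-quoted so systemd does not split a DIR with spaces.
read -r -d '' UNITBODY <<UNIT_EOF || true
[Unit]
Description=door reverse SSH tunnel to $RELAY
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/bin/ssh -NT -oServerAliveInterval=30 -oServerAliveCountMax=3 -oExitOnForwardFailure=yes -oStrictHostKeyChecking=accept-new "-oUserKnownHostsFile=$DIR/known_hosts" "-i$DIR/id_ed25519" -p$RPORT -R127.0.0.1:$port:localhost:22 $RUSER@$RELAY
Restart=always
RestartSec=10

[Install]
WantedBy=$TARGET
UNIT_EOF
if [[ $MODE == system ]]; then
  printf '%s\n' "$UNITBODY" | $SUDO tee "$UNIT" >/dev/null
  $SUDO systemctl daemon-reload && $SUDO systemctl enable --now door-tunnel.service
else
  printf '%s\n' "$UNITBODY" > "$UNIT"
  systemctl --user daemon-reload && systemctl --user enable --now door-tunnel.service
  # without linger the user manager (and the tunnel) stops at logout
  loginctl enable-linger "$login" 2>/dev/null \
    || echo "WARN: couldn't enable linger - tunnel runs only while you're logged in"
fi
echo "done. on cloudy: door ssh $name"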