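#!/usr/bin/env bash
# One-time setup: generate SSH key for SAMURAI and install it on Windows.
# Run this once from monk, then approve the connection on SAMURAI if prompted.
#
# Prerequisites on SAMURAI (Windows 11):
#   - OpenSSH Server enabled: Settings → Apps → Optional Features → OpenSSH Server
#   - Service running: sc start sshd  (or via Services panel)
#   - Firewall: allow port 22 from Tailscale interface (100.x.x.x range)
#
# Security notes:
#   - The key is generated with an empty passphrase (-N "") so it can be used
#     unattended. Anyone who can read the private key file can log in to
#     SAMURAI as SAMURAI_USER, so keep it owner-readable only and do not copy
#     it to other machines.
#   - The first connection is trust-on-first-use: compare the host key
#     fingerprint shown in the prompt with the one on SAMURAI before
#     answering "yes".
#
# Exit status: 0 when key-based login was verified, 1 otherwise.

set -euo pipefail

readonly SAMURAI_IP="100.74.0.109"
readonly SAMURAI_USER="${SAMURAI_USER:-kenpat}"
readonly KEY_PATH="${HOME}/.ssh/id_ed25519_samurai"

# Print the Windows-side troubleshooting checklist to stderr.
print_windows_hints() {
  {
    echo ""
    echo "ERROR: passwordless login failed. On Windows, ensure:"
    echo " 1. OpenSSH Server is running (sc query sshd)"
    echo " 2. C:\\ProgramData\\ssh\\administrators_authorized_keys contains the key"
    echo " (for admin accounts, Windows ignores ~/.ssh/authorized_keys)"
    echo " 3. administrators_authorized_keys is restricted to Administrators and SYSTEM"
    echo ""
    echo " Run in PowerShell as admin:"
    echo ' Add-Content -Force "$env:ProgramData\ssh\administrators_authorized_keys" (Get-Content "$env:USERPROFILE\.ssh\authorized_keys")'
    echo ' icacls.exe "$env:ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"'
  } >&2
}

# ssh-keygen needs the target directory to exist; -m only applies to a
# directory created here, so an existing ~/.ssh keeps its current mode.
mkdir -p -m 700 -- "${KEY_PATH%/*}"

if [[ -f "${KEY_PATH}" ]]; then
  echo "Key already exists at ${KEY_PATH} — skipping generation"
  # A private key without its .pub would make ssh-copy-id fail below;
  # re-derive the public half instead of regenerating the key pair.
  if [[ ! -f "${KEY_PATH}.pub" ]]; then
    ssh-keygen -y -f "${KEY_PATH}" > "${KEY_PATH}.pub"
    echo "Re-created missing public key: ${KEY_PATH}.pub"
  fi
else
  ssh-keygen -t ed25519 -C "monk→samurai-backup" -f "${KEY_PATH}" -N ""
  echo "Generated: ${KEY_PATH}"
fi

echo ""
echo "Installing public key on SAMURAI (${SAMURAI_USER}@${SAMURAI_IP}) ..."
echo "You will be prompted for your Windows password once."
echo ""

# NOTE(review): ssh-copy-id runs POSIX shell commands on the remote side, so
# whether it succeeds against Windows OpenSSH depends on the default shell
# configured there — confirm on SAMURAI. The failure is handled explicitly so
# that `set -e` does not abort before the troubleshooting hints are shown.
if ! ssh-copy-id -i "${KEY_PATH}.pub" \
  -p 22 \
  "${SAMURAI_USER}@${SAMURAI_IP}"; then
  echo "ERROR: ssh-copy-id could not install ${KEY_PATH}.pub" >&2
  print_windows_hints
  exit 1
fi

echo ""
echo "Testing passwordless login ..."

# IdentitiesOnly=yes restricts the attempt to KEY_PATH, so a different key
# held by ssh-agent cannot make this check pass by accident.
# BatchMode=yes disables password prompts, so a fallback to password
# authentication counts as a failure.
if ssh -i "${KEY_PATH}" \
  -o BatchMode=yes \
  -o IdentitiesOnly=yes \
  "${SAMURAI_USER}@${SAMURAI_IP}" echo "SSH OK from monk"; then
  echo ""
  echo "Setup complete. backup-volumes.sh will use ${KEY_PATH}"
else
  print_windows_hints
  # Report the failure to the caller instead of exiting 0.
  exit 1
fi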