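#!/usr/bin/env bash
set -euo pipefail

# Bootstrap a dedicated Gitea user for OpenClaw on a local Dockerized Gitea host.
#
# What it does:
#   - ensures an SSH keypair exists locally
#   - creates the Gitea user via `gitea admin user create` inside the container
#   - generates an API token for that user
#   - uploads the SSH public key via the Gitea API
#   - writes/updates an SSH config entry for easy git access
#
# Requirements:
#   - local Docker access (docker is invoked through sudo)
#   - running container named `gitea` (override with --container-name)
#   - curl (7.55+ for `-H @file`), python3, ssh-keygen
#   - host reachability to the Gitea HTTP URL and SSH port
#
# Example:
#   ./scripts/bootstrap-gitea-openclaw.sh \
#     --username openclaw \
#     --email openclaw@git.an2.io \
#     --fullname OpenClaw \
#     --http-url https://git.an2.io \
#     --ssh-host git.an2.io \
#     --ssh-port 222
#
# Security notes:
#   - The API token is printed to stdout once. Do not run this under `set -x`
#     or in a job whose output is archived, or the token ends up in the log.
#   - The default token scope is "all"; pass a narrower set with
#     --token-scopes when the token does not need full access.
#   - The SSH key is created without a passphrase (-N ''), so file
#     permissions are the only thing protecting it.
#   - The API response is no longer written to /tmp/gitea-key-result.json:
#     a fixed name in a world-writable directory can be pre-created or
#     symlinked by another local user. Scratch files live in a mktemp -d
#     directory that is removed on exit.
#
# NOTE(review): the page this script was taken from lost three spans during
# extraction (the usage text, the JSON payload/curl call, and the body of the
# SSH config entry). Those parts are reconstructed below from the option
# names, the header description and the script's own variables, and are
# marked where they occur. Confirm them against the original file.

USERNAME="openclaw"
EMAIL="openclaw@git.an2.io"
FULLNAME="OpenClaw"
HTTP_URL="https://git.an2.io"
SSH_HOST="git.an2.io"
SSH_PORT="222"
SSH_KEY_PATH="${HOME}/.ssh/id_gitea_openclaw"
SSH_HOST_ALIAS="gitea"
CONTAINER_NAME="gitea"
ACCESS_TOKEN_NAME="openclaw-bootstrap"
# Broadest possible scope; kept as the default for compatibility.
ACCESS_TOKEN_SCOPES="all"

# Print the option summary to stdout.
# NOTE(review): wording reconstructed; only the option names survived.
usage() {
  cat <<EOF2
Usage: $0 [options]
  --username NAME
  --email ADDRESS
  --fullname NAME
  --http-url URL
  --ssh-host HOST
  --ssh-port PORT
  --ssh-key-path PATH
  --ssh-host-alias ALIAS
  --container-name NAME
  --token-name NAME
  --token-scopes SCOPES
EOF2
}

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort unless the named command is on PATH.
need_cmd() {
  command -v "$1" >/dev/null 2>&1 || {
    echo "Missing command: $1" >&2
    exit 1
  }
}

# Run `gitea admin ...` as the git user inside the Gitea container.
gitea_admin() {
  sudo docker exec --user git "$CONTAINER_NAME" gitea admin "$@"
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    -h|--help)
      usage
      exit 0
      ;;
    --username|--email|--fullname|--http-url|--ssh-host|--ssh-port|\
    --ssh-key-path|--ssh-host-alias|--container-name|--token-name|--token-scopes)
      # Without this check a trailing option dies with bash's
      # "unbound variable" message instead of a usable error.
      [[ $# -ge 2 ]] || { echo "Missing value for $1" >&2; usage; exit 1; }
      case "$1" in
        --username) USERNAME="$2" ;;
        --email) EMAIL="$2" ;;
        --fullname) FULLNAME="$2" ;;
        --http-url) HTTP_URL="$2" ;;
        --ssh-host) SSH_HOST="$2" ;;
        --ssh-port) SSH_PORT="$2" ;;
        --ssh-key-path) SSH_KEY_PATH="$2" ;;
        --ssh-host-alias) SSH_HOST_ALIAS="$2" ;;
        --container-name) CONTAINER_NAME="$2" ;;
        --token-name) ACCESS_TOKEN_NAME="$2" ;;
        --token-scopes) ACCESS_TOKEN_SCOPES="$2" ;;
      esac
      shift 2
      ;;
    *)
      echo "Unknown option: $1" >&2
      usage
      exit 1
      ;;
  esac
done

# These values are written verbatim into ~/.ssh/config, so reject anything
# that could smuggle in an extra directive before touching the system.
[[ "$SSH_PORT" =~ ^[0-9]+$ ]] || die "--ssh-port must be numeric: ${SSH_PORT}"
for value in "$SSH_HOST_ALIAS" "$SSH_HOST"; do
  [[ -n "$value" && "$value" != *[[:space:]]* ]] \
    || die "SSH host and alias must be non-empty and contain no whitespace"
done

if [[ "$HTTP_URL" != https://* ]]; then
  echo "Warning: ${HTTP_URL} is not HTTPS; the API token will be sent unencrypted" >&2
fi

need_cmd sudo
need_cmd docker
need_cmd curl
need_cmd python3
need_cmd ssh-keygen

# Private scratch directory (mode 0700) for the request payload and the
# auth header; removed on every exit path.
WORK_DIR=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

# --- SSH keypair -----------------------------------------------------------
mkdir -p -- "$(dirname -- "$SSH_KEY_PATH")"
if [[ ! -f "$SSH_KEY_PATH" ]]; then
  ssh-keygen -t ed25519 -f "$SSH_KEY_PATH" -C "${USERNAME}@${SSH_HOST}" -N ''
fi
PUB_KEY_PATH="${SSH_KEY_PATH}.pub"
[[ -f "$PUB_KEY_PATH" ]] || die "Missing public key: ${PUB_KEY_PATH}"

# --- Gitea user ------------------------------------------------------------
# Capture the listing first: a failed `docker exec` must not be mistaken for
# "user does not exist", and matching inside awk avoids both the SIGPIPE that
# `grep -q` can cause under pipefail and treating the username as a regex.
USER_LIST=$(gitea_admin user list) \
  || die "Could not list Gitea users in container ${CONTAINER_NAME}"
if awk -v want="$USERNAME" \
    'NR > 1 && $2 == want { found = 1 } END { exit !found }' <<<"$USER_LIST"; then
  echo "User $USERNAME already exists"
else
  gitea_admin user create \
    --username "$USERNAME" \
    --fullname "$FULLNAME" \
    --email "$EMAIL" \
    --random-password \
    --must-change-password=false
fi

# --- API token -------------------------------------------------------------
TOKEN=$(gitea_admin user generate-access-token \
  --username "$USERNAME" \
  --token-name "$ACCESS_TOKEN_NAME" \
  --raw \
  --scopes "$ACCESS_TOKEN_SCOPES")
[[ -n "$TOKEN" ]] || die "Gitea returned an empty access token"

echo "Generated token for $USERNAME (store this securely):"
printf '%s\n' "$TOKEN"

# --- Upload the public key -------------------------------------------------
# NOTE(review): reconstructed. The key title reuses the ssh-keygen comment;
# the endpoint is Gitea's "add a public key for the authenticated user".
# Arguments reach Python through argv, never through the program text.
PUB_JSON=$(python3 - "${USERNAME}@${SSH_HOST}" "$PUB_KEY_PATH" <<'PY'
import json
import sys

title, pub_path = sys.argv[1], sys.argv[2]
with open(pub_path, encoding="utf-8") as handle:
    print(json.dumps({"title": title, "key": handle.read().strip()}))
PY
)

# Header and body go through files so the token never appears in the
# process list.
printf '%s' "$PUB_JSON" >"${WORK_DIR}/key.json"
printf 'Authorization: token %s\n' "$TOKEN" >"${WORK_DIR}/auth.header"

# Best effort, as in the original (`|| true`): a re-run fails here when the
# key is already registered. The failure is reported instead of hidden.
if ! curl -fsS -X POST "${HTTP_URL%/}/api/v1/user/keys" \
    -H "@${WORK_DIR}/auth.header" \
    -H 'Content-Type: application/json' \
    --data-binary "@${WORK_DIR}/key.json" \
    -o /dev/null; then
  echo "Warning: SSH key upload failed (the key may already be registered)" >&2
fi

# --- SSH config entry ------------------------------------------------------
SSH_CONFIG="${HOME}/.ssh/config"
mkdir -p "${HOME}/.ssh"
touch "$SSH_CONFIG"
chmod 600 "$SSH_CONFIG"

# Fixed-string, whole-line match so the alias is not interpreted as a regex.
if ! grep -Fqx -- "Host ${SSH_HOST_ALIAS}" "$SSH_CONFIG"; then
  # NOTE(review): entry body reconstructed from the script's variables; the
  # original text after `cat >> ... <` was lost. Confirm `User git`.
  cat >>"$SSH_CONFIG" <<EOF3

Host ${SSH_HOST_ALIAS}
  HostName ${SSH_HOST}
  Port ${SSH_PORT}
  User git
  IdentityFile ${SSH_KEY_PATH}
  IdentitiesOnly yes
EOF3
fi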