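#!/bin/bash
# Create the dedicated "tinsnip" user that runs the infrastructure services
# (rootless Docker), plus the "lldap" system user whose UID is handed to later
# setup steps through /tmp/lldap-uid.
#
# Usage: run as a user with sudo rights. Every step is idempotent, so the
# script can be re-run to finish a partially completed setup.
set -euo pipefail

readonly TINSNIP_USER="tinsnip"
readonly TINSNIP_UID=1010
# Preferred start and size of the subordinate UID/GID range used by rootless
# containers. A different start is chosen only if this one would overlap a
# range already present in /etc/subuid or /etc/subgid.
readonly SUBID_START=100000
readonly SUBID_COUNT=65536
# Hand-off file read by main below and by later setup steps.
readonly LLDAP_UID_FILE="/tmp/lldap-uid"

#######################################
# Print a progress line prefixed with the script's tag.
# Arguments: message words
# Outputs:   one line on stdout
#######################################
log() {
  printf '[User Setup] %s\n' "$*"
}

#######################################
# Print an error to stderr and abort the script.
# Arguments: message words
# Returns:   never (exit 1)
#######################################
die() {
  printf '[User Setup] ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Append a subordinate ID range for a user to /etc/subuid or /etc/subgid,
# unless the user already has an entry there (useradd on some systems
# allocates one automatically). The preferred start is SUBID_START; if any
# existing range would overlap it, the new range is placed just past the
# highest existing range so that two users never share subordinate IDs.
# Globals:   SUBID_START, SUBID_COUNT (read)
# Arguments: $1 - /etc/subuid or /etc/subgid
#            $2 - user name
# Outputs:   log line on stdout
#######################################
ensure_subid_range() {
  local file="$1"
  local user="$2"
  local start="$SUBID_START"

  if [[ -r "$file" ]]; then
    if grep -q "^${user}:" "$file"; then
      log "$user already has an entry in $file, leaving it unchanged"
      return 0
    fi
    # Keep the preferred start unless it collides; then use the first ID past
    # every existing range. Non-numeric lines (comments) are ignored.
    start=$(awk -F: -v pref="$SUBID_START" -v cnt="$SUBID_COUNT" '
      $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        e = $2 + $3
        if (e > max) max = e
        if ($2 < pref + cnt && e > pref) clash = 1
      }
      END { print (clash ? max : pref) }' "$file")
  fi

  printf '%s:%s:%s\n' "$user" "$start" "$SUBID_COUNT" | sudo tee -a "$file" >/dev/null
  log "Added ${user}:${start}:${SUBID_COUNT} to $file"
}

#######################################
# Create the regular (non-system) tinsnip user and configure it for rootless
# Docker: subordinate ID ranges, systemd lingering and the home directory
# layout. Steps after user creation run even when the user already exists,
# so a re-run completes a setup that failed half-way.
# Globals:   TINSNIP_USER, TINSNIP_UID (read)
# Outputs:   log lines on stdout
# Returns:   0 on success; aborts via die if the fixed UID belongs to
#            another account
#######################################
create_tinsnip_user() {
  local username="$TINSNIP_USER"
  local uid="$TINSNIP_UID"
  local owner

  log "Creating dedicated user '$username' with UID $uid..."
  if id "$username" &>/dev/null; then
    log "User $username already exists"
  else
    # Give a clear message instead of a bare useradd failure when the fixed
    # UID is already taken. getent exits non-zero when nothing matches.
    owner=$(getent passwd "$uid" || true)
    owner=${owner%%:*}
    if [[ -n "$owner" ]]; then
      die "UID $uid is already used by '$owner'; cannot create $username"
    fi
    # Regular user (not a system user) so it can run rootless Docker.
    sudo useradd -m -u "$uid" -s /bin/bash -c "tinsnip Infrastructure Services" "$username"
    log "Created user $username with UID $uid"
  fi

  ensure_subid_range /etc/subuid "$username"
  ensure_subid_range /etc/subgid "$username"
  log "Ensured subuid/subgid mappings for rootless containers"

  # Lingering keeps the user's systemd session (and its services) running
  # without an interactive login.
  sudo loginctl enable-linger "$username"
  log "Enabled systemd lingering for $username"

  sudo -u "$username" mkdir -p /home/"$username"/{services,config,data}
  log "Created directory structure"
}

#######################################
# Print the first free UID in the preferred system range, or an empty line
# if all are taken (the caller then lets useradd pick one).
# Outputs:   UID on stdout, or an empty line
# Returns:   0
#######################################
find_available_uid() {
  local -r start_uid=995
  local -r end_uid=998
  local uid

  for ((uid = start_uid; uid <= end_uid; uid++)); do
    if ! getent passwd "$uid" >/dev/null 2>&1; then
      printf '%s\n' "$uid"
      return 0
    fi
  done
  printf '\n'
}

#######################################
# Create the lldap system user (its UID is what the LLDAP container runs as)
# and publish the resulting UID via update_lldap_uid.
# Outputs:   log lines on stdout
#######################################
create_system_users() {
  local lldap_uid

  log "Creating system users for services..."
  if id lldap &>/dev/null; then
    lldap_uid=$(id -u lldap)
    log "System user 'lldap' already exists with UID $lldap_uid"
  else
    lldap_uid=$(find_available_uid)
    if [[ -n "$lldap_uid" ]]; then
      sudo useradd -r -u "$lldap_uid" -s /bin/false -d /nonexistent -c "LLDAP Service" lldap
      log "Created system user 'lldap' with UID $lldap_uid"
    else
      # Preferred range exhausted: let useradd choose a system UID.
      sudo useradd -r -s /bin/false -d /nonexistent -c "LLDAP Service" lldap
      lldap_uid=$(id -u lldap)
      log "Created system user 'lldap' with auto-assigned UID $lldap_uid"
    fi
  fi

  # The lldap docker-compose.yml is updated once the service files are
  # copied; until then only the UID is recorded.
  update_lldap_uid "$lldap_uid"
}

#######################################
# Publish the lldap UID to LLDAP_UID_FILE for later setup steps.
# Intended final consumer (updated after the service files are copied):
#   /home/tinsnip/service/lldap/docker-compose.yml
# NOTE(review): create_tinsnip_user creates "services", not "service" —
# confirm the path before the compose update step is written.
# The value is staged in a mktemp file and renamed into place: a rename
# replaces whatever already sits at the fixed path instead of writing
# through it, which matters because /tmp is world-writable.
# Globals:   LLDAP_UID_FILE (written)
# Arguments: $1 - numeric UID
# Returns:   0 on success; aborts via die on a non-numeric UID or failure
#######################################
update_lldap_uid() {
  local uid="$1"
  local temp_file

  [[ "$uid" =~ ^[0-9]+$ ]] || die "update_lldap_uid: '$uid' is not a numeric UID"

  # Stage in the same directory so the final step is a rename, not a copy.
  temp_file=$(mktemp "${LLDAP_UID_FILE}.XXXXXX") || die "mktemp failed"
  printf '%s\n' "$uid" > "$temp_file"
  if ! sudo mv -- "$temp_file" "$LLDAP_UID_FILE"; then
    rm -f -- "$temp_file"
    die "could not write $LLDAP_UID_FILE"
  fi
  # World-readable on purpose: the file holds only a UID, and later steps
  # may run as other users.
  sudo chmod 644 "$LLDAP_UID_FILE"
}

#######################################
# Entry point: create both users and print a summary.
# Globals:   TINSNIP_USER, TINSNIP_UID, LLDAP_UID_FILE (read)
# Arguments: none (positional parameters are ignored)
#######################################
main() {
  local lldap_uid

  log "Setting up tinsnip user environment..."
  create_tinsnip_user
  create_system_users
  log "User setup complete!"
  log ""
  log "Created users:"
  log " - $TINSNIP_USER (UID $TINSNIP_UID): Runs rootless Docker and all services"
  if [[ -f "$LLDAP_UID_FILE" ]]; then
    lldap_uid=$(<"$LLDAP_UID_FILE")
    # The file lives in /tmp; only report it if it holds a plain number.
    if [[ "$lldap_uid" =~ ^[0-9]+$ ]]; then
      log " - lldap (UID $lldap_uid): System user for LLDAP container"
    else
      log " - lldap: $LLDAP_UID_FILE does not contain a numeric UID"
    fi
  fi
}

main "$@"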