#!/bin/bash
# tin key install - Install SSH key on NAS server

set -euo pipefail

# Get tinsnip root and source libraries
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TINSNIP_ROOT="$(dirname "$(dirname "$SCRIPT_DIR")")"
source "$TINSNIP_ROOT/lib/core.sh"
source "$TINSNIP_ROOT/lib/registry.sh"

# Install public key on a NAS server
install_key_on_nas() {
    local nas_server="$1"
    local nas_user="${2:-$(whoami)}"
    check_tinsnip_station || return 1
    
    local ssh_keys_dir="$NAS_CREDENTIALS_DIR/ssh-keys"
    local key_path="$ssh_keys_dir/${nas_server}.key"
    local pub_key_path="${key_path}.pub"
    
    if [[ ! -f "$pub_key_path" ]]; then
        error_with_prefix "Key Install" "No public key found for $nas_server"
        echo "Generate one first with: tin key generate $nas_server" >&2
        return 1
    fi
    
    log_with_prefix "Key Install" "Installing public key on $nas_server for user $nas_user..."
    
    # Test basic SSH connectivity first
    if ! ssh -o ConnectTimeout=5 -o BatchMode=yes "$nas_user@$nas_server" "echo 'SSH test'" &>/dev/null; then
        log_with_prefix "Key Install" "Cannot SSH to $nas_server with key-based auth, will need password..."
    fi
    
    # Install the key (may require password this one time)
    log_with_prefix "Key Install" "Installing public key (you may be prompted for password):"
    if ssh-copy-id -i "$pub_key_path" "$nas_user@$nas_server"; then
        log_with_prefix "Key Install" "✅ Public key installed successfully on $nas_server"
        
        # Test passwordless access
        if ssh -o BatchMode=yes -i "$key_path" "$nas_user@$nas_server" "echo 'Passwordless test'" &>/dev/null; then
            log_with_prefix "Key Install" "✅ Passwordless SSH confirmed working"
        else
            warn_with_prefix "Key Install" "❌ Passwordless SSH test failed - check key installation"
        fi
    else
        error_with_prefix "Key Install" "Failed to install public key on $nas_server"
        return 1
    fi
}

show_help() {
    cat << EOF
tin key install - Install SSH key on NAS server

USAGE:
    tin key install <nas-server> [username]

DESCRIPTION:
    Install a previously generated SSH public key on a NAS server to enable
    passwordless SSH access. The key must be generated first with 'tin key generate'.

ARGUMENTS:
    <nas-server>    NAS server hostname or IP address
    [username]      SSH username on NAS (default: admin)

EXAMPLES:
    tin key install DS412plus.local              # Install for 'admin' user
    tin key install 192.168.0.206 simonhorrobin  # Install for 'simonhorrobin' user
    tin key install mynas root                   # Install for 'root' user

NOTES:
    - The SSH key must be generated first with 'tin key generate <nas-server>'
    - You may be prompted for the NAS user's password during installation
    - After installation, SSH access will be passwordless
    - Default username 'admin' works for most Synology NAS systems

EOF
}

# Handle help flags
case "${1:-}" in
    --help|-h|help)
        show_help
        exit 0
        ;;
esac

# Main execution
if [[ $# -eq 0 ]]; then
    error_with_prefix "Key Install" "NAS server name required"
    echo "Usage: tin key install <nas-server> [username]" >&2
    exit 1
fi

nas_server="$1"
nas_user="${2:-$(whoami)}"

# Validate NAS server name
if [[ -z "$nas_server" ]]; then
    error_with_prefix "Key Install" "NAS server name cannot be empty"
fi

install_key_on_nas "$nas_server" "$nas_user"