#!/bin/bash

set -e

if [ x"$1" = x"start.sh" ]; then
    cat /start.sh
    exit 0
fi

group="$1"
node="$2"

case "$node" in
    host)
	# Create authorized_keys.orig if necessary
	if ! [ -f /root/.ssh/authorized_keys.orig ]; then
	    if ! [ -f /root/.ssh/authorized_keys ]; then
		if ! [ -d /root/.ssh ]; then
		    mkdir -p /root/.ssh
		    chmod 0700 /root/.ssh
		fi
		touch /root/.ssh/authorized_keys
	    fi
	    cp /root/.ssh/authorized_keys /root/.ssh/authorized_keys.orig
	fi

	# Prepare root keys in a temporary file so that we don't start
	# creating a new authorized_keys for root, and fail midway leaving
	# an empty authorized_keys (e.g., due to running out of disk space).
	root_keys=$(mktemp)
	(
	    echo "# Original root keys:"
	    cat /root/.ssh/authorized_keys.orig
	) > $root_keys

	if [ x"$(docker inspect --format='{{.HostConfig.Privileged}}' host)" \
	      = x"true" ]; then
	    key=$(mktemp)
	    rm -f $key $key.pub
	    # Use key type ed22519 since some of our benchmarking boards have
	    # old distros and don't accept default key type.
	    ssh-keygen -f $key -t ed25519 -N "" -q
	    sed -i -e "s#^key=.*#key=$key#" /usr/local/bin/run_on_bare_machine

	    # Install key for run_on_bare_machine both in new and existing
	    # root keys.  We this in existing root keys to run timedatectl.
	    for auth_keys in $root_keys /root/.ssh/authorized_keys; do
		(
		    echo
	            echo "# Temporary key for granting privileged host container access to the bare machine"
		    cat $key.pub
		) >> $auth_keys
	    done

            # Now that we have run_on_bare_machine setup, synchronize the date
	    # to avoid unjustified certificate errors
	    timedatectl set-ntp true
	fi
	;;
esac

# Fetch the latest copy of /home-data/ to avoid using old user files
# when [re]starting container from an old image.  "Jenkins" and "host"
# containers bind-mount /home, and we need to have a unified view of
# what the latest version of user files is.
(
    tmpdir=$(mktemp -d)
    git clone --depth 1 --single-branch https://git.linaro.org/ci/dockerfiles.git $tmpdir &
    res=0 && wait $! || res=$?
    if ! [ -d $tmpdir/tcwg-base/home-data/ ]; then
	rm -rf $tmpdir
	res=1
    fi
    if [ $res != 0 ]; then
	# Clone from GitLab mirror
	git clone --depth 1 --single-branch https://gitlab.com/Linaro/tcwg/ci/dockerfiles.git $tmpdir
    fi
    rsync -aL --del $tmpdir/tcwg-base/home-data/ /home-data/
    rm -rf $tmpdir
)

if [ x"$group" = x"all" ]; then
    group=".*"
    root_group="tcwg-root"
elif grep -q "^$group-root:x:x:" /home-data/group; then
    root_group="$group-root"
else
    root_group="tcwg-root"
fi

root_users=""

while read line; do
    user=$(echo "$line" | cut -d: -f 1)
    if grep "^$group:x:[0-9]" /home-data/group | cut -d: -f 4 \
	    | grep "\(^\|,\)$user\(,\|\$\)" >/dev/null; then
	new-user.sh --update true --passwd "$line" &
	res=0; wait $! || res=$?
	if [ x"$res" != x"0" ]; then
	    echo "WARNING: User configuration failed: $line"
	elif grep "^$root_group:x:x:" /home-data/group | cut -d: -f 4 \
		| grep "\(^\|,\)$user\(,\|\$\)" >/dev/null; then
	    # Make list of users allowed to ssh as root.
	    root_users="$root_users $user"
	fi
    else
	echo "INFO: Not adding user $user because they are not in the group $group."
    fi
done </home-data/passwd

case "$node" in
    host)
	# Install ssh keys of $root_users into root's account.
	# Note that this is intended to grant $root_users root access
	# to the bare machine -- /root is bind-mounted from bare machine
	# to "host" container.
	(
	    for user in $root_users; do
		echo
		echo "# $user keys:"
		cat /home-data/$user/.ssh/authorized_keys
	    done
	    echo
	) >> $root_keys

	# Now install new root keys.
	mv $root_keys /root/.ssh/authorized_keys

	# tcwg-start-container.sh needs /root/docker-wrapper to test
	# and recover docker service on benchmarking boards.
	# Copy docker-stats for troubleshooting purposes.
	cp -t /root/ /usr/local/bin/docker-wrapper /usr/local/bin/docker-stats

	# Configure and start ssh server
	sed -i -e "/.*Port.*/d" /etc/ssh/sshd_config
	echo "Port 2222" >> /etc/ssh/sshd_config
	exec /usr/sbin/sshd -D
	;;
    tcwg-bmk-*) user=tcwg-benchmark ;;
    *) user=tcwg-buildslave ;;
esac

case "$node" in
    # create a LNT server on tcwg-ex42-01
    tcwg-lnt-*)
	port=$((8080 + ${node##*-}))
	jenkins_scripts_dir=$(sudo -i -u $user mktemp -d)
	sudo -i -u $user git clone \
	     https://gitlab.com/LinaroLtd/tcwg/jenkins-scripts.git \
	     $jenkins_scripts_dir
	lnt_image=linaro/ci-amd64-tcwg-lnt-ubuntu:noble
	$jenkins_scripts_dir/tcwg-start-container.sh \
	    --container $node-lnt \
	    --image "$lnt_image" \
	    --additional_options \
	    "-p $port:80 -v /home/$user/$node:/home/$user/$node" \
	    -- "$lnt_image" "$node"
	rm -rf "$jenkins_scripts_dir"
	;;
esac

sudo -i -u $user rm -rf /home/$user/jenkins-workdir-$node
sudo -i -u $user mkdir /home/$user/jenkins-workdir-$node
sudo -i -u $user curl -o /home/$user/jenkins-workdir-$node/agent.jar \
     http://192.168.77.122:18080/jnlpJars/agent.jar

exec sudo -i -u $user java -jar /home/$user/jenkins-workdir-$node/agent.jar \
     -jnlpUrl http://192.168.77.122:18080/computer/$node/slave-agent.jnlp \
     -noReconnect -secret @jenkins/$node.secret \
     -workDir /home/$user/jenkins-workdir-$node