#!/bin/sh

set -eu

# Remove leftover files
find /tmp/ /run/ -mindepth 1 -delete ||:

# Add GPU devices groups to additional groups
for dev in /dev/dri/*; do
	[ -c "${dev:?}" ] || continue
	gid=$(stat -c '%g' "${dev:?}")
	uug=${UNPRIVILEGED_USER_GROUPS?}
	UNPRIVILEGED_USER_GROUPS="${uug:+${uug:?},}${gid:?}"
done

# Create additional groups
_IFS=${IFS}; IFS=,
for gid in ${UNPRIVILEGED_USER_GROUPS?}; do
	if ! getent group "${gid:?}" >/dev/null 2>&1; then
		groupadd --gid "${gid:?}" "g_${gid:?}"
	fi
done
IFS=$_IFS

# Create unprivileged user and group
if ! getent group "${UNPRIVILEGED_USER_GID:?}" >/dev/null 2>&1; then
	groupadd --gid "${UNPRIVILEGED_USER_GID:?}" "${UNPRIVILEGED_USER_NAME:?}"
fi
if ! getent passwd "${UNPRIVILEGED_USER_UID:?}" >/dev/null 2>&1; then
	useradd \
		--uid "${UNPRIVILEGED_USER_UID:?}" \
		--gid "${UNPRIVILEGED_USER_GID:?}" \
		--groups "${UNPRIVILEGED_USER_GROUPS?}" \
		--shell "${UNPRIVILEGED_USER_SHELL:?}" \
		--home-dir "${UNPRIVILEGED_USER_HOME:?}" \
		--create-home \
		"${UNPRIVILEGED_USER_NAME:?}"
fi

# Set unprivileged user password
if [ -n "${UNPRIVILEGED_USER_PASSWORD?}" ]; then
	printf '%s' "${UNPRIVILEGED_USER_NAME:?}:${UNPRIVILEGED_USER_PASSWORD:?}" | chpasswd
else
	passwd -d "${UNPRIVILEGED_USER_NAME:?}"
fi

if [ -w "${UNPRIVILEGED_USER_HOME:?}" ]; then
	# Copy /etc/skel/ to unprivileged user home if certain files do not exist
	if [ ! -e "${UNPRIVILEGED_USER_HOME:?}"/.profile ]; then
		cp -aT /etc/skel/ "${UNPRIVILEGED_USER_HOME:?}" ||:
		find /etc/skel/ -mindepth 1 -exec sh -c 'chown "$1:" "$2/${3#/etc/skel/}"' _ "${UNPRIVILEGED_USER_NAME:?}" "${UNPRIVILEGED_USER_HOME:?}" '{}' ';'
	fi

	# Set unprivileged user home permissions
	if [ "$(stat -c '%u' "${UNPRIVILEGED_USER_HOME:?}")" != "${UNPRIVILEGED_USER_UID:?}" ]; then
		chown "${UNPRIVILEGED_USER_NAME:?}:" "${UNPRIVILEGED_USER_HOME:?}"
	fi
	if [ "$(stat -c '%a' "${UNPRIVILEGED_USER_HOME:?}")" != '750' ]; then
		chmod 750 "${UNPRIVILEGED_USER_HOME:?}"
	fi
fi

# Create /run/user/${UNPRIVILEGED_USER_UID}/ directory if it does not exist
if [ ! -d /run/user/"${UNPRIVILEGED_USER_UID:?}"/ ]; then
	mkdir -p /run/user/"${UNPRIVILEGED_USER_UID:?}"/
	chmod 700 /run/user/"${UNPRIVILEGED_USER_UID:?}"/
	chown "${UNPRIVILEGED_USER_NAME:?}:" /run/user/"${UNPRIVILEGED_USER_UID:?}"/
fi

# Disable glx module if /dev/dri/ does not exist
if [ ! -d /dev/dri/ ]; then
	printf '%s\n' '"/dev/dri/" does not exist, glx module will be disabled' 1>&2
	sed -i 's|Load \("glx"\)|Disable \1|g' /opt/xrdp/etc/X11/xrdp/xorg.conf
fi

# Enable xrdp bootstrap service
if [ "${SERVICE_XRDP_BOOTSTRAP_ENABLED:?}" = 'true' ] && [ ! -L "${SVDIR:?}"/xrdp-bootstrap ]; then
	ln -s /etc/sv/xrdp-bootstrap "${SVDIR:?}"
fi

# Enable headless X server service
if [ "${SERVICE_XORG_HEADLESS_ENABLED:?}" = 'true' ] && [ ! -L "${SVDIR:?}"/xorg-headless ]; then
	ln -s /etc/sv/xorg-headless "${SVDIR:?}"
fi

# Generate SSH keys if they do not exist
if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
	ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >/dev/null
fi
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
	ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' >/dev/null
fi

# Generate xrdp RSA keys if they do not exist
if [ ! -f "${XRDP_RSAKEYS_PATH:?}" ]; then
	mkdir -p "$(dirname "${XRDP_RSAKEYS_PATH:?}")"
	(umask 077 \
		&& xrdp-keygen xrdp "${XRDP_RSAKEYS_PATH:?}" \
	) >/dev/null
fi

# Generate RDP certificate if it does not exist
if [ ! -f "${XRDP_TLS_KEY_PATH:?}" ] || [ ! -f "${XRDP_TLS_CRT_PATH:?}" ]; then
	FQDN=$(hostname --fqdn)

	mkdir -p "$(dirname "${XRDP_TLS_KEY_PATH:?}")"
	(umask 077 \
		&& openssl ecparam -genkey -name prime256v1 > "${XRDP_TLS_KEY_PATH:?}" \
	) >/dev/null

	mkdir -p "$(dirname "${XRDP_TLS_CRT_PATH:?}")"
	(umask 022 \
		&& openssl req -x509 -sha256 -days 3650 -subj "/CN=${FQDN:?}" -addext "subjectAltName=DNS:${FQDN:?}" -key "${XRDP_TLS_KEY_PATH:?}" > "${XRDP_TLS_CRT_PATH:?}" \
	) >/dev/null
fi

# Print RDP certificate fingerprint
openssl x509 -in "${XRDP_TLS_CRT_PATH:?}" -noout -fingerprint -sha1
openssl x509 -in "${XRDP_TLS_CRT_PATH:?}" -noout -fingerprint -sha256

# Dump environment variables
env | grep -Ev '^(PWD|OLDPWD|HOME|USER|SHELL|TERM|([^=]*(PASSWORD|SECRET)[^=]*))=' | sort > /etc/environment

# Start runit
exec runsvdir -P "${SVDIR:?}"
