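#!/bin/sh
#
# Container entrypoint: provisions the unprivileged user, enables optional
# runit services, generates host keys and a self-signed RDP certificate on
# first start, then hands control to runsvdir.
#
# Expansion conventions used throughout:
#   ${VAR:?}  abort if VAR is unset OR empty
#   ${VAR?}   abort only if VAR is unset (an empty value is accepted)
#
# Required environment:
#   UNPRIVILEGED_USER_NAME, UNPRIVILEGED_USER_UID, UNPRIVILEGED_USER_GID,
#   UNPRIVILEGED_USER_GROUPS (may be empty), UNPRIVILEGED_USER_SHELL,
#   UNPRIVILEGED_USER_PASSWORD, ENABLE_SSHD, ENABLE_VIRTUALGL,
#   RDP_TLS_KEY_PATH, RDP_TLS_CERT_PATH, HOME (only when RANDFILE is unset)

set -eu

# Create additional groups
# UNPRIVILEGED_USER_GROUPS is split on commas; each entry is passed to
# `groupadd -g`, so it has to be a numeric GID. Entries that already resolve
# through getent are left alone.
_IFS=${IFS}; IFS=,
for gid in ${UNPRIVILEGED_USER_GROUPS?}; do
  if ! getent group "${gid:?}" >/dev/null 2>&1; then
    groupadd -g "${gid:?}" "g_${gid:?}"
  fi
done
IFS=$_IFS

# Create unprivileged user and group
# NOTE(review): groupadd/useradd (and the `ln -s` calls below) fail when their
# target already exists, so with `set -e` a second run against the same
# filesystem aborts here — confirm that is the intended behaviour.
groupadd \
  --gid "${UNPRIVILEGED_USER_GID:?}" \
  "${UNPRIVILEGED_USER_NAME:?}"
useradd \
  --uid "${UNPRIVILEGED_USER_UID:?}" \
  --gid "${UNPRIVILEGED_USER_GID:?}" \
  --groups "${UNPRIVILEGED_USER_GROUPS?}" \
  --shell "${UNPRIVILEGED_USER_SHELL:?}" \
  --create-home \
  "${UNPRIVILEGED_USER_NAME:?}"

# Copy /etc/skel/ to unprivileged user home if empty
UNPRIVILEGED_USER_HOME=$(getent passwd "${UNPRIVILEGED_USER_NAME:?}" | cut -d: -f6)
if [ -z "$(ls -A "${UNPRIVILEGED_USER_HOME:?}")" ]; then
  cp -aT /etc/skel/ "${UNPRIVILEGED_USER_HOME:?}"
  chown -R "${UNPRIVILEGED_USER_NAME:?}:" "${UNPRIVILEGED_USER_HOME:?}"
fi

# Create /run/user/${UNPRIVILEGED_USER_UID}/dbus-1/ directory
# Mode 700 keeps the runtime directory private to its owner.
mkdir -p /run/user/"${UNPRIVILEGED_USER_UID:?}"/dbus-1/
chmod -R 700 /run/user/"${UNPRIVILEGED_USER_UID:?}"/
chown -R "${UNPRIVILEGED_USER_NAME:?}:" /run/user/"${UNPRIVILEGED_USER_UID:?}"/

# Set unprivileged user password
# The credential is fed to chpasswd on stdin rather than as an argument, and
# the variable is dropped before the environment is dumped below.
printf '%s' "${UNPRIVILEGED_USER_NAME:?}:${UNPRIVILEGED_USER_PASSWORD:?}" | chpasswd
unset UNPRIVILEGED_USER_PASSWORD

# Dump environment variables
# NOTE(review): export-env is not defined in this script. Whatever it prints
# lands in /etc/profile.d/, which login shells of every user source; any other
# secret still present in the environment at this point would be exposed to
# them — confirm what export-env emits.
export-env > /etc/profile.d/env.sh

# Enable sshd service if ENABLE_SSHD is true
if [ "${ENABLE_SSHD:?}" = 'true' ]; then
  ln -s /etc/sv/sshd /etc/service/
fi

# Enable xdummy service if ENABLE_VIRTUALGL is true
if [ "${ENABLE_VIRTUALGL:?}" = 'true' ]; then
  ln -s /etc/sv/xdummy /etc/service/
fi

# Create RANDFILE if it does not exist
# The seed is written under umask 077 so it is not readable by other users.
RANDFILE=${RANDFILE-${HOME:?}/.rnd}
if [ ! -f "${RANDFILE:?}" ]; then
  (umask 077 \
    && dd if=/dev/urandom of="${RANDFILE:?}" bs=256 count=1 \
  ) >/dev/null 2>&1
fi

# Generate SSH keys if they do not exist
# Host keys are created without a passphrase (-N '') so sshd can load them
# unattended.
if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
  ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >/dev/null
fi
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
  ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' >/dev/null
fi

# Generate self-signed certificate
# Runs when either the key or the certificate is missing; both are rewritten.
# The certificate is self-signed, so clients can only authenticate the server
# by pinning it or by trusting it explicitly.
if [ ! -f "${RDP_TLS_KEY_PATH:?}" ] || [ ! -f "${RDP_TLS_CERT_PATH:?}" ]; then
  KEY_FILE=${RDP_TLS_KEY_PATH:?}
  CRT_FILE=${RDP_TLS_CERT_PATH:?}
  # Let mktemp create the file atomically. `mktemp -u` only prints a name,
  # leaving a window in which another local user could create that path (for
  # example as a symlink) before openssl writes to it.
  CSR_FILE=$(mktemp)
  # Private key: created under umask 077 so only the owner can read it.
  (umask 077 \
    && openssl genrsa -out "${KEY_FILE:?}" 2048 \
  ) >/dev/null
  # CSR and certificate: the certificate is public, hence umask 022. The exit
  # status is captured so the temporary CSR is removed on failure as well.
  csr_status=0
  (umask 022 \
    && openssl req -new -subj "/CN=$(uname -n)" -key "${KEY_FILE:?}" -out "${CSR_FILE:?}" \
    && openssl x509 -req -days 3650 -signkey "${KEY_FILE:?}" -in "${CSR_FILE:?}" -out "${CRT_FILE:?}" \
  ) >/dev/null || csr_status=$?
  rm -f "${CSR_FILE:?}"
  if [ "${csr_status}" -ne 0 ]; then
    exit "${csr_status}"
  fi
fi

# Start all services
# exec replaces this shell, so runsvdir becomes the container's main process.
exec runsvdir -P /etc/service/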