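#!/usr/bin/env bash
#
# Generate an ed25519 SSH host key for a new machine, sign it with the host CA,
# and stage the result together with the user CA public key in a temp
# directory laid out as an --extra-files tree for nixos-anywhere
# (persisted/etc/ssh/...).
#
# Usage: gen-host-cert.sh <host_type> <hostname> [extra_principal_names]
#   host_type    flake output used by the nixos-anywhere command at the bottom
#   hostname     certificate key ID (-I) and first host principal
#   extra_names  optional comma-separated extra principals (alt names, IPs)
#
# Requires next to this script:
#   ssh_certs/host_ca      private host CA key (keep it passphrase-protected
#                          or on an agent/HSM; it is read directly here)
#   ssh_certs/user_ca.pub  public user CA key, copied to the target as
#                          user_cas.pub (presumably for TrustedUserCAKeys)
#
# Output: the temp directory path on stdout; all diagnostics go to stderr so
# `dir=$(./gen-host-cert.sh ...)` captures only the path.
#
# NOTE: `set -x` traces every command. No secret material is passed on argv
# (the CA key is referenced by path), so the trace only leaks paths/hostnames.
set -euxo pipefail

usage() {
  printf 'Usage: %s <host_type> <hostname> [extra_principal_names]\n' "${0##*/}" >&2
  exit 2
}

# Validate arity before `set -u` turns a missing $2 into an opaque error.
if (( $# < 2 || $# > 3 )); then
  usage
fi

SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
readonly SCRIPT_DIR
readonly host_ca_key="${SCRIPT_DIR}/ssh_certs/host_ca"
readonly user_ca_pub="${SCRIPT_DIR}/ssh_certs/user_ca.pub"

if [[ ! -f "${host_ca_key}" ]]; then
  echo "Host CA key not found." >&2
  exit 1
fi
if [[ ! -f "${user_ca_pub}" ]]; then
  echo "Public User CA key not found." >&2
  exit 1
fi

# mktemp -d creates the directory mode 0700, which is what protects the
# unencrypted host private key written below until it is deployed.
temp=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
readonly temp

cleanup() {
  rm -rf -- "${temp:?}"
}
# Deliberately not armed: the caller needs the directory for nixos-anywhere.
# The private host key stays on disk in ${temp} until the caller removes it,
# so run `rm -rf "$temp"` once the deployment is done.
# trap cleanup EXIT

host_type=$1
hostname=$2
extra_names=${3:-}

# Principals the certificate is valid for: the hostname, plus any extra
# names the caller supplied, as one comma-separated list for -n.
principal_names="${hostname}"
if [[ -n "${extra_names}" ]]; then
  principal_names="${principal_names},${extra_names}"
fi

ssh_dir="${temp}/persisted/etc/ssh"
host_key="${ssh_dir}/ssh_host_ed25519_key"

install -d -m755 -- "${ssh_dir}"

# Host keys must be loadable by sshd unattended, hence no passphrase (-N '').
# ssh-keygen writes the private key 0600.
ssh-keygen -t ed25519 -f "${host_key}" -C '' -N ''

# Sign as a *host* certificate (-h) valid for 52 weeks from now.
# No serial (-z) is set, so this cert cannot be revoked by serial in a KRL;
# revocation has to target the key or key ID instead.
ssh-keygen -s "${host_ca_key}" -I "${hostname}" -h -n "${principal_names}" \
  -V +52w "${host_key}.pub"

cp -- "${user_ca_pub}" "${ssh_dir}/user_cas.pub"

printf '%s\n' "${temp}"
#nix run github:nix-community/nixos-anywhere -- --extra-files "${temp}" --flake ".#${host_type}" --target-host "root@${hostname}"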