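#!/usr/bin/env bash
# Support helper for the NVR appliance: optionally opens temporary SSH support
# access through nvr-support-unlock and then runs nvr-gateway-reconcile.
# Both helpers are looked up through PATH and executed as root further down.
set -euo pipefail

# System directories are searched first; the caller's PATH is kept only as a
# fallback. The inherited value is appended with ${PATH:+:...} so that an empty
# or unset PATH does not leave a trailing ':' behind. An empty PATH entry means
# "current directory", which would let a file in the working directory satisfy
# the `command -v` probes below and then be executed as root.
# NOTE(review): the inherited entries are still caller-controlled. If both
# helpers always live in the system directories, consider dropping the
# inherited suffix entirely - confirm against the package layout first.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin${PATH:+:${PATH}}"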

#######################################
# Print a status line prefixed with the script tag.
# Arguments: $@ - message words, joined into a single line
# Outputs:   "[nvr-support] <message>" on stdout
#######################################
log() {
  local message="$*"
  printf '[nvr-support] %s\n' "$message"
}

#######################################
# Run a command with root privileges.
# When the effective UID is already 0 the command is executed directly;
# otherwise it is handed to `sudo -E`.
# Arguments: $@ - command and its arguments
# Returns:   exit status of the command (or of sudo)
#
# NOTE(review): -E asks sudo to carry the caller's whole environment into the
# root context, which is wider than the unlock call needs (it passes its
# variables explicitly through `env`). Whether -E is honoured depends on the
# sudoers policy. Confirm nvr-gateway-reconcile really needs inherited
# variables before keeping the flag.
#######################################
run_as_root() {
  case "$(id -u)" in
    0)
      # Already root: no privilege change needed.
      "$@"
      ;;
    *)
      sudo -E "$@"
      ;;
  esac
}

# Temporary SSH support access.
# With NVR_SUPPORT_AUTHORIZED_KEY set, nvr-support-unlock must be installed
# (otherwise exit 2) and is run as root with three values passed explicitly
# through `env`: the public key, a TTL in minutes (default 240) and an allowed
# source CIDR list (default: the three RFC 1918 private ranges).
# Without the variable the step is skipped and the manual command is logged.
#
# NOTE(review): the key, TTL and CIDR values are forwarded exactly as received.
# This script does no shape check (single-line key, numeric TTL, CIDR syntax),
# and what the helper does with them is not visible here. Confirm that
# nvr-support-unlock validates all three.
# NOTE(review): the default allow-list covers every private range. Pass a
# narrower NVR_SUPPORT_ALLOWED_CIDRS when the support source network is known.
# The values travel on the `env` command line, so they are visible in process
# listings. That is acceptable for a public key; do not reuse this pattern for
# secrets.
if [ -z "${NVR_SUPPORT_AUTHORIZED_KEY:-}" ]; then
  log "NVR_SUPPORT_AUTHORIZED_KEY ausente; pulando unlock SSH"
  log "para liberar suporte: sudo NVR_SUPPORT_AUTHORIZED_KEY='ssh-ed25519 ...' nvr-support-unlock"
else
  # Refuse to continue when the unlock helper is not installed.
  command -v nvr-support-unlock >/dev/null 2>&1 || {
    log "nvr-support-unlock ausente; atualize o appliance pelo pacote oficial antes de liberar SSH"
    exit 2
  }

  log "liberando suporte SSH temporario por chave publica"
  unlock_env=(
    "NVR_SUPPORT_AUTHORIZED_KEY=${NVR_SUPPORT_AUTHORIZED_KEY}"
    "NVR_SUPPORT_TTL_MINUTES=${NVR_SUPPORT_TTL_MINUTES:-240}"
    "NVR_SUPPORT_ALLOWED_CIDRS=${NVR_SUPPORT_ALLOWED_CIDRS:-192.168.0.0/16,10.0.0.0/8,172.16.0.0/12}"
  )
  run_as_root env "${unlock_env[@]}" nvr-support-unlock
fi

# Reconcile the local gateway as root. A missing helper is fatal (exit 2).
# NOTE(review): this probe runs after the unlock step above, so a missing
# nvr-gateway-reconcile ends the script with status 2 while the SSH unlock has
# already been applied. Consider probing for both helpers before changing
# anything - confirm whether the unlock depends on the reconcile step.
if ! command -v nvr-gateway-reconcile >/dev/null 2>&1; then
  log "nvr-gateway-reconcile ausente; atualize o appliance pelo pacote oficial"
  exit 2
fi

log "reconciliando gateway local"
run_as_root nvr-gateway-reconcile

log "concluido"
