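#!/bin/bash
#
# Enrol this machine as an SSSD/LDAP client of fd.vertel.se:
#   1. install sssd and write /etc/sssd/sssd.conf
#   2. fetch the site CA certificate from the LDAP server (over ssh/scp) and
#      install it into the system trust store
#   3. make sshd look up authorized keys in LDAP via sss_ssh_authorizedkeys
#
# Usage: $0 [-u USERNAME]
#   -u  Username on fd.vertel.se (defaults to $USER)
#
# Needs sudo locally and on fd.vertel.se. Safe to re-run: the sshd_config
# directives are appended only once.
set -euo pipefail

readonly LDAP_HOST=fd.vertel.se
readonly CA_NAME=mycacert
readonly CA_DIR=/usr/local/share/ca-certificates
readonly SSSD_CONF=/etc/sssd/sssd.conf
readonly SSHD_CONF=/etc/ssh/sshd_config

# Account used for the ssh/scp hop to the LDAP server; set by parse_args.
USERNAME="${USER:-$(id -un)}"
# Local scratch copy of the CA certificate; removed by the EXIT trap.
TMP_CERT=

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
  echo "Usage: $0 [-u USERNAME]" 1>&2
  echo "  -u: Username on ${LDAP_HOST} (defaults to \$USER)" 1>&2
  exit 1
}

#######################################
# Parse command-line options.
# Globals:   USERNAME (written)
# Arguments: the script's "$@"
#######################################
parse_args() {
  local options
  options=$(getopt -o u: -- "$@") || usage
  eval set -- "$options"
  while [ $# -gt 0 ]; do
    case "$1" in
      -u) USERNAME="$2"; shift 2 ;;
      --) shift; break ;;
      *) usage ;;
    esac
  done
}

#######################################
# Write /etc/sssd/sssd.conf (root-only, 0600 as sssd requires).
# Globals:   LDAP_HOST, CA_NAME, SSSD_CONF (read)
#######################################
write_sssd_conf() {
  # Unquoted delimiter on purpose: only ${LDAP_HOST}/${CA_NAME} expand,
  # the config contains no other shell metacharacters.
  sudo tee "$SSSD_CONF" >/dev/null << EOF
[sssd]
config_file_version = 2
domains = ${LDAP_HOST}
services = ssh

[ssh]
ssh_authorized_keys_cache_timeout = 60
ldap_user_ssh_public_key = sshPublicKey

[domain/${LDAP_HOST}]
#debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://${LDAP_HOST}
cache_credentials = True
ldap_search_base = ou=vertel,dc=nodomain
# NOTE(review): ldap_access_filter is only honoured when access_provider = ldap,
# which is not set here, so this filter is presumably inactive -- confirm.
ldap_access_filter = (uid=*)
# 'allow' accepts a server certificate that does not verify, so the CA installed
# by this script is not actually enforced for LDAP. Tighten to 'demand' once the
# server certificate is known to chain to ${CA_NAME}.pem.
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/${CA_NAME}.pem
EOF
  sudo chown root:root "$SSSD_CONF"
  sudo chmod 0600 "$SSSD_CONF"
}

#######################################
# Copy the site CA certificate from the LDAP server into the local trust
# store and refresh /etc/ssl/certs. The cert is staged in the remote user's
# home (readable by that user), pulled with scp, then removed remotely.
# Trust in the fetched CA rests on the ssh host key of ${LDAP_HOST}.
# Globals:   USERNAME, LDAP_HOST, CA_DIR, CA_NAME (read); TMP_CERT (written)
#######################################
fetch_ca_cert() {
  local remote="${USERNAME}@${LDAP_HOST}"
  TMP_CERT=$(mktemp) || exit 1
  trap 'rm -f -- "$TMP_CERT"' EXIT

  # shellcheck disable=SC2029 -- CA_DIR/CA_NAME/USERNAME intentionally expand client-side
  ssh -t -q "$remote" \
    "sudo cp ${CA_DIR}/${CA_NAME}.crt ~/ && sudo chown ${USERNAME}:${USERNAME} ~/${CA_NAME}.crt"
  scp "${remote}:${CA_NAME}.crt" "$TMP_CERT"
  ssh -t -q "$remote" "sudo rm ~/${CA_NAME}.crt"

  # A CA certificate is public data: it must be readable by every TLS client,
  # not only root, or the /etc/ssl/certs symlink created below is useless
  # to unprivileged processes.
  sudo install -o root -g root -m 0644 "$TMP_CERT" "${CA_DIR}/${CA_NAME}.crt"
  sudo update-ca-certificates
}

#######################################
# Point sshd at sss_ssh_authorizedkeys and enable pam_mkhomedir.
# Globals:   SSHD_CONF (read)
#######################################
configure_sshd() {
  # Append only once so re-running the script does not duplicate the directives.
  if ! sudo grep -q '^AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' "$SSHD_CONF"; then
    printf '\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n' \
      | sudo tee -a "$SSHD_CONF"
  fi
  sudo pam-auth-update --enable mkhomedir
}

main() {
  parse_args "$@"
  sudo apt update
  sudo apt install sssd
  sudo systemctl enable sssd.service
  write_sssd_conf
  fetch_ca_cert
  configure_sshd
  sudo systemctl restart sssd.service ssh.service
}

main "$@"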