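#!/bin/bash
# Add server administrator with full access.
#
# Usage: sudo add-admin username "ssh-public-key"
#
# Creates the account with a home directory and bash shell, adds it to the
# admin groups, installs the given OpenSSH public key, creates a workspace
# and data symlinks and, when /etc/security/limits.d/99-users.conf exists,
# inserts an "unlimited" resource-limits block for the user in front of the
# NEW_ADMIN_ENTRY_ABOVE_THIS_LINE marker (or the wildcard section).
# Must be run as root; exits 1 on any usage or runtime error.

set -euo pipefail

# Groups every admin joins, paired index-by-index with the description that
# is printed in the final summary.
readonly -a ADMIN_GROUPS=(sudo dataread data-private data-ops)
readonly -a ADMIN_GROUP_DESCS=(
    "server administration"
    "public data access"
    "private data access"
    "application deployment"
)
# Symlinks created in the home directory, paired index-by-index: name -> target.
readonly -a LINK_NAMES=(data docs user_scripts)
readonly -a LINK_TARGETS=(/data/src_data /data/docs /data/user_scripts)
readonly LIMITS_FILE="/etc/security/limits.d/99-users.conf"
readonly LIMITS_MARKER="NEW_ADMIN_ENTRY_ABOVE_THIS_LINE"

#######################################
# Print an error message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
    printf 'Error: %s\n' "$*" >&2
    exit 1
}

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
    printf 'Usage: sudo add-admin username "ssh-public-key"\n\n' >&2
    printf 'Example:\n' >&2
    printf '  sudo add-admin novak "ssh-rsa AAAAB3... novak@example.com"\n' >&2
    exit 1
}

#######################################
# Reject usernames that useradd would not accept and that would be unsafe
# to splice into the grep patterns below: lowercase letters, digits, '_'
# and '-', starting with a letter or '_', at most 32 characters.
# Arguments: $1 - candidate username
# Returns:   0 if valid, exits 1 otherwise
#######################################
validate_username() {
    local name=$1
    local re='^[a-z_][a-z0-9_-]{0,31}$'
    [[ "$name" =~ $re ]] \
        || die "invalid username '$name' (allowed: [a-z_][a-z0-9_-]*, max 32 chars)"
}

#######################################
# Check that the second argument parses as an OpenSSH public key, so a typo
# or a private key is rejected before the account is created. The
# ssh-keygen check is skipped when the tool is not installed.
# Arguments: $1 - public key text
# Returns:   0 if valid, exits 1 otherwise
#######################################
validate_ssh_key() {
    local key=$1
    [[ -n "$key" ]] || die "SSH public key must not be empty"
    if command -v ssh-keygen >/dev/null 2>&1; then
        printf '%s\n' "$key" | ssh-keygen -l -f /dev/stdin >/dev/null 2>&1 \
            || die "argument 2 is not a valid OpenSSH public key"
    fi
}

#######################################
# Create the account with home dir, bash shell and all admin groups in one
# useradd call, after checking the groups exist, so a failure leaves no
# half-configured user behind.
# Arguments: $1 - username
#######################################
create_admin_user() {
    local user=$1 group groups_csv
    for group in "${ADMIN_GROUPS[@]}"; do
        getent group "$group" >/dev/null || die "group '$group' does not exist"
    done
    groups_csv=$(IFS=,; printf '%s' "${ADMIN_GROUPS[*]}")
    useradd -m -s /bin/bash -G "$groups_csv" "$user"
}

#######################################
# Print the home directory useradd actually assigned (from the passwd
# database rather than assuming /home/<user>).
# Arguments: $1 - username
# Outputs:   home directory path on stdout
#######################################
home_of() {
    local home
    home=$(getent passwd "$1" | cut -d: -f6)
    [[ -n "$home" && -d "$home" ]] || die "home directory of '$1' not found"
    printf '%s' "$home"
}

#######################################
# Write the public key to ~/.ssh/authorized_keys with owner-only permissions.
# Arguments: $1 - username, $2 - home directory, $3 - public key text
#######################################
install_ssh_key() {
    local user=$1 home=$2 key=$3
    local ssh_dir="${home}/.ssh"
    # umask 077 inside a subshell: the file is never world-readable, not
    # even between its creation and the explicit chmod below.
    (
        umask 077
        mkdir -p -- "$ssh_dir"
        printf '%s\n' "$key" > "${ssh_dir}/authorized_keys"
    )
    chmod 700 -- "$ssh_dir"
    chmod 600 -- "${ssh_dir}/authorized_keys"
    # "user:" sets the group to the user's login group, whatever it is named.
    chown -R -- "${user}:" "$ssh_dir"
}

#######################################
# Create the workspace directory and the data/docs/scripts symlinks.
# Arguments: $1 - username, $2 - home directory
#######################################
setup_home() {
    local user=$1 home=$2 i
    mkdir -p -- "${home}/workspace"
    chown -- "${user}:" "${home}/workspace"
    for i in "${!LINK_NAMES[@]}"; do
        # -n: if the link path already is a symlink to a directory, replace
        # it instead of creating the new link inside that directory.
        ln -sfn -- "${LINK_TARGETS[$i]}" "${home}/${LINK_NAMES[$i]}"
        chown -h -- "${user}:" "${home}/${LINK_NAMES[$i]}"
    done
}

#######################################
# Insert an unlimited-resources block for the user into LIMITS_FILE, before
# the LIMITS_MARKER line or, failing that, before the first "* " wildcard
# line. The block is passed to awk as a variable, never spliced into a sed
# script, so multi-line text and the username cannot be misparsed.
# Arguments: $1 - username (already validated: no regex or escape chars)
# Outputs:   status line on stdout; warning on stderr if no anchor line found
#######################################
add_resource_limits() {
    local user=$1
    [[ -f "$LIMITS_FILE" ]] || return 0
    if grep -q -- "^${user}[[:space:]]" "$LIMITS_FILE"; then
        return 0
    fi

    local block marker="" tmp
    # printf reuses the format for every group of four arguments: five lines.
    block=$(printf '%-20s %-7s %-15s %s\n' \
        "$user" soft nproc  unlimited \
        "$user" hard nproc  unlimited \
        "$user" -    as     unlimited \
        "$user" -    fsize  unlimited \
        "$user" -    nofile 65535)
    if grep -q -F -- "$LIMITS_MARKER" "$LIMITS_FILE"; then
        marker=$LIMITS_MARKER
    fi

    tmp=$(mktemp) || die "mktemp failed"
    if awk -v block="$block" -v marker="$marker" '
            !done && ((marker != "" && index($0, marker) > 0) ||
                      (marker == "" && $0 ~ /^\* /)) {
                print block
                done = 1
            }
            { print }
            END { if (!done) exit 3 }
        ' "$LIMITS_FILE" > "$tmp"; then
        # Overwrite in place so the file keeps its owner and mode.
        cat -- "$tmp" > "$LIMITS_FILE"
        rm -f -- "$tmp"
        printf '  - Added to resource limits (unlimited)\n'
    else
        rm -f -- "$tmp"
        printf 'Warning: no %s or "* " line in %s; resource limits NOT added for %s\n' \
            "$LIMITS_MARKER" "$LIMITS_FILE" "$user" >&2
    fi
}

#######################################
# Entry point.
# Arguments: $1 - username, $2 - ssh public key
#######################################
main() {
    [[ $EUID -eq 0 ]] || die "This script must be run as root (use sudo)"
    (( $# >= 2 )) || usage

    local user=$1 ssh_key=$2 home i
    validate_username "$user"
    validate_ssh_key "$ssh_key"
    if id "$user" >/dev/null 2>&1; then
        die "User '$user' already exists"
    fi

    printf 'Creating admin user: %s\n' "$user"
    create_admin_user "$user"
    home=$(home_of "$user") || exit 1
    install_ssh_key "$user" "$home" "$ssh_key"
    setup_home "$user" "$home"
    add_resource_limits "$user"

    printf '\nAdmin '\''%s'\'' created successfully\n' "$user"
    for i in "${!ADMIN_GROUPS[@]}"; do
        printf '  - Added to group: %s (%s)\n' \
            "${ADMIN_GROUPS[$i]}" "${ADMIN_GROUP_DESCS[$i]}"
    done
    printf '  - Workspace: %s/workspace\n' "$home"
    for i in "${!LINK_NAMES[@]}"; do
        printf '  - Link: %s/%s -> %s\n' \
            "$home" "${LINK_NAMES[$i]}" "${LINK_TARGETS[$i]}"
    done
}

main "$@"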
