#!/bin/sh
# bee-sshsetup — configure SSH access
# Called by bee-sshsetup.service before SSH starts.

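# log MESSAGE...
# Writes the arguments to stdout as one line, prefixed with the script tag.
# printf '%s' is used instead of echo because some /bin/sh implementations
# make echo expand backslash escapes, which would alter the logged text.
log() {
    printf '[bee-sshsetup] %s\n' "$*"
}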

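SSHD_DIR="/etc/ssh/sshd_config.d"
AUTH_CONF="${SSHD_DIR}/99-bee-auth.conf"

# write_auth_conf <yes|no>
# Writes the sshd drop-in that switches password-style authentication on or
# off. Root stays limited to non-password methods in both modes.
# Returns non-zero when the file cannot be written.
#
# ChallengeResponseAuthentication is a deprecated alias of
# KbdInteractiveAuthentication since OpenSSH 8.7; both are written so the
# setting applies on older and newer daemons alike.
#
# NOTE(review): sshd keeps the FIRST value it reads for each keyword, so any
# drop-in that sorts before 99-bee-auth.conf and sets the same keyword takes
# precedence over this file. Confirm the effective values with `sshd -T`.
write_auth_conf() {
    cat > "$AUTH_CONF" <<EOF
PermitRootLogin prohibit-password
PasswordAuthentication $1
KbdInteractiveAuthentication $1
ChallengeResponseAuthentication $1
UsePAM yes
EOF
}

# Without the drop-in directory no policy can be written and sshd would start
# with whatever its defaults are, so stop here rather than report success.
if ! mkdir -p "$SSHD_DIR"; then
    log "ERROR: cannot create ${SSHD_DIR}"
    exit 1
fi

if [ -f /etc/bee-ssh-password-fallback ]; then
    # Marker file present: no SSH key could be installed, so fall back to a
    # password login for the dedicated "bee" account.
    fallback_ok=yes
    if ! id bee > /dev/null 2>&1; then
        if ! useradd -m -s /bin/sh bee > /dev/null 2>&1; then
            log "WARNING: could not create user bee"
            fallback_ok=no
        fi
    fi

    # NOTE(review): this is a fixed, publicly known password. While the marker
    # file exists, anyone who can reach the SSH port can log in as bee, and
    # PasswordAuthentication is enabled for every non-root account, not only
    # bee. Prefer a random per-boot password shown on the local console only,
    # and restrict the fallback to trusted networks.
    if [ "$fallback_ok" = yes ]; then
        if ! printf '%s\n' "bee:eeb" | chpasswd > /dev/null 2>&1; then
            log "WARNING: could not set the password for user bee"
            fallback_ok=no
        fi
    fi

    if ! write_auth_conf yes; then
        log "ERROR: cannot write ${AUTH_CONF}"
        exit 1
    fi

    if [ "$fallback_ok" = yes ]; then
        log "SSH key auth unavailable — password fallback active"
        # NOTE(review): the credential ends up wherever this service's output
        # is collected; treat those logs as sensitive.
        log "Login: bee / eeb"
    else
        # Do not advertise a login that was never provisioned.
        log "WARNING: password authentication enabled but the bee account is not usable"
    fi
else
    # Key-based access is available: make sure the fallback password left by
    # an earlier run can no longer be used. Locking is best effort, but a
    # failure is reported because the known password would stay valid for
    # non-SSH logins.
    if id bee > /dev/null 2>&1; then
        passwd -l bee > /dev/null 2>&1 \
            || log "WARNING: could not lock the password of user bee"
    fi

    # If the drop-in cannot be written, password logins are NOT known to be
    # disabled, so fail instead of logging success.
    if ! write_auth_conf no; then
        log "ERROR: cannot write ${AUTH_CONF}"
        exit 1
    fi
    log "SSH key auth configured"
fi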
