#!/usr/bin/env bash
# bootstrap-dev-lxc.sh — provision a fresh dev LXC.
# Run from the PVE host as root. Idempotent.
#
# Usage:
#   ./bootstrap-dev-lxc.sh <CTID> [gitea_token_file]
#
# Assumes:
#   - CT already exists and is started
#   - You have local copies of claude-code (in /tmp/claude-staging) and tea
#     (in /tmp/tea-staging) and credentials (/tmp/claude-creds-staging.json)
#
# This is intentionally not a full image builder — it's the manual recipe
# that documents what dev-01 was bootstrapped with. Codify later.

set -euo pipefail
CTID="${1:?usage: $0 <CTID> [gitea_token_file]}"
TOKEN_FILE="${2:-/tmp/gitea-token-staging}"

[[ -r /tmp/claude-staging  ]] || { echo "missing /tmp/claude-staging (claude-code tree)" >&2; exit 1; }
[[ -r /tmp/tea-staging     ]] || { echo "missing /tmp/tea-staging (tea binary)" >&2; exit 1; }
[[ -r /tmp/claude-creds-staging.json ]] || { echo "missing /tmp/claude-creds-staging.json" >&2; exit 1; }
[[ -r "$TOKEN_FILE"        ]] || { echo "missing token file $TOKEN_FILE" >&2; exit 1; }

# --- packages ---
pct exec "$CTID" -- bash -c '
  apt-get update -qq
  DEBIAN_FRONTEND=noninteractive apt-get install -y -qq \
    git curl ca-certificates jq openssh-server xz-utils
  mkdir -p /root/.claude /root/.local/bin /root/.local/share /root/.ssh /etc/agent /var/agent/workspaces /var/agent/logs
  chmod 700 /root/.ssh /root/.claude /etc/agent
'

# --- claude-code ---
tar -czf /tmp/claude-bundle.tgz -C /tmp claude-staging
pct push "$CTID" /tmp/claude-bundle.tgz /tmp/claude-bundle.tgz
pct push "$CTID" /tmp/claude-creds-staging.json /root/.claude/.credentials.json --perms 600
pct exec "$CTID" -- bash -c '
  set -e
  rm -rf /root/.local/share/claude
  tar -xzf /tmp/claude-bundle.tgz -C /root/.local/share/
  mv /root/.local/share/claude-staging /root/.local/share/claude
  CLAUDE_VERSION=$(ls /root/.local/share/claude/versions/ | sort -V | tail -1)
  ln -sf /root/.local/share/claude/versions/$CLAUDE_VERSION /root/.local/bin/claude
  rm -f /tmp/claude-bundle.tgz
'
rm -f /tmp/claude-bundle.tgz

# --- tea ---
pct push "$CTID" /tmp/tea-staging /usr/local/bin/tea --perms 755

# --- gitea token ---
pct push "$CTID" "$TOKEN_FILE" /etc/agent/gitea-token --perms 600

# --- enable sshd ---
pct exec "$CTID" -- systemctl enable --now ssh

echo "Bootstrap complete for CT $CTID. Versions:"
pct exec "$CTID" -- bash -lc 'PATH=/root/.local/bin:/usr/local/bin:$PATH; claude --version; tea --version | head -2'