#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-3.0-or-later
# Copyright (c) 2025 LUXIM d.o.o., Slovenia
# Author: Matjaž Mozetič
#
# Name: backtunnel-keys
# Summary: Manage the accessor-side BackTunnel SSH key pair.
# Description:
#   Provides simple operations for the dedicated BackTunnel SSH key (~/.ssh/id_ed25519_backtunnel):
#     - print: output the public key to stdout (generates key pair if missing)
#     - path : show filesystem paths for the private/public key
#
# Usage:
#   backtunnel-keys print         # print (and generate if missing) the public key
#   backtunnel-keys path          # print the private/public key paths
#
# Examples:
#   backtunnel-keys print > /tmp/accessor.pub
#   backtunnel-keys path
#
# Dependencies:
#   - bash
#   - ssh-keygen (for key generation on first use)
#
# Exit codes:
#   0  success
#   1  invalid usage, missing public key, or other error
#
# Notes:
#   - The key is generated with no passphrase for non-interactive usage by BackTunnel.
#   - Public key is printed to stdout for easy piping/redirection.

set -euo pipefail

KEY="$HOME/.ssh/id_ed25519_backtunnel"
PUB="$KEY.pub"

cmd="${1:-print}"

case "$cmd" in
  # print: ensure the key exists, then print the public key
  print)
    if [[ ! -f "$KEY" ]]; then
      ssh-keygen -t ed25519 -f "$KEY" -N "" -C "backtunnel" >/dev/null
    fi
    if [[ ! -f "$PUB" ]]; then
      echo "Missing public key $PUB" >&2; exit 1
    fi
    cat "$PUB"
    ;;
  # path: show private/public key locations
  path)
    echo "private: $KEY"
    echo "public : $PUB"
    ;;
  *)
    echo "Usage: $0 {print|path}" >&2
    exit 1
    ;;
esac