soteria/scripts/setup_client.sh

#!/bin/bash

set -e

# Colors
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color

log_info() { echo -e "${YELLOW}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }

# Check for required tools
check_command() {
    if ! command -v "$1" &> /dev/null; then
        log_error "$1 is required but not installed."
        exit 1
    fi
}

check_command step
check_command curl
check_command wget
check_command bunzip2

# 1. Setup Step Certificates
log_info "Setting up Step Certificates..."

STEP_PATH="$(step path)"
CERTS_DIR="$STEP_PATH/certs"

if [ ! -d "$CERTS_DIR" ]; then
    log_info "Creating directory $CERTS_DIR"
    mkdir -p "$CERTS_DIR"
fi

# Prompt for secret securely (reading from /dev/tty to support pipe execution)
echo -e "${YELLOW}Please enter the provisioner password for 'admin':${NC}"
read -s secret < /dev/tty
echo ""

if [ -z "$secret" ]; then
    log_error "Password cannot be empty."
    exit 1
fi

# Prompt for Repo Name
DEFAULT_REPO_NAME=$(hostnamectl hostname 2>/dev/null || hostname)
echo -e "${YELLOW}Please enter the Restic Repository Name (default: $DEFAULT_REPO_NAME):${NC}"
read repo_name < /dev/tty

if [ -z "$repo_name" ]; then
    repo_name="$DEFAULT_REPO_NAME"
fi

# Save secret temporarily
SECRET_FILE="$CERTS_DIR/secret.txt"
(umask 077; echo "$secret" > "$SECRET_FILE")
log_success "Secret saved to $SECRET_FILE"

# Generate Certificates
log_info "Generating certificates for repo/client: $repo_name"

cd "$CERTS_DIR"

if step ca certificate \
    --provisioner admin --password-file secret.txt \
    "$repo_name" restic.crt restic.key; then
    
    # Combine into PEM
    (umask 077; cat restic.crt restic.key > restic.pem)
    log_success "Certificates generated and combined into restic.pem"
    
    # Clean up secret? The README keeps it, but usually it's good to ask. 
    # The README implies keeping it for renewal maybe? 
    # But for client certs, renewal might need the password again if using the same provisioner.
    # I'll leave it as per README instructions.
else
    log_error "Failed to generate certificates. Check your password and connection to the CA."
    rm -f "$SECRET_FILE"
    exit 1
fi

# 2. Install Restic
log_info "Checking for Restic..."

if ! command -v restic &> /dev/null; then
    log_info "Restic not found. Installing latest version..."
    
    RESTIC_VERSION="0.18.1"
    DOWNLOAD_URL="https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}/restic_${RESTIC_VERSION}_linux_amd64.bz2"
    
    TMP_DIR=$(mktemp -d)
    pushd "$TMP_DIR" > /dev/null
    
    wget -q -O restic.bz2 "$DOWNLOAD_URL"
    bunzip2 restic.bz2
    chmod +x restic
    
    log_info "Installing restic to /usr/local/bin (requires sudo)..."
    if sudo mv restic /usr/local/bin/; then
        log_success "Restic installed successfully."
    else
        log_error "Failed to move restic to /usr/local/bin"
        popd > /dev/null
        rm -rf "$TMP_DIR"
        exit 1
    fi
    
    popd > /dev/null
    rm -rf "$TMP_DIR"
else
    CURRENT_VERSION=$(restic version | awk '{print $2}')
    log_success "Restic is already installed (version $CURRENT_VERSION)"
fi

# 3. Final Instructions
ROOT_CA="$CERTS_DIR/root_ca.crt"
CLIENT_PEM="$CERTS_DIR/restic.pem"

# Ensure root_ca exists (it should if step is bootstrapped)
if [ ! -f "$ROOT_CA" ]; then
    log_info "Downloading Root CA..."
    step ca root "$ROOT_CA"
fi

log_success "Setup complete!"
echo ""
echo -e "${GREEN}=== Environment Configuration ===${NC}"
echo "Add the following lines to your shell configuration (.bashrc, .zshrc, etc) or script:"
echo ""
echo "export RESTIC_CACERT=$ROOT_CA"
echo "export RESTIC_TLS_CLIENT_CERT=$CLIENT_PEM"
echo "export RESTIC_REPOSITORY=rest:https://soteria.john-stream.com/$repo_name"
echo "export RESTIC_PASSWORD_FILE=~/.config/resticprofile/password.txt"
echo ""
echo -e "${YELLOW}Note: Adjust RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE as needed.${NC}"