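#! /bin/sh
#
# Provision a per-host backup account and the SSH trust it needs.
#
# For every HOST named on the command line:
#   * make sure the shared `backup' group (gid 200) exists;
#   * create a system user and private group `bkp-HOST' that share the
#     first id free as both uid and gid at or above 201, with home
#     directory /var/lib/bkp/HOST;
#   * add `bkp-HOST' to the `backup' group;
#   * make sure root@HOST has an RSA key of at least 3072 bits in ~/.ssh,
#     generating one when it is missing or too small;
#   * install that public key as the only authorized key of `bkp-HOST'.
#
# Intended to be run as root (addgroup/adduser) with root ssh access to
# each HOST.  A dry run (-n) still connects to HOST to inspect its key
# but creates nothing on either side.
#
# usage: NAME [-nqv] HOST ...
#   -n  no action: print the commands that would run, execute none
#   -v  verbose: print each command before running it
#   -q  quiet (the default)
#   -h  print usage and exit

set -e

quis=${0##*/}
usage="usage: $quis [-nqv] HOST ..."

# gid of the shared `backup' group, and the lowest id tried for the
# per-host accounts.
backup_gid=200
first_bkp_id=201

verbose=nil
noact=nil
while getopts "hnvq" opt; do
  case "$opt" in
    h) echo "$usage"; exit ;;
    n) noact=t verbose=t ;;
    v) verbose=t ;;
    q) verbose=nil ;;
    *) echo >&2 "$usage"; exit 1 ;;
  esac
done
shift $(( OPTIND - 1 ))
case $# in
  0) echo "$usage"; exit 1 ;;
esac

# The `run' helper is kept as a string so that the very same definition
# can be shipped to the remote side with ssh below.  `run' echoes its
# arguments to stderr when verbose=t and executes them unless noact=t.
defrun='
run () {
  case $verbose in
    t) echo >&2 "- $*" ;;
  esac
  case $noact in
    nil) "$@" ;;
  esac
}'
eval "$defrun"

if getent group backup >/dev/null; then
  echo >&2 "$quis: group \`backup' already exists"
else
  run addgroup --gid "$backup_gid" backup
fi

for host in "$@"; do
  user=bkp-$host
  home=/var/lib/bkp/$host

  if getent passwd "$user" >/dev/null; then
    echo >&2 "$quis: backup user \`$user' already exists"
  else
    # Pick the first id that is free both as a uid and as a gid, so the
    # user and its private group can share the number.
    uid=$first_bkp_id
    while { getent passwd "$uid" || getent group "$uid"; } >/dev/null; do
      uid=$(( uid + 1 ))
    done
    run addgroup --system --gid "$uid" "$user"
    run adduser --system --uid "$uid" --gid "$uid" \
      --home "$home" \
      --shell /bin/bash \
      --gecos "Backup user for host $host" \
      --disabled-password \
      "$user"
  fi

  # Membership check.  The group may not exist yet in a dry run, so a
  # failed lookup must not abort the script under set -e.  The member
  # list is the last, comma separated field; wrapping it in commas lets
  # the user name be matched as a whole word anywhere in the list.
  entry=$(getent group backup) || entry=
  members=${entry##*:}
  case ",$members," in
    *",$user,"*)
      echo >&2 "$quis: user \`$user' already in group \`backup'"
      ;;
    *)
      run adduser "$user" backup
      ;;
  esac

  settings="verbose=$verbose noact=$noact"
  run mkdir -p -m755 "$home/.ssh"

  # Make sure root@$host has an RSA key of at least 3072 bits.  The
  # remote command is our settings plus the `run' definition, followed by
  # the single-quoted script, which deliberately interpolates nothing
  # from this side (and must not contain a single quote).
  ssh "root@$host" "$settings; $defrun" '
    set -e
    cd "$HOME"
    # Deliberately not under run: the directory must exist for the
    # checks below even in a dry run, and creating it is harmless.
    mkdir -p -m755 .ssh
    cd .ssh
    if [ ! -f id_rsa.pub ]; then
      genp=t
    else
      # ssh-keygen -l prints "BITS FINGERPRINT COMMENT (TYPE)".  The
      # comment may contain spaces, so take the first and the last word
      # rather than positional fields.  An unreadable key file yields an
      # empty line and therefore a fresh key, as before.
      genp=$(
        ssh-keygen -l -f id_rsa.pub | {
          read -r line || line=
          bits=${line%% *}
          type=${line##* }
          case "$bits,$type" in
            *[!0-9]*,*) echo t ;;
            *,"(RSA)") if [ "$bits" -ge 3072 ]; then echo nil; else echo t; fi ;;
            *) echo t ;;
          esac
        }
      )
    fi
    case $genp in
      t)
        # ssh-keygen asks before overwriting an existing key and reads the
        # answer from stdin, which is not a terminal here; drop the old
        # pair first so generation can neither stall nor silently fail.
        run rm -f id_rsa id_rsa.pub
        run ssh-keygen -t rsa -f id_rsa -b 3072 -N ""
        ;;
    esac
  '
  run scp "root@$host:.ssh/id_rsa.pub" "$home/.ssh/authorized_keys"
done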