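#!/bin/bash
# build-persistent-devbox.sh
#
# Builds a persistent Arch Linux-based devbox image with buildah (the base is
# `archlinux` and packages come from pacman): SSH setup under $SECURE, Git,
# zsh/tmux/neovim configuration made read-only in the dev user's home, and an
# unprivileged "viewer" account placed in the dev user's group (presumably for
# sharing tmux sockets under /tmp/tmux-shared).
#
# Inputs, relative to the working directory: start.sh, ssh/, zshrc, config/, local/
# Requires: buildah on PATH. Output: the image named by IMG_NAME.
set -euo pipefail

readonly IMG_NAME="analytics-backend-workspace"
readonly DEV_USER=devuser
readonly SECURE=/opt/secure
readonly DEV_HOME="/home/$DEV_USER"

# Packages installed into the image.
readonly -a PACKAGES=(neovim git zsh tmux podman fzf fd ripgrep jdk-openjdk)

ctr=""
# On a failed build, remove the half-built working container so it does not
# pile up; a successful build leaves it in place, as before.
cleanup() {
  local rv=$?
  if (( rv != 0 )) && [[ -n "$ctr" ]]; then
    buildah rm "$ctr" >/dev/null 2>&1 || true
  fi
}
trap cleanup EXIT

ctr=$(buildah from archlinux)

# Base system and accounts.
#  - `-Syu <pkgs>` instead of `-Sy` followed by `-S`: on Arch the latter is a
#    partial upgrade (new packages may link against libraries newer than the
#    ones already on the image).
#  - `pacman -Scc --noconfirm` answers its "remove ALL files from cache?" prompt
#    with the default (no), so the cache was never cleaned; remove it directly.
#  - /tmp/tmux-shared is handed to $DEV_USER so its 750 mode means something:
#    the owner can create sockets there and "viewer", being in the user's group,
#    can traverse it.
buildah run "$ctr" -- bash -c "
  pacman -Syu --noconfirm ${PACKAGES[*]} &&
  rm -rf /var/cache/pacman/pkg/* &&
  useradd -m -s /bin/zsh '$DEV_USER' &&
  useradd --system --no-create-home --shell /usr/sbin/nologin viewer &&
  usermod -aG '$DEV_USER' viewer &&
  mkdir -p /tmp/tmux-shared &&
  chown '$DEV_USER:' /tmp/tmux-shared &&
  chmod 750 /tmp/tmux-shared
"

# Entry point; runs as $DEV_USER per the buildah config below.
buildah copy "$ctr" start.sh /start.sh

# SSH setup. Everything under ./ssh ends up in an image layer and is visible
# to anyone who can pull the image, so private key material should not be
# copied here but mounted at run time.
buildah copy "$ctr" ssh "$SECURE/ssh"

# zsh, neovim and tmux configuration. buildah copy leaves files root-owned by
# default, and a root-owned file at mode 400 is unreadable to $DEV_USER, the
# account the image runs as — so hand the copies to that user before the
# read-only sweep below.
buildah copy --chown "$DEV_USER:$DEV_USER" "$ctr" zshrc "$DEV_HOME/.zshrc"
buildah copy --chown "$DEV_USER:$DEV_USER" "$ctr" config "$DEV_HOME/.config"
buildah copy --chown "$DEV_USER:$DEV_USER" "$ctr" local "$DEV_HOME/.local"

# Make the home configuration read-only (advisory: as owner, $DEV_USER can
# still chmod its own files). The GnuPG home is created *after* the directory
# sweep, because the sweep would otherwise flatten it from 700 to 500 and
# leave it root-owned, as the original ordering did.
# NOTE(review): $SECURE stays root-owned at mode 500, which the runtime user
# cannot read; confirm start.sh does not depend on it, or chown it as well.
buildah run "$ctr" -- bash -c "
  find '$DEV_HOME' -type f -exec chmod 400 {} + &&
  find '$DEV_HOME' -type d -exec chmod 500 {} + &&
  mkdir -p '$DEV_HOME/.gnupg' &&
  chown '$DEV_USER:' '$DEV_HOME/.gnupg' &&
  chmod 700 '$DEV_HOME/.gnupg' &&
  chmod -R 500 -- '$SECURE' &&
  chmod +x /start.sh
"

# CONTAINER_HOST points podman inside the box at a socket that has to be
# mounted in at run time; whoever can reach that socket controls the podman
# instance behind it, so mount it only when the devbox genuinely needs it.
buildah config \
  --user "$DEV_USER" \
  --workingdir /app \
  --env CONTAINER_HOST=unix:///run/podman/podman.sock \
  --cmd "/start.sh" \
  "$ctr"

buildah commit "$ctr" "$IMG_NAME"
printf '✅ %s built.\n' "$IMG_NAME"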