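#!/usr/bin/env bash
# build-persistent-devbox.sh
#
# Builds a persistent Arch Linux-based devbox image (base: `buildah from archlinux`)
# with SSH, Git, and GitOps secrets. The dev user's shell/editor/tmux
# configuration is copied in and then locked down: files are owned by
# root:secproc with mode 750 so the dev user (a member of secproc) can read and
# execute them but cannot modify them.
#
# Usage: ./build-persistent-devbox.sh
#   Run from the directory containing start.sh, ssh/, zshrc, config/ and local/.
#   Requires buildah on the host; produces the image named in IMG_NAME.
set -euo pipefail

readonly IMG_NAME="analytics-backend-workspace"
readonly DEV_USER=devuser
readonly SECURE=/opt/secure
readonly DEV_HOME="/home/$DEV_USER"

ctr=$(buildah from archlinux)

# Remove the working container on every exit path so a failed build does not
# leave it behind. The committed image (if any) is not affected by this.
cleanup() { buildah rm "$ctr" >/dev/null 2>&1 || true; }
trap cleanup EXIT

# Base packages, users and directories.
# - `pacman -Syu` (instead of `-Sy` + `-S`) performs a full upgrade together with
#   the install; refreshing the database and then installing against it without
#   upgrading is a partial upgrade, which Arch does not support.
# - devuser is the interactive account; `viewer` is a system account placed in
#   devuser's primary group (no login shell, no home).
# - The host-side values interpolated below are the constants defined above
#   (no spaces or shell metacharacters), so the single bash -c string is safe.
buildah run "$ctr" -- bash -c "\
pacman -Syu --noconfirm neovim git zsh tmux podman \
fzf fd ripgrep jdk-openjdk && pacman -Scc --noconfirm && \
groupadd secproc && useradd -ms /bin/zsh -G secproc $DEV_USER && \
useradd --system --no-create-home -s /usr/sbin/nologin -G $DEV_USER viewer && \
mkdir -p /tmp/tmux-shared && chown -R $DEV_USER:$DEV_USER /tmp/tmux-shared && \
mkdir -p $SECURE && chmod -R 500 $SECURE && \
mkdir /app && chmod 700 /app && chown $DEV_USER:$DEV_USER /app "

# Entry point script (later made root-owned/750 together with the other files).
buildah copy "$ctr" start.sh "$DEV_HOME/start.sh"

# SSH material. Note this copy happens *after* `chmod -R 500 $SECURE` above, so
# the modes inside $SECURE/ssh are whatever the source tree has, not 500.
buildah copy "$ctr" ssh "$SECURE/ssh"

# zsh, neovim and tmux configuration.
buildah copy "$ctr" zshrc "$DEV_HOME/.zshrc"
buildah copy "$ctr" config "$DEV_HOME/.config"
buildah copy "$ctr" local "$DEV_HOME/.local"

# Make the copied configuration immutable for the dev user:
#   1. hand the whole home tree to devuser (directories stay devuser-owned),
#   2. every regular file becomes mode 750 and owned by root:secproc, so the
#      secproc group (devuser) gets r-x and nobody but root can write.
# The original script ended this command string with a dangling `&& \`, which
# made bash -c fail with a syntax error; the trailing operator is removed.
# NOTE(review): a named-user ACL entry is evaluated before the owning-group
# entry, so `u:$DEV_USER:--x` on the root:secproc files appears to reduce
# devuser's effective access on them to execute-only (the group r-x would no
# longer apply). Confirm with `getfacl` in a test build; if the intent is only
# directory traversal, restrict the setfacl to `-type d`.
buildah run "$ctr" -- bash -c "
chown -R $DEV_USER:$DEV_USER $DEV_HOME && \
find $DEV_HOME -type f -exec chmod 750 {} + && \
find $DEV_HOME -type f -exec chown root:secproc {} + && \
setfacl -R -m u:$DEV_USER:--x $DEV_HOME
"

# Runtime configuration of the image.
# CONTAINER_HOST points the in-container podman client at a socket that must be
# bind-mounted from the host at run time (presumably by whoever starts the
# devbox — confirm against start.sh). Whoever can reach that socket controls the
# host's podman, so mount a rootless/user socket rather than a privileged one
# where possible.
buildah config \
  --user "$DEV_USER" \
  --workingdir /app \
  --env CONTAINER_HOST=unix:///run/podman/podman.sock \
  --cmd "$DEV_HOME/start.sh" \
  "$ctr"

buildah commit "$ctr" "$IMG_NAME"
printf '✅ %s built.\n' "$IMG_NAME"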