#!/bin/sh
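# Prepares a debug-only SSH environment: runtime directories, devpts, root
# account state, host keys and /etc/ssh/sshd_config_peacock_debug.
#
# SECURITY: with the built-in defaults below, this script clears root's
# password and writes an sshd config that accepts empty-password root logins
# on every interface. That is unauthenticated root access for anyone who can
# reach the port, so ship it on debug images only. To narrow the exposure, set
# overrides in /etc/peacock/debug-ssh.conf, for example
# SSHD_LISTEN_ADDR=127.0.0.1, PERMIT_EMPTY_PASSWORDS=no,
# ALLOW_EMPTY_ROOT_PASSWORD=0.
set -eu

# Optional overrides. The file is sourced, i.e. executed as shell code with
# this script's privileges, so it must be writable only by a trusted admin.
# `|| true` keeps loading best-effort: a failing command inside the file does
# not abort this script.
if [ -f /etc/peacock/debug-ssh.conf ]; then
    . /etc/peacock/debug-ssh.conf || true
fi

# Defaults apply only when the variable is unset or empty.
SSHD_PORT="${SSHD_PORT:-22}"
SSHD_LISTEN_ADDR="${SSHD_LISTEN_ADDR:-0.0.0.0}"                 # all IPv4 interfaces
PERMIT_ROOT_LOGIN="${PERMIT_ROOT_LOGIN:-yes}"
PASSWORD_AUTH="${PASSWORD_AUTH:-yes}"
PERMIT_EMPTY_PASSWORDS="${PERMIT_EMPTY_PASSWORDS:-yes}"
ALLOW_EMPTY_ROOT_PASSWORD="${ALLOW_EMPTY_ROOT_PASSWORD:-1}"   # "1" clears root's password below

# Leave a trace in the boot log whenever the passwordless setup is active, so
# the exposure is visible to whoever audits the device.
if [ "$ALLOW_EMPTY_ROOT_PASSWORD" = "1" ] || [ "$PERMIT_EMPTY_PASSWORDS" = "yes" ]; then
    printf '%s\n' "${0##*/}: WARNING: empty-password SSH login is enabled (listen ${SSHD_LISTEN_ADDR}:${SSHD_PORT}); debug images only" >&2 || true
fi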

# Runtime and configuration directories used later in this script.
mkdir -p /run/sshd /var/log /etc/ssh
chmod 0755 /run/sshd
mkdir -p /etc/dropbear

# Make sure a devpts instance is mounted at /dev/pts so logins can allocate a
# pty. Every step is best-effort: failures are silenced and do not abort.
# NOTE(review): gid=5 is presumably the "tty" group on this image; confirm.
devpts_opts='gid=5,mode=0620,ptmxmode=0666'
mkdir -p /dev/pts 2>/dev/null || true
if ! mountpoint -q /dev/pts; then
    # Not mounted yet (or mountpoint is unavailable): mount a fresh instance.
    mount -t devpts devpts /dev/pts -o "$devpts_opts" >/dev/null 2>&1 || true
else
    # Already mounted: only re-apply the ownership and mode options.
    mount -o "remount,$devpts_opts" /dev/pts >/dev/null 2>&1 || true
fi

# /dev/ptmx must exist; fall back to a symlink to the devpts-provided node.
if [ ! -e /dev/ptmx ]; then
    ln -sf pts/ptmx /dev/ptmx
fi
chmod 0666 /dev/ptmx >/dev/null 2>&1 || true

# SECURITY: when ALLOW_EMPTY_ROOT_PASSWORD is "1" (the default), root ends up
# with no password at all. Nothing in this script restores the previous hash,
# so on a writable root filesystem the change outlives a later switch back to
# ALLOW_EMPTY_ROOT_PASSWORD=0. Keep this path out of production images.
if [ "$ALLOW_EMPTY_ROOT_PASSWORD" = "1" ]; then
    passwd -d root >/dev/null 2>&1 || true
    # Blank root's second field directly as well, in case the passwd helper
    # fails at boot. /etc/passwd is edited too, to match PRP behavior (its
    # root password field is kept empty, not just the shadow hash).
    for account_db in /etc/shadow /etc/passwd; do
        [ -f "$account_db" ] || continue
        sed -i 's#^root:[^:]*:#root::#' "$account_db" >/dev/null 2>&1 || true
    done
fi

# Dropbear only accepts a login whose shell is listed in /etc/shells.
# The file is overwritten, not appended to: any existing entries are dropped,
# and the three paths are listed whether or not the binaries exist.
mkdir -p /etc
printf '%s\n' /bin/sh /bin/ash /bin/bash > /etc/shells

# OpenSSH host keys: generate the default set only when no key file exists.
# Existing keys are reused as-is, so keys baked into an image are shared by
# every device flashed from it. Generation failures are silenced; in that case
# no host key is created here.
ls /etc/ssh/ssh_host_*_key >/dev/null 2>&1 || ssh-keygen -A >/dev/null 2>&1 || true

# Dropbear RSA host key: created only when dropbearkey is installed and the
# key file is missing or empty. Failure is ignored here as well.
if command -v dropbearkey >/dev/null 2>&1 && [ ! -s /etc/dropbear/dropbear_rsa_host_key ]; then
    dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key >/dev/null 2>&1 || true
fi

# Write the sshd configuration for the debug instance. This script only
# creates the file; nothing here starts sshd.
#
# SECURITY notes for reviewers:
#  - The variables are expanded verbatim, with no validation. They come from
#    the defaults or from /etc/peacock/debug-ssh.conf, so that file decides
#    every directive below.
#  - With the defaults (PermitRootLogin yes, PasswordAuthentication yes,
#    PermitEmptyPasswords yes, ListenAddress 0.0.0.0) and root's password
#    cleared, any host that can reach the port gets a root shell without
#    credentials. AllowTcpForwarding yes lets such a session relay connections
#    further into the network.
#  - UsePAM no: PAM account and session checks are not applied to logins.
#  - For anything other than an isolated debug bench, override at least
#    SSHD_LISTEN_ADDR, PERMIT_EMPTY_PASSWORDS and PASSWORD_AUTH in the conf
#    file, and set ALLOW_EMPTY_ROOT_PASSWORD=0.
#  - NOTE(review): "Protocol" and "ChallengeResponseAuthentication" are legacy
#    keywords in current OpenSSH; confirm against the sshd version shipped.
debug_sshd_config=/etc/ssh/sshd_config_peacock_debug
cat > "$debug_sshd_config" <<SSHD_DEBUG_CONFIG
Port ${SSHD_PORT}
ListenAddress ${SSHD_LISTEN_ADDR}
Protocol 2
PidFile /run/peacock-debug-sshd.pid
PermitRootLogin ${PERMIT_ROOT_LOGIN}
PasswordAuthentication ${PASSWORD_AUTH}
PermitEmptyPasswords ${PERMIT_EMPTY_PASSWORDS}
ChallengeResponseAuthentication no
UsePAM no
PermitTTY yes
X11Forwarding no
AllowTcpForwarding yes
UseDNS no
Subsystem sftp internal-sftp
SSHD_DEBUG_CONFIG

# Always report success; earlier best-effort steps may have failed silently.
exit 0
